User Tools

  • Logged in as: anonymous (anonymous)
  • Log Out

Site Tools


mantisbt:issue:4235

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
mantisbt:issue:4235 [2008/02/07 08:53] NTmantisbt:issue:4235 [2008/10/29 04:36] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== Requirements for Plugable Authentication ======+====== Pluggable Authentication ======
  
    * **Author**: NT    * **Author**: NT
Line 12: Line 12:
 We need a means of adding an Authentication method that does not need to patch core functionality.\\  We need a means of adding an Authentication method that does not need to patch core functionality.\\ 
 Setting up a system of plugins for authentication would be the best way to acheive this. Setting up a system of plugins for authentication would be the best way to acheive this.
 +
 +
  
  
  
 ===== High Level Requirements ===== ===== High Level Requirements =====
 +
 +-> In general terms: Mantis should focus on authorisation, not on authentication. Authorization is the domain of either an internal module, or delegated away to an external Identity Provider (IdP)
 +
   - Support for authentication via Mantis plugins by supporting protocols that validate a user name/ password.   - Support for authentication via Mantis plugins by supporting protocols that validate a user name/ password.
 +
 +-> The addition of name/password is not needed, as some protocols may not use passwords for validation (but e.g. use certificates). A suggestion for a   description here would be: "supporting protocols that provide a validated identity". Mantis should not care how this validation came to be.
 +
   -  Support for authentication methods that delegate the authentication process to another application.   -  Support for authentication methods that delegate the authentication process to another application.
     * e.g. Open ID / CAS.     * e.g. Open ID / CAS.
   - Support for single sign-on.   - Support for single sign-on.
     * e.g. Windows Login, CMS integration, etc.      * e.g. Windows Login, CMS integration, etc. 
 +    
 +-> Requirement for both examples are very different: Windows login crosses the os - browser border, CMS integration doesn't. I would suggest to name both as separate requirements.
 +
     * The single sign on should work for both Login and Logout scenarios.     * The single sign on should work for both Login and Logout scenarios.
 +
 +-> When authentication is delegated, Login and Logout are not the responibility of the application, but are in fact links to the pages on the IdP whare a user can logon or logoff
 +
   - Support for hybrid authentication.    - Support for hybrid authentication. 
     * For example, employees are authenticated against LDAP where customers are authenticated using Mantis standard infrastructure.     * For example, employees are authenticated against LDAP where customers are authenticated using Mantis standard infrastructure.
Line 28: Line 42:
     * For example, pull user information from LDAP when a user logs in for the first time.     * For example, pull user information from LDAP when a user logs in for the first time.
   - Prepopulate sign-up form with fields from authentication plugin (e.g.LDAP, OpenId, X.509).   - Prepopulate sign-up form with fields from authentication plugin (e.g.LDAP, OpenId, X.509).
 +
 +-> Mantis should only store user attributes that it needs for authorisation, not for authentication. Therefor propolulation fields containing authentication data is not a good idea. This will break log-in's as the IdP providing authentication might decide to change these (e.g. change the password after 30 days)
 +
   - An authentication plugin should be able to mark some of the user profile information as read only.    - An authentication plugin should be able to mark some of the user profile information as read only. 
     * For example, user name or email may be marked as read only.     * For example, user name or email may be marked as read only.
 +
 +-> This way you run the risk of breaking log-in again if the IdP desides to change one of the "read only" params
 +
   - Once a user is signed up using a protocol, this protocol should be stamped on the user record and in the future the user should only be able to login via this protocol.    - Once a user is signed up using a protocol, this protocol should be stamped on the user record and in the future the user should only be able to login via this protocol. 
 +
 +-> Mantis should only care about the fact that the user is authenticated, not how this came to be.
 +
     * For example, if a user is authenticated against Active Directory, then removed from Active Directory, then he/she should not be able to login against their user record in Mantis (use in termination of employment scenarios).     * For example, if a user is authenticated against Active Directory, then removed from Active Directory, then he/she should not be able to login against their user record in Mantis (use in termination of employment scenarios).
 +
 +-> Pref. this should be done by having mantis request access to mantis for the user, not by periodically syncing the user database.
 +
     * This may cause a problem when a user logs in via Windows auth at work, but would like to login from home where he/she is not authenticated in Windows.     * This may cause a problem when a user logs in via Windows auth at work, but would like to login from home where he/she is not authenticated in Windows.
 +
 +-> If the above condition is met, this is no longer a problem.
 +
   - When a user signs on, the protocol used needs to be recorded so that reauthentication and logout use the same protocol.       - When a user signs on, the protocol used needs to be recorded so that reauthentication and logout use the same protocol.    
     * storing this on the database may be a problem if users are sharing userids.     * storing this on the database may be a problem if users are sharing userids.
     * storing in a cookie would be a security concern.     * storing in a cookie would be a security concern.
   -  Once we have authenticated we should be able to use our credentials to automatically sign the user into another system (e.g. a wiki) and log them out of that system when we log out of mantis.   -  Once we have authenticated we should be able to use our credentials to automatically sign the user into another system (e.g. a wiki) and log them out of that system when we log out of mantis.
 +
 +-> When you introduce delegated authentication, single sign-on is not the  responsibility of the application. Single sign-on is the result of the fact that different applications, e.g. Mambo and Mantis share a common identity provider and are able the take note of a common authentication token, e.g. a cookie containing an authentication information. This leads to the fact that the application itself does not have controle over login and logout and does not need to care about it. It just needs to check if the delegated authentication system provides a go or no-go and act accordingly. 
 +
   - Provide functions that can be used by cms integration.    - Provide functions that can be used by cms integration. 
     * e.g. when you log into a cms, one of its plugins logs you into mantis.     * e.g. when you log into a cms, one of its plugins logs you into mantis.
 +
 +- seems like the domain of the cms to me.
 +
   - On starting mantis, if the users identity can be immediately determined, then they should be automatically logged in without seeing the login pages.   - On starting mantis, if the users identity can be immediately determined, then they should be automatically logged in without seeing the login pages.
     * e.g. http or X.509 authentication.     * e.g. http or X.509 authentication.
   - Easy Customisation of login, signup and reauthentication pages.   - Easy Customisation of login, signup and reauthentication pages.
 +
 +-> For delegated authentication, these pages are part of the idp, not of the local application. The local application redirects the user to the idp in case of an access denied
 +
 +  - Check if user exists on another system, and if not delete/disable them in mantis
 +
 +-> I fear this will not work as this will require the other applications to open up that authorization db. 
 +
 +  - Fetch security levels/permissions from another system to allow central administration.
 +  - (Slightly off topic) What user details are help in mantis long term and are there data protection issues if users cannot remove their accounts.
  
  
mantisbt/issue/4235.1202392406.txt.gz · Last modified: 2008/10/29 04:36 (external edit)

Driven by DokuWiki