mantisbt:issue:4235
Differences
mantisbt:issue:4235 [2008/02/07 08:53] – NT | mantisbt:issue:4235 [2008/10/29 04:36] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
* **Author**: NT | * **Author**: NT | ||
Line 12: | Line 12: | ||
We need a means of adding an Authentication method that does not need to patch core functionality.\\ | We need a means of adding an Authentication method that does not need to patch core functionality.\\ | ||
Setting up a system of plugins for authentication would be the best way to acheive this. | Setting up a system of plugins for authentication would be the best way to acheive this. | ||
+ | |||
+ | |||
===== High Level Requirements ===== | ===== High Level Requirements ===== | ||
+ | |||
+ | -> In general terms: Mantis should focus on authorisation, | ||
+ | |||
- Support for authentication via Mantis plugins by supporting protocols that validate a user name/ password. | - Support for authentication via Mantis plugins by supporting protocols that validate a user name/ password. | ||
+ | |||
+ | -> The addition of name/ | ||
+ | |||
- Support for authentication methods that delegate the authentication process to another application. | - Support for authentication methods that delegate the authentication process to another application. | ||
* e.g. Open ID / CAS. | * e.g. Open ID / CAS. | ||
- Support for single sign-on. | - Support for single sign-on. | ||
* e.g. Windows Login, CMS integration, | * e.g. Windows Login, CMS integration, | ||
+ | | ||
+ | -> Requirement for both examples are very different: Windows login crosses the os - browser border, CMS integration doesn' | ||
+ | |||
* The single sign on should work for both Login and Logout scenarios. | * The single sign on should work for both Login and Logout scenarios. | ||
+ | |||
+ | -> When authentication is delegated, Login and Logout are not the responibility of the application, | ||
+ | |||
- Support for hybrid authentication. | - Support for hybrid authentication. | ||
* For example, employees are authenticated against LDAP where customers are authenticated using Mantis standard infrastructure. | * For example, employees are authenticated against LDAP where customers are authenticated using Mantis standard infrastructure. | ||
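Review bot: the annotation added after "The single sign on should work for both Login and Logout scenarios" states that Login and Logout are not the application's responsibility once authentication is delegated, but nothing in this hunk says who terminates the Mantis session when the user logs out at the identity provider; a local session that outlives the upstream login is the usual single-logout gap, so the requirement should state that the plugin must be told about (or must check for) the upstream logout and end the Mantis session itself. The hunk also carries the typos "acheive" and "responibility".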
Line 28: | Line 42: | ||
* For example, pull user information from LDAP when a user logs in for the first time. | * For example, pull user information from LDAP when a user logs in for the first time. | ||
- Prepopulate sign-up form with fields from authentication plugin (e.g.LDAP, OpenId, X.509). | - Prepopulate sign-up form with fields from authentication plugin (e.g.LDAP, OpenId, X.509). | ||
+ | |||
+ | -> Mantis should only store user attributes that it needs for authorisation, | ||
+ | |||
- An authentication plugin should be able to mark some of the user profile information as read only. | - An authentication plugin should be able to mark some of the user profile information as read only. | ||
* For example, user name or email may be marked as read only. | * For example, user name or email may be marked as read only. | ||
+ | |||
+ | -> This way you run the risk of breaking log-in again if the IdP desides to change one of the "read only" params | ||
+ | |||
- Once a user is signed up using a protocol, this protocol should be stamped on the user record and in the future the user should only be able to login via this protocol. | - Once a user is signed up using a protocol, this protocol should be stamped on the user record and in the future the user should only be able to login via this protocol. | ||
+ | |||
+ | -> Mantis should only care about the fact that the user is authenticated, | ||
+ | |||
* For example, if a user is authenticated against Active Directory, then removed from Active Directory, then he/she should not be able to login against their user record in Mantis (use in termination of employment scenarios). | * For example, if a user is authenticated against Active Directory, then removed from Active Directory, then he/she should not be able to login against their user record in Mantis (use in termination of employment scenarios). | ||
+ | |||
+ | -> Pref. this should be done by having mantis request access to mantis for the user, not by periodically syncing the user database. | ||
+ | |||
* This may cause a problem when a user logs in via Windows auth at work, but would like to login from home where he/she is not authenticated in Windows. | * This may cause a problem when a user logs in via Windows auth at work, but would like to login from home where he/she is not authenticated in Windows. | ||
+ | |||
+ | -> If the above condition is met, this is no longer a problem. | ||
+ | |||
- When a user signs on, the protocol used needs to be recorded so that reauthentication and logout use the same protocol. | - When a user signs on, the protocol used needs to be recorded so that reauthentication and logout use the same protocol. | ||
* storing this on the database may be a problem if users are sharing userids. | * storing this on the database may be a problem if users are sharing userids. | ||
* storing in a cookie would be a security concern. | * storing in a cookie would be a security concern. | ||
- Once we have authenticated we should be able to use our credentials to automatically sign the user into another system (e.g. a wiki) and log them out of that system when we log out of mantis. | - Once we have authenticated we should be able to use our credentials to automatically sign the user into another system (e.g. a wiki) and log them out of that system when we log out of mantis. | ||
+ | |||
+ | -> When you introduce delegated authentication, | ||
+ | |||
- Provide functions that can be used by cms integration. | - Provide functions that can be used by cms integration. | ||
* e.g. when you log into a cms, one of its plugins logs you into mantis. | * e.g. when you log into a cms, one of its plugins logs you into mantis. | ||
+ | |||
+ | - seems like the domain of the cms to me. | ||
+ | |||
- On starting mantis, if the users identity can be immediately determined, then they should be automatically logged in without seeing the login pages. | - On starting mantis, if the users identity can be immediately determined, then they should be automatically logged in without seeing the login pages. | ||
* e.g. http or X.509 authentication. | * e.g. http or X.509 authentication. | ||
- Easy Customisation of login, signup and reauthentication pages. | - Easy Customisation of login, signup and reauthentication pages. | ||
+ | |||
+ | -> For delegated authentication, | ||
+ | |||
+ | - Check if user exists on another system, and if not delete/ | ||
+ | |||
+ | -> I fear this will not work as this will require the other applications to open up that authorization db. | ||
+ | |||
+ | - Fetch security levels/ | ||
+ | - (Slightly off topic) What user details are help in mantis long term and are there data protection issues if users cannot remove their accounts. | ||
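Review bot: the two concerns listed under "the protocol used needs to be recorded" (shared userids if stored in the database, a security concern if stored in a cookie) are both resolved by keeping the sign-on protocol in the server-side session, which belongs to exactly one login rather than to the user record or to client-controlled storage; the requirement should name that location instead of leaving it open. The added annotation about the IdP changing a "read only" attribute also points at the fix for the "stamp the protocol on the user record" item: tie the account to the provider's stable identifier rather than to mutable attributes such as user name or email, so a change at the provider neither locks the user out nor lets a reassigned address match an old account. Minor: "desides" and "details are help in mantis" should read "decides" and "details are held in Mantis".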
mantisbt/issue/4235.1202392406.txt.gz · Last modified: 2008/10/29 04:36 (external edit)