External authentication services


This topic contains 5 replies, has 4 voices, and was last updated by  anhalt 1 year, 5 months ago.

  • #1660

    anhalt

    Hello all,

    I’m starting this thread as a place to brainstorm with respect to integrating Specify with external authentication services. This would be for institutions or organizations which host their own Specify 7 instances and want users to be able to use existing authentication credentials to access Specify.

    We need to identify what authentication protocols will be supported and in what configurations, e.g. LDAP, SAML, OAuth. If we decide to support multiple protocols, we will need to prioritize the order in which they should be addressed.

    Fortunately, there exist a number of open source modules for using lots of different authentication schemes with Django, which Specify 7 is based on. These modules may require some adjustment because there is already some customization of the underlying Django authentication system to allow Specify 7 to work with the unmodified Specify 6 datamodel. But, hopefully the modifications would not prove too extensive.

    All thoughts and suggestions are welcome!

    Thanks,

    Ben

    #1661
    johntorgersen

    Here at UM, we use LDAP and ActiveDirectory, so those would be the two in which we would be the most interested.

    One of the things that we noticed when enabling LDAP for another product (CollectiveAccess) was that being able to fail over to local accounts and assign members of LDAP groups to local authorization groups were both extremely useful. The separation in Specify requiring a user account to be linked to an Agent record would be the only challenge in the latter function.

    Thank you,
    John

    #1693
    garymotz

    Here at IU, we use CAS and see KB article CAS integration at IU for how we’d have to implement CAS into the Specify7 interface.

    Currently, IU uses this Central Authentication Service with multi-factor authentication; it is required for access to any official Indiana University resource and is being increasingly recommended for adoption by other specific use cases (Specify would be a prime example for which CAS authentication would be strongly recommended).

    #1695

    nelson

    We also use LDAP and Active Directory.

    #1696
    garymotz

    I did neglect to mention that we do also use ADS and LDAP, and could query our user database using that protocol or Shibboleth or CAS. I apologize for failing to mention ActiveDirectory and LDAP, Nelson’s post after John’s refreshed my memory of ADS/LDAP.

    If you’re looking for an SSO method to authenticate Specify against our institutional user database, this KB article may also be helpful.

    #1697

    anhalt

    Thanks everyone for the responses so far.

    It definitely seems like LDAP would cover the most bases. So, it might make sense to start there and add other options progressively.

    One difficulty is that we do not have any expertise in-house on any of these authentication protocols. I only know enough about LDAP to know that there are whole books about it… which I will probably have to start reading soon. 🙂 I wonder if there is enough variation between how it is used or configured at different institutions that we will run into problems making a generic enough interface in Specify to work for everyone.

    John, you mentioned failover to local accounts. Do you mean accounts within the app itself, so that e.g. if the external authentication service is unavailable, it is possible to authenticate directly with some other credentials? In other words, for Specify that would mean that you could try to log in with your campus username and password, but if that doesn’t work, you could use your old Specify username and password?
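
The two readings of "failover to local accounts" raised in the thread, together with the LDAP-group-to-local-group mapping, sketched as an added example (not Specify code and not from any poster). The directory is a stand-in for an LDAP bind, and every user name, group name and password here is a constructed, hypothetical value.

```python
import hashlib, hmac, os

class DirectoryUnavailable(Exception):
    """The external authentication service could not be reached."""

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical names): directory entries, the
# directory-group -> local-group mapping, and the app's own password store.
DIRECTORY = {"jdoe": ("campus-pw", ["cn=herbarium-staff", "cn=all-staff"])}
GROUP_MAP = {"cn=herbarium-staff": "Collection Managers"}
_SALT = os.urandom(16)
LOCAL = {"jdoe": _hash("old-specify-pw", _SALT)}

def directory_auth(user, password, online=True):
    """Stand-in for an LDAP bind: directory groups on success, None if rejected."""
    if not online:
        raise DirectoryUnavailable()
    entry = DIRECTORY.get(user)
    if entry and hmac.compare_digest(entry[0], password):
        return entry[1]
    return None

def local_auth(user, password):
    stored = LOCAL.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password, _SALT))

def login(user, password, online=True, fallback="outage-only"):
    """Return (source, local_groups) on success, None on failure.

    fallback="outage-only": local credentials count only when the directory
    is unreachable. fallback="always": they also count after the directory
    has rejected the login, so an old local password keeps working.
    """
    outage = False
    try:
        groups = directory_auth(user, password, online)
    except DirectoryUnavailable:
        groups, outage = None, True
    if groups is not None:
        # Unmapped directory groups grant nothing locally.
        return ("directory", sorted(GROUP_MAP[g] for g in groups if g in GROUP_MAP))
    if (outage or fallback == "always") and local_auth(user, password):
        return ("local", [])
    return None
```

In Django, listing an LDAP backend ahead of `django.contrib.auth.backends.ModelBackend` in `AUTHENTICATION_BACKENDS` behaves like the "always" policy, because Django tries the next backend whenever one returns `None`; an account disabled or re-passworded in the directory stays usable through its local password unless that is handled separately.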
