July 6, 2017 at 10:24 pm #1660 anhalt
I’m starting this thread as a place to brainstorm with respect to integrating Specify with external authentication services. This would be for institutions or organizations which host their own Specify 7 instances and want users to be able to use existing authentication credentials to access Specify.
We need to identify what authentication protocols will be supported and in what configurations, e.g. LDAP, SAML, OAuth. If we decide to support multiple protocols, we will need to prioritize the order in which they should be addressed.
Fortunately, there exist a number of open source modules for using lots of different authentication schemes with Django, which Specify 7 is based on. These modules may require some adjustment because there is already some customization of the underlying Django authentication system to allow Specify 7 to work with the unmodified Specify 6 datamodel. But hopefully the modifications would not prove too extensive.
All thoughts and suggestions are welcome!
Ben
July 11, 2017 at 4:37 pm #1661 johntorgersen
Here at UM, we use LDAP and ActiveDirectory, so those would be the two in which we would be the most interested.
One of the things that we noticed, when enabling LDAP for another product (CollectiveAccess), was that being able to fail over to local accounts and to assign members of LDAP groups to local authorization groups were both extremely useful. The separation in Specify requiring a user account to be linked to an Agent record would be the only challenge in the latter function.
John
July 12, 2017 at 5:08 pm #1693 garymotz
Currently, IU uses this Central Authentication Service with multi-factor authentication, which is required for access to any official Indiana University resource and is being increasingly recommended for adoption in other specific use cases (Specify would be a prime example for which CAS authentication would be strongly recommended).
July 13, 2017 at 5:11 pm #1695 nelson
We also use LDAP and Active Directory.
July 13, 2017 at 7:56 pm #1696 garymotz
I did neglect to mention that we do also use ADS and LDAP, and could query our user database using that protocol or Shibboleth or CAS. I apologize for failing to mention ActiveDirectory and LDAP; Nelson’s post after John’s refreshed my memory of ADS/LDAP.
If you’re looking for an SSO method to authenticate Specify against our institutional user database, this KB article may also be helpful.
July 14, 2017 at 6:57 pm #1697 anhalt
Thanks everyone for the responses so far.
It definitely seems like LDAP would cover the most bases. So, it might make sense to start there and add other options progressively.
One difficulty is that we do not have any expertise in-house on any of these authentication protocols. I only know enough about LDAP to know that there are whole books about it… which I will probably have to start reading soon. 🙂 I wonder if there is enough variation between how it is used or configured at different institutions that we will run into problems making a generic enough interface in Specify to work for everyone.
John, you mentioned failover to local accounts. Do you mean accounts within the app itself, so that e.g. if the external authentication service is unavailable, it is possible to authenticate directly with some other credentials? In other words, for Specify that would mean that you could try to log in with your campus username and password, but if that doesn’t work, you could use your old Specify username and password?
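As an added illustration of the failover question above (this is not code from Specify or from anyone in the thread), the chain below follows the contract of Django's authentication backends, which is what the Django modules mentioned earlier plug into: a backend returning None hands the attempt to the next backend, and raising PermissionDenied aborts the login. The directory entries, local accounts and group-to-role mapping are constructed sample data.

```python
"""Failover chain modelled on Django's AUTHENTICATION_BACKENDS contract:
each backend is tried in order, returning None hands off to the next one,
and raising PermissionDenied aborts the login. The directory and local
account store below are constructed stand-ins, not Specify or LDAP code.
"""

class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied."""

# Constructed sample data: campus accounts with their directory groups.
DIRECTORY = {"jdoe": {"password": "campus-pw", "groups": ["collections-staff"]}}
# Constructed local (Specify-style) accounts kept as the fallback.
LOCAL_USERS = {"jdoe": "old-specify-pw", "admin": "local-admin-pw"}
# Directory group -> local authorization group (the mapping John asked for).
GROUP_MAP = {"collections-staff": "Data Entry", "curators": "Manager"}

class LDAPBackend:
    def __init__(self, reachable=True):
        self.reachable = reachable

    def authenticate(self, username, password):
        if not self.reachable:
            return None  # directory down: let the local backend try
        entry = DIRECTORY.get(username)
        if entry is None:
            return None  # not a campus account: fall through
        if entry["password"] != password:
            # Known campus user, wrong password: abort so a stale local
            # password cannot override the directory's decision.
            raise PermissionDenied(username)
        groups = [GROUP_MAP[g] for g in entry["groups"] if g in GROUP_MAP]
        return {"username": username, "source": "ldap", "groups": groups}

class LocalBackend:
    def authenticate(self, username, password):
        if LOCAL_USERS.get(username) == password:
            return {"username": username, "source": "local", "groups": []}
        return None

def authenticate(backends, username, password):
    """Try each backend in order; None means the login is refused."""
    for backend in backends:
        try:
            user = backend.authenticate(username, password)
        except PermissionDenied:
            return None
        if user is not None:
            return user
    return None
```

The distinction worth settling before building this is whether the local password should be accepted only when the directory is unreachable or does not know the user (as above), or also when the directory rejects the password; the latter keeps every old Specify password valid for anyone with a campus account.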