(Under construction)

Background and Motivation

Currently users may use multiple external authentication modules (webaccess/ExternalAuth) for logging in to Invenio if all the modules provide the same email address for Invenio. However, some users may have an account in multiple institutes that supports different user authentication technologies and most of all, provide different user attributes like email addresses. So, from Invenio's point of view, John Doe authenticated by CERN will be different user from John Doe / SLAC, even though the both accounts were owned by the same person.

The users should have the possibility to use multiple external authentication modules for having access to their single Invenio user account. This would also make the support of novel identity management technologies like OpenID and certain SAML profiles (e.g. persistent identifiers) easier in the future if/when they are considered useful.

New use case

John Doe has an account at both CERN and SLAC. He has been using Invenio with CERN SSO, but now he'd like to use SLAC authentication for the first time.

From the login page, he can click the "SLAC account login" to be authenticated by SLAC systems. After successful authentication, Invenio notices that he is a new user. Instead of registering the new user, user can also choose to link the new account to an existing one. This can be achieved by prompting user to click a login link to an authentication method he has been using so far (CERN SSO in this case). After successful authentication to CERN, Invenio can link the SLAC method for the same user, as he was able to login to both of them.

In his next session, John Doe can select both CERN and SLAC logins to obtain access to the same Invenio account.

Required modifications

(Incomplete) list of required modifications:

user table in the database

At the moment, Invenio's user database table consists of the following fields:

  • id (auto-incremented primary key)
  • email (key)
  • password
  • note
  • settings
  • nickname (key)
  • last_login

There should be a one-to-many (user -> identifiers) field for multiple "login identifiers", possibly consisting of information like johndoe/slac-webauth. In this case the first part would refer to the REMOTE_USER variable set by the Apache mod_webauth protecting SLAC login location.

Other example could be johndoe/cern-sso (HTTP_ADFS_LOGIN Apache environment variable set by Shibboleth at CERN).

ExternalAuth modules


Account linking functionality

The page(s) for linking the new authentication method to an existing account.

Account delinking functionality

Users should be able to manage (delete) their account linkings in e.g. "Your settings" page.

Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2008-10-29 - HenriMikkonen
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    Inspire All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback