ADFS User Mapping Contrib

This module uses the information supplied by the SSO authentication server.
That server provides many attributes, such as groups, names and mailing lists.
The idea is to use the group information available for each user to protect TWiki webs and/or TWiki topics.
With this module, users can restrict their pages from unauthorized viewing by setting the TWiki access control commands (AllowView, DenyView, AllowChange, DenyChange) to one of the e-groups from the NICE environment.

Tip: http://twiki.org/cgi-bin/view/TWiki/TWikiAccessControl on TWiki.org has additional documentation on access control.

Installation Notes

  • download ADFSUserMapping.pm (save link as..)
  • copy or move the module into your TWiki root directory /twiki/lib/TWiki/Users/
  • open LocalSite.cfg in the directory /twiki/lib/
  • change $TWiki::cfg{UserMappingManager} = 'TWiki::Users::TWikiUserMapping' to $TWiki::cfg{UserMappingManager} = 'TWiki::Users::ADFSUserMapping'

Restricting Access

You can define who is allowed to read or write to a web or a topic. Note that some plugins may not respect access permissions.

  • Restricting VIEW blocks viewing and searching of content. When you restrict VIEW to a topic or web, this also restricts INCLUDE and Formatted SEARCH from showing the content of the topics.
  • Restricting CHANGE blocks creating new topics, changing topics or attaching files.

Attention: Restricting a whole web from viewing for a certain group also restricts guests from viewing!

Important: Protecting pages by using ADFS groups is case-insensitive but requires an exact match. Be sure to write the group name correctly: if it is misspelled, no warning will appear and you might restrict yourself.

Attention: The group name has to be written out in full, e.g. writing only "IT" out of IT-DEP-DES gives no protection.

Controlling access to a Web or Topic

You can define restrictions on who is allowed to view a TWiki web or topic.
You can define these settings in the WebPreferences topic, in the topic preferences or, preferably, towards the end of the topic:

web:

  • Set ALLOWWEBVIEW = < comma-delimited list of Users, Groups and/or ADFS-Groups >
  • Set DENYWEBCHANGE = < comma-delimited list of Users, Groups and/or ADFS-Groups >
  • Set ALLOWWEBCHANGE = < comma-delimited list of Users, Groups and/or ADFS-Groups >

topic:

  • Set ALLOWTOPICVIEW = < comma-delimited list of Users, Groups and/or ADFS-Groups >
  • Set DENYTOPICCHANGE = < comma-delimited list of Users, Groups and/or ADFS-Groups >
  • Set ALLOWTOPICCHANGE = < comma-delimited list of Users, Groups and/or ADFS-Groups >

examples:

    • Set ALLOWWEBVIEW = TwikiAdminGroup, NICE Users, IT-DEP-DES, Main.RegistredUser, ..
    • Set ALLOWWEBVIEW = NiCe UseRs, it-dep-des

    • Set ALLOWTOPICVIEW = TwikiAdminGroup, CERN Users
    • Set ALLOWTOPICVIEW = TwikiGuest, CERN Users
    • Set DENYTOPICCHANGE = AlexanderBernegger

...
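Because a misspelled or shortened group name produces no warning, the settings can be checked against a list of valid names before a topic is saved. The following is an added example, not part of ADFSUserMapping.pm: it applies the matching rule stated above (case-insensitive, full name) to the `Set` lines of a topic. The list of known names, the sample topic text and the function names are constructed for illustration; `Main.`-prefixed names and group e-mail addresses are not handled.

```python
import difflib
import re

# Matches lines such as "   * Set ALLOWWEBVIEW = A, B" (bullet "*" or "•").
ACL_LINE = re.compile(
    r"^\s*[*\u2022]\s*Set\s+((?:ALLOW|DENY)(?:WEB|TOPIC)(?:VIEW|CHANGE))\s*=\s*(.*)$")

# Constructed list of valid users and groups (assumption: exported by the admin).
KNOWN_NAMES = ["TwikiAdminGroup", "NICE Users", "IT-DEP-DES",
               "CERN Users", "TwikiGuest", "AlexanderBernegger"]

# Constructed topic text: line 2 uses a partial name, line 3 a misspelled one.
SAMPLE_TOPIC = """\
   * Set ALLOWWEBVIEW = NiCe UseRs, it-dep-des
   * Set ALLOWTOPICVIEW = IT
   * Set ALLOWTOPICCHANGE = IT-DEP-DEZ
   * Set DENYTOPICCHANGE = AlexanderBernegger
"""


def parse_acl(topic_text):
    """Return [(setting, [entries])] for every access-control Set line, in order."""
    result = []
    for line in topic_text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
            result.append((m.group(1), entries))
    return result


def lint_acl(topic_text, known_names):
    """Return [(setting, entry, suggestion)] for entries equal to no known name.

    Comparison is case-insensitive on the whole name, so "it-dep-des" passes
    while "IT" does not. suggestion is the closest known name, or None.
    """
    known = {name.casefold(): name for name in known_names}
    findings = []
    for setting, entries in parse_acl(topic_text):
        for entry in entries:
            if entry.casefold() in known:
                continue
            close = difflib.get_close_matches(entry.casefold(), list(known), n=1)
            findings.append((setting, entry, known[close[0]] if close else None))
    return findings


if __name__ == "__main__":
    for setting, entry, hint in lint_acl(SAMPLE_TOPIC, KNOWN_NAMES):
        print(f"{setting}: '{entry}' matches no known name; closest: {hint}")
```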

Test Cases

Access control set in a TWiki topic:

  • Test the group with ALLOWTOPICVIEW, ALLOWTOPICCHANGE, DENYTOPICVIEW, DENYTOPICCHANGE.
  • Test with the user in a TWikiGroup and also in an ADFS group.
  • Test with DENY from one group and ALLOW from another. What happens if you are in both groups?
  • Test with the ADFS group in its various formats: uppercase, lowercase, with a group email address, etc.

Access control set in a TWiki WebPreferences:

  • Test the group with ALLOWWEBVIEW, ALLOWWEBCHANGE, DENYWEBVIEW, DENYWEBCHANGE.
  • Test with the user in a TWikiGroup and also in an ADFS group.
  • Test with DENY from one group and ALLOW from another. What happens if you are in both groups?
  • Test with the ADFS group in its various formats: uppercase, lowercase, with a group email address, etc.
  • Test if the settings in the WebPreferences are overwritten by settings in a topic.

Test results: TestResults
Test documentation (.doc): test_addon Alex Bernegger
EgroupPluginTests

Flowchart: DisplayTopic
Usecases for ADFSUserMapping: UseCases
Tests with real User: UserTests
Old development: OldDevPage

-- AlexanderBernegger - 2009-09-23

Topic attachments
  • ADFSUserMapping.pm (Perl source code): revisions r4 r3 r2 r1, 9.7 K, 2010-05-10 - 15:25, UnknownUser
  • test_addon.doc (Microsoft Word file): revisions r2 r1, 131.5 K, 2009-11-20 - 13:08, UnknownUser

Topic revision: r34 - 2010-05-10 - unknown
 