Feature: enable single sign-on using Central Authorization Service (CAS) protocol #1211
Comments
Assigned to @Jennoit for internal QA
@scollazo There are some support/deployment-related considerations with "Run Consider running the command (Source: https://djangocas.dev/docs/latest/configuration.html#database)
This feature has been successfully tested using SFU sponsored accounts (one administrator and one not an administrator) in both the Archivematica and Storage Service QA instances. The feature works as described and in testing:
Docs added in artefactual/archivematica-docs#382
QA'd in client environment.
Please describe the problem you'd like to be solved
Archivematica users are not able to implement a single sign-on service using the CAS protocol.
Describe the solution you'd like to see implemented
Feature: CAS single sign-on
Scenario: A user is authenticated through a Central Authentication Service (CAS) single sign-on form and is automatically logged in to an Archivematica session.
Given: The institution hosting Archivematica is running a CAS server.
And: The user has an active CAS account.
And: The user account is present in the Archivematica group member list on the CAS server.
When: The user starts a new session on the institution's domain and navigates to the Archivematica homepage.
Then: The unauthenticated user is redirected to the CAS login form where they enter their CAS username and password.
And: The CAS server successfully authenticates the user, assigns them a session service ticket, and redirects them to the Archivematica server.
And: Archivematica sends the service ticket to the CAS server over HTTPS for validation.
And: The CAS server sends a success response to Archivematica which includes the user attributes set on the CAS server.
And: Archivematica creates a new user account if one matching the CAS account doesn’t already exist.
And: Archivematica sets the user session cookie (with the service ticket stripped off) and redirects the user to a new, authenticated Archivematica session.
And: Archivematica checks its configuration file to see if there are expected CAS attributes for user groups. If so, Archivematica checks whether the user has the appropriate attribute for the Admin group and, if so, elevates their user authorization to admin.
And: If enabled in the Archivematica configuration file, and the Archivematica user account does not already have an email address, one is auto-generated from the user's CAS account name (as the local part) and the institution's domain name (as the domain). This account will be subscribed to Archivematica email notifications.
And: When the user logs out of Archivematica, they are also logged out of the Central Authentication Service.
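The scenario above describes the server side of the CAS flow: the service ticket is validated over HTTPS, the attributes in the CAS response drive admin elevation, an email address may be auto-generated, and the ticket is stripped before the user is redirected. The following is an added, Django-free illustration of those steps written for this issue; it is not Archivematica's or django-cas-ng's code. The configuration keys, function names, the sample CAS responses and the `memberOf` attribute are all constructed for the example (the CAS protocol `serviceResponse` XML format and the `p3/serviceValidate` endpoint are real).

```python
"""Illustrative CAS ticket validation and attribute mapping (not Archivematica code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Namespace used by CAS protocol serviceResponse documents.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Hypothetical configuration, standing in for values read from a config file.
CONFIG = {
    "cas_server_url": "https://cas.example.edu/cas",   # constructed
    "check_admin_attributes": True,
    "admin_attribute": "memberOf",                     # constructed attribute name
    "admin_value": "archivematica-admins",             # constructed group name
    "autoconfigure_email": True,
    "email_domain": "example.edu",                     # constructed
}


@dataclass
class CasUser:
    username: str
    attributes: dict = field(default_factory=dict)  # name -> list of values


class CasValidationError(Exception):
    """Raised when the CAS server rejects the ticket or the response is malformed."""


def build_validate_url(cas_server_url, service_url, ticket):
    """URL the application calls to validate a service ticket; HTTPS is required
    because the ticket is a bearer credential while it is in flight."""
    if not cas_server_url.startswith("https://"):
        raise ValueError("ticket validation must use HTTPS")
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_server_url.rstrip('/')}/p3/serviceValidate?{query}"


def parse_validation_response(xml_text):
    """Parse a CAS serviceResponse. Returns a CasUser on success and raises
    CasValidationError on authenticationFailure or a malformed document."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("malformed response: no success or failure element")
    username = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    if not username:
        raise CasValidationError("malformed response: missing cas:user")
    attributes = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]  # drop the namespace prefix
            attributes.setdefault(name, []).append((child.text or "").strip())
    return CasUser(username=username, attributes=attributes)


def is_admin(user, admin_attribute, admin_value):
    """Elevate only when the configured attribute carries the configured value."""
    return admin_value in user.attributes.get(admin_attribute, [])


def autogenerate_email(user, domain):
    """CAS account name as local part, institution domain as suffix."""
    return f"{user.username}@{domain}"


def strip_ticket(url):
    """Remove the service ticket from the post-login redirect so it never lands
    in browser history, referrers or application logs."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))


def login_from_ticket(response_xml, requested_url, config=CONFIG):
    """Combine the steps of the scenario into one decision record."""
    try:
        user = parse_validation_response(response_xml)
    except CasValidationError as exc:
        return {"authenticated": False, "error": str(exc)}
    result = {
        "authenticated": True,
        "username": user.username,
        "is_admin": bool(config["check_admin_attributes"]
                         and is_admin(user, config["admin_attribute"], config["admin_value"])),
        "redirect": strip_ticket(requested_url),
    }
    if config["autoconfigure_email"]:
        result["email"] = autogenerate_email(user, config["email_domain"])
    return result


# Constructed sample responses, shaped like CAS protocol 3.0 serviceValidate output.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>archivematica-users</cas:memberOf>
      <cas:memberOf>archivematica-admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validate_url(CONFIG["cas_server_url"], "https://am.example.edu/", "ST-1"))
    print(login_from_ticket(SAMPLE_SUCCESS, "https://am.example.edu/?next=%2Fingest&ticket=ST-1"))
    print(login_from_ticket(SAMPLE_FAILURE, "https://am.example.edu/?ticket=ST-1"))
```

Two points worth keeping when wiring this up for real: the validation request goes to the CAS server, never to a URL taken from the browser, and a failed or malformed validation must end with no session being created, which is why `login_from_ticket` returns an explicit `authenticated: False` record instead of a partially filled user.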
Additional context
CAS support will be implemented within Archivematica using the django-cas-ng library (https://djangocas.dev/) and will extend the existing patterns for Shibboleth and LDAP authentication in Archivematica.