[Bug 40596] New: Migrate CAS and Shibboleth into the identity providers
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Bug ID: 40596 Summary: Migrate CAS and Shibboleth into the identity providers Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: tomascohen@gmail.com QA Contact: testopia@bugs.koha-community.org When we envisioned the bug 31378 implementation, it was designed to cover other protocols as well. I'm filing this report to work on this. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | CC| |tomascohen@gmail.com Depends on| |31378 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 [Bug 31378] Add a generic OAuth2/OIDC client implementation -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #1 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185168 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185168&action=edit Bug 40596: Add Shibboleth protocol to identity_providers enum Adds 'Shibboleth' to the protocol enum in the identity_providers table to support Shibboleth authentication through the identity provider system. This extends the existing OAuth, OIDC, LDAP, and CAS protocols to include Shibboleth, enabling unified authentication management. Test plan: 1. Apply patch 2. Verify database schema includes Shibboleth in protocol enum 3. Verify existing identity providers continue to work -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #2 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185169 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185169&action=edit Bug 40596: Add CAS and Shibboleth Identity Provider classes Adds identity provider implementations for CAS and Shibboleth protocols: * Koha::Auth::Identity::Provider::CAS - Defines mandatory config attributes for CAS providers (cas_url) * Koha::Auth::Identity::Provider::Shibboleth - Defines mandatory config attributes for Shibboleth providers (sso_url, slo_url, entity_id) These classes extend the base identity provider functionality to support protocol-specific configuration validation. Test plan: 1. Apply patch 2. Verify classes can be instantiated 3. Verify mandatory_config_attributes returns expected values 4. Test with identity provider upgrade_class() method -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #3 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185170 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185170&action=edit Bug 40596: Add CAS and Shibboleth to protocol class mapping Updates the protocol_to_class_mapping to include CAS and Shibboleth protocols, enabling the upgrade_class() method to properly instantiate the correct provider classes. Changes: * Adds CAS => 'Koha::Auth::Identity::Provider::CAS' * Adds Shibboleth => 'Koha::Auth::Identity::Provider::Shibboleth' Test plan: 1. Apply patch 2. Create identity providers with CAS and Shibboleth protocols 3. Verify upgrade_class() returns correct specialized classes 4. Run t/db_dependent/Koha/Auth/Identity/Provider.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #4 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185171 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185171&action=edit Bug 40596: Add CAS and Shibboleth authentication clients Implements modern authentication clients for CAS and Shibboleth protocols: Koha::Auth::Client::CAS: * Uses Authen::CAS::Client for ticket validation * Provides get_cas_login_url() and get_cas_logout_url() methods * Handles CAS service validation and user data extraction Koha::Auth::Client::Shibboleth: * Extracts Shibboleth attributes from environment variables * Maps attributes using provider configuration * Supports flexible attribute mapping Both clients extend Koha::Auth::Client and integrate with the modern identity provider architecture while maintaining compatibility with existing authentication flows. Test plan: 1. Apply patch 2. Configure CAS/Shibboleth identity providers 3. Test authentication flows 4. Verify user data extraction and mapping 5. Run t/db_dependent/Koha/Auth/Client.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #5 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185172 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185172&action=edit Bug 40596: Add client-level user registration and update methods Implements client-level authentication with user registration and update capabilities, moving the logic from controller-level to client-level. Changes to base Koha::Auth::Client: * Added register_user() method for creating new patrons * Added update_user() method for updating existing patrons * Modified get_user() to automatically handle registration/updates based on domain configuration * Uses domain settings (auto_register, update_on_auth) to control behavior This provides the foundation for OAuth to be refactored to use the same client-level registration/update methods, creating a consistent authentication architecture across all protocols. Test plan: 1. Apply patch 2. Configure identity provider domains with auto_register/update_on_auth 3. Test user auto-creation when domain allows it 4. Test user updates when domain allows it 5. Verify CAS and Shibboleth authentication still works 6. Verify OAuth functionality is preserved -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #6 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185173 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185173&action=edit Bug 40596: Add CAS and Shibboleth compatibility layers Provides compatibility layers between legacy authentication systems and modern identity provider architecture: Koha::Auth::CASCompat: * get_cas_providers() - Returns CAS configuration in legacy format * authenticate_cas_user() - Bridges legacy checkpw_cas interface to modern clients * Supports both modern identity providers and legacy system preferences Koha::Auth::ShibbolethCompat: * get_shibboleth_provider() - Creates provider from legacy or modern config * authenticate_shibboleth_user() - Bridges legacy checkpw_shib interface * get_shibboleth_config() - Returns config in legacy format * Handles attribute mapping and user auto-creation/updates These layers allow existing code to continue working unchanged while using modern authentication internally. Test plan: 1. Apply patch 2. Test CAS authentication with existing configurations 3. Test Shibboleth authentication with existing configurations 4. Verify user auto-creation and updates work as expected 5. Run t/db_dependent/Auth_with_cas.t 6. Run t/db_dependent/Auth_with_shibboleth.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #7 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185174 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185174&action=edit Bug 40596: Add authentication provider migration script Provides a migration tool to convert legacy CAS and Shibboleth configurations to modern identity providers. Features: * Migrates casServerUrl system preference to CAS identity provider * Migrates shibboleth configuration to Shibboleth identity provider * Supports dry-run mode to preview changes * Verbose output for detailed migration information * Checks for existing providers to avoid duplicates Usage: perl misc/migration_tools/migrate_authentication_providers.pl [--dry-run] [--verbose] Test plan: 1. Apply patch 2. Set up legacy CAS/Shibboleth configuration 3. Run script with --dry-run to preview migration 4. Run script to perform actual migration 5. Verify identity providers are created correctly 6. Test authentication with migrated providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #8 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185175 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185175&action=edit Bug 40596: Integrate CAS and Shibboleth compatibility layers into C4::Auth Integrates the modern CAS and Shibboleth compatibility layers into the legacy authentication system, providing a bridge between old and new implementations. Changes to C4::Auth: * Updated imports to use compatibility layers instead of direct legacy calls * Added calls to CASCompat::authenticate_cas_user() for CAS authentication * Added calls to ShibbolethCompat::authenticate_shibboleth_user() for Shibboleth * Updated CAS provider lookup to use CASCompat::get_cas_providers() * Added runtime loading of compatibility modules for test scenarios * Maintains full backward compatibility with existing authentication flows The compatibility layers use modern client-level architecture internally while presenting the legacy interface expected by C4::Auth. Test plan: 1. Apply patch 2. Test CAS authentication with existing configurations 3. Test Shibboleth authentication with existing configurations 4. Test user auto-creation and updates work as expected 5. Run t/db_dependent/Auth.t and verify CAS/Shibboleth tests pass 6. Verify no regressions in OAuth or internal authentication -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #9 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185176 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185176&action=edit Bug 40596: Fix Identity Provider test plan for CAS and Shibboleth protocols The upgrade_class() test was failing because it planned 5 tests but ran 9. This happened because we added CAS and Shibboleth protocols to the protocol_to_class_mapping, increasing the number of protocols from 2 to 4. The test runs 2 tests per protocol plus 1 test for invalid protocol: - Original: 2 protocols × 2 tests + 1 = 5 tests - Current: 4 protocols × 2 tests + 1 = 9 tests Updated the test plan to reflect the correct number of tests. Test plan: 1. Apply patch 2. Run prove t/db_dependent/Koha/Auth/Identity/Provider.t 3. Verify all tests pass including upgrade_class() tests -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #10 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 185177 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=185177&action=edit Bug 40596: Fix Shibboleth compatibility layer for test scenarios The Shibboleth compatibility layer needed proper test integration. Instead of bypassing the new code in tests (which would mean tests don't validate production code), this updates the test to mock the new authenticate_shibboleth_user function directly. This ensures: 1. Tests validate the actual production code path 2. The new compatibility layer is properly tested 3. No bypassing of production code in test scenarios 4. Full test coverage of the new authentication architecture The test now mocks Koha::Auth::ShibbolethCompat::authenticate_shibboleth_user instead of the legacy C4::Auth_with_shibboleth::checkpw_shib function, ensuring that the test exercises the same code path as production. Test plan: 1. Apply patch 2. Run prove t/db_dependent/Auth.t 3. Verify all tests pass including Shibboleth tests 4. Verify tests are actually calling the new compatibility layer 5. Run prove t/db_dependent/Auth_with_shibboleth.t 6. Verify Shibboleth-specific tests still pass -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au, | |kyle@bywatersolutions.com, | |martin.renvoize@openfifth.c | |o.uk, | |nick@bywatersolutions.com Status|NEW |In Discussion --- Comment #11 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Hi, this is a pet project I've been working on. I share it early to gather some opinions. Mostly about design decisions. It is not complete: * no UI changes in IdP config * haven't checked if the optimistic implementation of the IdP handles login correctly in the UI * Some methods are still used from the old classes (logout, etc). We probably need to implement them generically and/or the protocol-specific classes. There's a bug for OAuth2 logout somewhere. I have another patchset in which I wanted to create classes for validating credentials. But then I moved here as I think this protocols could be a PITA in terms of refactoring/moving C4::Auth somewhere else. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=31900 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |hagud@orex.es -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi (tcohen) from comment #11)
Hi, this is a pet project I've been working on. I share it early to gather some opinions. Mostly about design decisions.
* haven't checked if the optimistic implementation of the IdP handles login correctly in the UI
I'm time poor at the moment, but I'd be keen to try out the SAML using Keycloak. Added Hugo via CC as I think this is a topic that he's interested in, so hopefully he can provide some useful feedback as well. I think he has Koha instances that use CAS, SAML, and OIDC.
* Some methods are still used from the old classes (logout, etc). We probably need to implement them generically and/or the protocol-specific classes. There's a bug for OAuth2 logout somewhere.
I've added the See Also for bug 31900 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=14035 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=12680 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=24880 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37711 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37715 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Oliver Behnke <oliver.behnke@aei.mpg.de> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40650 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Oliver Behnke <oliver.behnke@aei.mpg.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |oliver.behnke@aei.mpg.de --- Comment #13 from Oliver Behnke <oliver.behnke@aei.mpg.de> --- Please note 40650 in this context as well. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |Needs Signoff --- Comment #14 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Changing the status in case we get more eyes. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40830 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #15 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi (tcohen) from comment #11)
Hi, this is a pet project I've been working on. I share it early to gather some opinions. Mostly about design decisions.
I don't use Koha's existing CAS and Shibboleth/SAML integrations, unfortunately. We do have our own custom SAML integrations though. Perhaps I could look at those and see how they would factor in. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=39224 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@libriotech.no --- Comment #16 from Magnus Enger <magnus@libriotech.no> --- Can this co-exist with bug 39224, or is there a conflict? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #17 from Oliver Behnke <oliver.behnke@aei.mpg.de> --- I need to ask this: does the planned implementation cover extended patron attributes (see bug 40650)? Without it would be an incomplete solution, IMHO, compared to LDAP for instance. Thanks -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #18 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to Magnus Enger from comment #16)
Can this co-exist with bug 39224, or is there a conflict?
Jacob and I will try to make his work resemble this approach more, during this cycle. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #19 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to Oliver Behnke from comment #17)
I need to ask this: does the planned implementation cover extended patron attributes (see bug 40650)? Without it would be an incomplete solution, IMHO, compared to LDAP for instance.
Thanks
I think we want feature parity with the current implementation. Then we can add enhancements. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matthias.meusburger@biblibr | |e.com --- Comment #20 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Hi! If I'm correct, this patch would also allow us to get rid of some parts of "Bug 5630 - CAS improvements", specifically: Bug 5630 : Adds the ability to authenticate against multiple CAS servers That means removing C4/Auth_cas_servers.yaml, no longer needed, and the code that handles it in C4/Auth_with_cas.pm. We should think of migrating from the yaml config to identity provider entries though. Indeed, migrating CAS into the identity providers allows to have multiple CAS servers defined. Moreover, it also does a better job than Auth_cas_servers.yaml since it allows to have different CAS servers defined at OPAC and Intranet if needed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |39224 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 [Bug 39224] Move Shibboleth config from koha-conf to the DB -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #21 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- I'm taking this one over.. I've borrowed a lot of the idea's from it for a modern server approach, but I'm going to built it on top of the Shibboleth/SAML migration to the UI which reworks the UI in Vue. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Migrate CAS and Shibboleth |Migrate CAS configuration |into the identity providers |into the identity providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|39224 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 [Bug 39224] Migrate SAML/Shibboleth configuration into Identity Providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |39224 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 [Bug 39224] Migrate SAML/Shibboleth configuration into Identity Providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Migrate CAS configuration |Migrate CAS configuration |into the identity providers |into Identity Providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |BLOCKED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|tomascohen@gmail.com |martin.renvoize@openfifth.c | |o.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |41908 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41908 [Bug 41908] Migrate LDAP configuration into Identity Providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|31378 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 [Bug 31378] Add a generic OAuth2/OIDC client implementation -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Medium patch Status|BLOCKED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185168|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185169|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185170|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185171|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185172|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185173|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185174|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185175|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185176|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #185177|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #22 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195113 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195113&action=edit Bug 40596: DB atomicupdate - add CAS to identity providers, migrate config Adds 'CAS' to the identity_providers.protocol enum and migrates any existing CAS configuration into the identity_providers table: - If Auth_cas_servers.yaml exists, each server becomes a separate identity provider record. - Otherwise, casServerUrl/casServerVersion system preferences are used to create a single provider (code: 'cas'). The casServerUrl and casServerVersion preferences are superseded by the Identity Providers configuration after migration. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #23 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195114 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195114&action=edit Bug 40596: Automated Schema Update Patch from commit 287a03d -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #24 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195115 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195115&action=edit Bug 40596: Add Koha::Auth::Identity::Provider::CAS class Adds a new CAS protocol class to the identity provider framework. CAS providers store their connection details in the config JSON blob: server_url (required) - base URL of the CAS server version (optional) - '2' (default) or '3' Updates Koha::Auth::Identity::Providers to include CAS in the polymorphic protocol map alongside OAuth, OIDC, and SAML2. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #25 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195116 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195116&action=edit Bug 40596: Migrate C4::Auth_with_cas to use identity providers Removes the legacy YAML file and casServerUrl/casServerVersion syspref lookups. All CAS server configuration is now read from the identity_providers table via Koha::Auth::Identity::Providers. Key changes: - multipleAuth() and getMultipleAuth() query enabled CAS providers from the database instead of reading Auth_cas_servers.yaml. - login_cas_url(), login_cas(), and checkpw_cas() look up the provider by code; the provider code is encoded into the CAS service URL as cas_provider=<code> so it is echoed back with the ticket redirect. - logout_cas() accepts an optional provider code parameter; the CAS protocol version is read from the provider's config rather than the casServerVersion system preference. - check_api_auth_cas() uses the same provider lookup for proxy tickets. - Private helper _get_cas_provider() resolves a provider by code or returns the first enabled CAS provider as a default. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #26 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195117 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195117&action=edit Bug 40596: Update C4::Auth to use CAS identity providers Removes the syspref-driven $cas/$caslogout module globals and the conditional loading of C4::Auth_with_cas from the BEGIN block. C4::Auth_with_cas is now imported unconditionally. CAS presence is detected at runtime from the identity_providers table rather than from the casAuthentication system preference: - The casAuthentication template variable is now set from a live DB count of enabled CAS providers. - Login-page CAS URL rendering iterates over identity provider codes instead of Auth_cas_servers.yaml keys; the old ?cas= query parameter is replaced by the cas_provider= parameter embedded in the service URL. - The ticket-validation condition in checkauth and checkpw checks for the cas_provider CGI parameter rather than the $cas global. - cas_provider is stored in the user session alongside cas_ticket so logout_cas receives the correct provider code on sign-out. - The forced-SSO redirect for CAS providers uses login_cas_url() directly with the provider's code. - Proxy-ticket (PT) handling in check_api_auth no longer requires the casAuthentication syspref to be enabled. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #27 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195118 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195118&action=edit Bug 40596: Add CAS protocol to identity provider REST API and admin UI Adds 'CAS' to the identity_provider OpenAPI definition enum so the REST API accepts and returns CAS providers. Extends the Identity Providers admin UI (ProviderResource.vue) with: - CAS option in the protocol dropdown. - CAS settings group with server_url (required) and version (optional, 'CAS 2 or earlier' / 'CAS 3 or later') configuration fields. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #28 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195119 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195119&action=edit Bug 40596: Update CAS authentication tests Updates t/db_dependent/Auth_with_cas.t to reflect the migration from syspref/YAML-based CAS to identity-provider-based CAS: - logout_cas() subtest mocks _get_cas_provider and Authen::CAS::Client instead of the removed _get_cas_and_service helper. - CAS version is now asserted from provider config (get_config) rather than the casServerVersion system preference. - logout_cas() is called with the provider code argument. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #29 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- OK, I don't have a CAS system to test this again, so I've been coding a little blind. Maybe we could test this together at Hackfest Matthias -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Oliver Behnke <oliver.behnke@aei.mpg.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC|oliver.behnke@aei.mpg.de | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #30 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Hi Martin! First of all, thanks for the patches! I didn't succeed (yet) at configuring Keycloak for CAS authentication in my KTD. (stuck at "unauthorized application" at the moment). However, I would gladly spend some time at hackfest to make this work and test this feature! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #31 from David Cook <dcook@prosentient.com.au> --- (In reply to Matthias Meusburger from comment #30)
Hi Martin!
First of all, thanks for the patches!
I didn't succeed (yet) at configuring Keycloak for CAS authentication in my KTD. (stuck at "unauthorized application" at the moment).
However, I would gladly spend some time at hackfest to make this work and test this feature!
Keycloak can only do OIDC and SAML - not CAS I believe. Unless there is a plugin out there for that? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #32 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #31)
(In reply to Matthias Meusburger from comment #30)
Hi Martin!
First of all, thanks for the patches!
I didn't succeed (yet) at configuring Keycloak for CAS authentication in my KTD. (stuck at "unauthorized application" at the moment).
However, I would gladly spend some time at hackfest to make this work and test this feature!
Keycloak can only do OIDC and SAML - not CAS I believe. Unless there is a plugin out there for that?
Of course, as soon as I say that, I see that there is an extension for it haha. https://www.keycloak.org/extensions https://github.com/jacekkow/keycloak-protocol-cas It could be good to actually include that extension with the Keycloak we're using in KTD. It's so tempting to have a crack at that... but I have so many other things to do too... 😅 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #33 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #32)
Of course, as soon as I say that, I see that there is an extension for it haha.
https://www.keycloak.org/extensions https://github.com/jacekkow/keycloak-protocol-cas
It could be good to actually include that extension with the Keycloak we're using in KTD.
It's so tempting to have a crack at that... but I have so many other things to do too... 😅
It looks like the image we're using is quay.io/keycloak/keycloak I think we'll need to do a custom image. It's not hard to do. I've done it before for the keycloak-user-storage-koha extension I made: https://gitlab.com/minusdavid/keycloak-user-storage-koha/-/blob/master/Docke... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #34 from David Cook <dcook@prosentient.com.au> --- Might need an entry in dockerhub like koha/koha-sso? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #35 from David Cook <dcook@prosentient.com.au> --- That said, sometimes I wonder about trying out Apereo CAS which claims to do just about everything: https://github.com/apereo/cas -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |42074 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42074 [Bug 42074] [Omnibus] Migrate auth mechanisms to Identity Providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #195113|0 |1 is obsolete| | Attachment #195114|0 |1 is obsolete| | Attachment #195115|0 |1 is obsolete| | Attachment #195116|0 |1 is obsolete| | Attachment #195117|0 |1 is obsolete| | Attachment #195118|0 |1 is obsolete| | Attachment #195119|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #36 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195787 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195787&action=edit Bug 40596: DB atomicupdate - add CAS to identity providers, migrate config Adds 'CAS' to the identity_providers.protocol enum and migrates any existing CAS configuration into the identity_providers table: - If Auth_cas_servers.yaml exists, each server becomes a separate identity provider record. - Otherwise, casServerUrl/casServerVersion system preferences are used to create a single provider (code: 'cas'). The casServerUrl and casServerVersion preferences are superseded by the Identity Providers configuration after migration. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #37 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195788 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195788&action=edit Bug 40596: Automated Schema Update Patch from commit 2c8df2b -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #38 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195789 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195789&action=edit Bug 40596: Add Koha::Auth::Identity::Provider::CAS class Adds a new CAS protocol class to the identity provider framework. CAS providers store their connection details in the config JSON blob: server_url (required) - base URL of the CAS server version (optional) - '2' (default) or '3' Updates Koha::Auth::Identity::Providers to include CAS in the polymorphic protocol map alongside OAuth, OIDC, and SAML2. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #39 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195790 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195790&action=edit Bug 40596: Migrate C4::Auth_with_cas to use identity providers Removes the legacy YAML file and casServerUrl/casServerVersion syspref lookups. All CAS server configuration is now read from the identity_providers table via Koha::Auth::Identity::Providers. Key changes: - multipleAuth() and getMultipleAuth() query enabled CAS providers from the database instead of reading Auth_cas_servers.yaml. - login_cas_url(), login_cas(), and checkpw_cas() look up the provider by code; the provider code is encoded into the CAS service URL as cas_provider=<code> so it is echoed back with the ticket redirect. - logout_cas() accepts an optional provider code parameter; the CAS protocol version is read from the provider's config rather than the casServerVersion system preference. - check_api_auth_cas() uses the same provider lookup for proxy tickets. - Private helper _get_cas_provider() resolves a provider by code or returns the first enabled CAS provider as a default. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #40 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195791 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195791&action=edit Bug 40596: Update C4::Auth to use CAS identity providers Removes the syspref-driven $cas/$caslogout module globals and the conditional loading of C4::Auth_with_cas from the BEGIN block. C4::Auth_with_cas is now imported unconditionally. CAS presence is detected at runtime from the identity_providers table rather than from the casAuthentication system preference: - The casAuthentication template variable is now set from a live DB count of enabled CAS providers. - Login-page CAS URL rendering iterates over identity provider codes instead of Auth_cas_servers.yaml keys; the old ?cas= query parameter is replaced by the cas_provider= parameter embedded in the service URL. - The ticket-validation condition in checkauth and checkpw checks for the cas_provider CGI parameter rather than the $cas global. - cas_provider is stored in the user session alongside cas_ticket so logout_cas receives the correct provider code on sign-out. - The forced-SSO redirect for CAS providers uses login_cas_url() directly with the provider's code. - Proxy-ticket (PT) handling in check_api_auth no longer requires the casAuthentication syspref to be enabled. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #41 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195792 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195792&action=edit Bug 40596: Add CAS protocol to identity provider REST API and admin UI Adds 'CAS' to the identity_provider OpenAPI definition enum so the REST API accepts and returns CAS providers. Extends the Identity Providers admin UI (ProviderResource.vue) with: - CAS option in the protocol dropdown. - CAS settings group with server_url (required) and version (optional, 'CAS 2 or earlier' / 'CAS 3 or later') configuration fields. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 --- Comment #42 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195793 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195793&action=edit Bug 40596: Update CAS authentication tests Updates t/db_dependent/Auth_with_cas.t to reflect the migration from syspref/YAML-based CAS to identity-provider-based CAS: - logout_cas() subtest mocks _get_cas_provider and Authen::CAS::Client instead of the removed _get_cas_and_service helper. - CAS version is now asserted from provider config (get_config) rather than the casServerVersion system preference. - logout_cas() is called with the provider code argument. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|39224 |40560 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 [Bug 39224] Migrate SAML/Shibboleth configuration into Identity Providers https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40560 [Bug 40560] Incorrect breadcrumb on recall history -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|40560 |40650 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40560 [Bug 40560] Incorrect breadcrumb on recall history https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40650 [Bug 40650] Identity providers lack support for extended patron attribute type mapping -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org