[Bug 21577] New: Enable Koha to act as Shibboleth identity provider
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Bug ID: 21577 Summary: Enable Koha to act as Shibboleth identity provider Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: josef.moravec@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org For us it is important now, as we are going to append our Koha to national project which aims to enable users to use "all" libraries from one place. Maybe this could be implemented using Net::SAML2::IdP -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |black23@gmail.com, | |katrin.fischer@bsz-bw.de -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Michal Denar <black23@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rbit@rbit.cz -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 --- Comment #1 from Michal Denar <black23@gmail.com> --- MAybe we can use https://metacpan.org/pod/Net::SAML2 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 --- Comment #2 from Josef Moravec <josef.moravec@gmail.com> --- I implemented a module for simplesamlphp that is using ils-di, it is here if anybody interested: https://gitlab.com/josef.moravec/simplesamlphp-koha-ils-di-authentication-mo... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Recently, I've been thinking about using Keycloak (https://www.keycloak.org/) as a SAML/OpenID Connect identity provider for Koha, but I suppose Koha is the thing that is acquiring the user information, so maybe it could make sense having it as the identity provider... ...but I'm curious about your use case. I don't think I understand. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Mathieu Pelletier <mkpelletier@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mkpelletier@gmail.com --- Comment #4 from Mathieu Pelletier <mkpelletier@gmail.com> --- Koha was never really written to function as a shibboleth IDP, so this seems to fall outside the purpose of the project. That said, you could use SimpleSAML with the SQL Auth plugin to query Koha's borrowers table, effectively making Koha your source for user data. We have done something similar, but with Moodle as the Idp. For more information, consider looking here: https://simplesamlphp.org/docs/stable/sqlauth:sql -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 --- Comment #5 from Josef Moravec <josef.moravec@gmail.com> --- (In reply to Mathieu Pelletier from comment #4)
Koha was never really written to function as a shibboleth IDP, so this seems to fall outside the purpose of the project. That said, you could use SimpleSAML with the SQL Auth plugin to query Koha's borrowers table, effectively making Koha your source for user data. We have done something similar, but with Moodle as the Idp.
For more information, consider looking here: https://simplesamlphp.org/docs/stable/sqlauth:sql
Hi Mathieu, thanks for your comment, we are going to use SimpleSAML for IdP, we just wrote plugin for ILS-DI authentication - it is not ideal, but it works... https://gitlab.com/josef.moravec/simplesamlphp-koha-ils-di-authentication-mo... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |new feature -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to Josef Moravec from comment #0)
For us it is important now, as we are going to append our Koha to national project which aims to enable users to use "all" libraries from one place.
Could you elaborate on this one? I'm still trying to understand the purpose of this bug report. If you wanted to enable users to use all libraries, wouldn't you want a centralized Identity Provider (like Keycloak) and then connect all the different libraries to it? Or is the idea that the national library would run Koha, control the patron database, and all other libraries in the country would authenticate off that national library Koha? I'm intrigued in any case! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |paul.derscheid@lmscloud.de -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Amit Gupta <amitddng135@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |amitddng135@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Amit Gupta <amitddng135@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |amit.gupta@informaticsgloba | |l.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=30962 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Btw we've added a REST API endpoint for validating username/password at bug 30962 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- I also wrote a Keycloak extension that uses the REST API endpoint from bug 30962 which allows you to use Keycloak as the Identity Provider with the Koha user database as the underlying user datastore. I haven't made this extension public yet, as I'm not that keen on supporting it solo. But I suppose I should just do it one of these days... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #8)
I also wrote a Keycloak extension that uses the REST API endpoint from bug 30962 which allows you to use Keycloak as the Identity Provider with the Koha user database as the underlying user datastore.
I haven't made this extension public yet, as I'm not that keen on supporting it solo. But I suppose I should just do it one of these days...
I've uploaded the Keycloak extension at https://gitlab.com/minusdavid/keycloak-user-storage-koha Hopefully there is enough information there for people to build, deploy, and use it. If not, raise an issue there or email me or something. But that extension allows you to use Keycloak as a SAML/Shibboleth Identity Provider using Koha's user database for authentication. So you can setup Koha to authenticate against Keycloak, and you'll be logging into Keycloak's interface using your Koha username and password. You can then have other systems authenticating against Keycloak using a Koha username and password. This is a way of achieving the goal of bug 21577 without re-inventing the wheel. Keycloak is a great open source identity management system backed by Red Hat, and it's great that we can use it to build up Koha functionality. -- That being said... I should add a warning that this Keycloak extension relies on a deprecated SPI. At some stage, it will go away, although it will be replaced with a new system. At that point, I'll do a new Keycloak extension that uses that. But good to know what's coming down the pipes... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577 Michaela Sieber <michaela.sieber@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |clemens.tubach@kit.edu, | |lukasz.koszyk@kit.edu, | |michaela.sieber@kit.edu -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org