Details
Improvement
Status: Resolved
Minor
Resolution: Fixed
2.3
None
Description
It would be, in certain cases, useful for Shibboleth-authenticated users to have access to the XMLRPC interface.
If an external web application (e.g. Moodle) were to use the remote API and if the corresponding user is authenticated in the VCL via Shibboleth, then there are two reasons why this currently fails. First, a Shibbolized VCL knows nothing about a user's password and would not be able to authenticate a user based on that. Second, there is no means for handling a user from an affiliation with 'type' => 'redirect' (specified in $authMechs) in the utils.php:checkAccess() function.
If the password field is, instead, an authentication token known only (internally) by the remote application, and if authentication requests must pass through an IP-based filter, then it is possible to retain a sufficiently high level of security in the application, while allowing remote applications to make reservation requests on behalf of Shibboleth users. The verification function could be defined in conf.php and therefore controlled by the local VCL administrator.
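A sketch of the verification function proposed above, as an added example that is not VCL code. The function names, the `$xmlrpcRemoteApps` array and its keys are hypothetical, the token and addresses are constructed, and only IPv4 is handled.

```php
<?php
// Hypothetical conf.php-style settings (names are assumptions, not VCL's own).
$xmlrpcRemoteApps = array(
    'moodle' => array(
        'networks'  => array('192.0.2.10/32', '198.51.100.0/24'), // constructed ranges
        'tokenhash' => hash('sha256', 'constructed-sample-token'), // store only the hash
    ),
);

// Return true if IPv4 address $ip lies inside CIDR block $cidr.
function ipInCidr($ip, $cidr) {
    list($net, $bits) = array_pad(explode('/', $cidr, 2), 2, '32');
    if (!ctype_digit($bits))
        return false;
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $bits = (int)$bits;
    if ($ipLong === false || $netLong === false || $bits > 32)
        return false;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Hypothetical verification function: the value sent in the XML-RPC password
// field is treated as an application token, accepted only from allowed IPs.
function verifyRemoteAppToken($app, $token, $remoteIP, $apps) {
    if (!is_string($token) || !isset($apps[$app]))
        return false;
    $allowed = false;
    foreach ($apps[$app]['networks'] as $cidr) {
        if (ipInCidr($remoteIP, $cidr)) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed)
        return false;
    // Constant-time comparison avoids leaking how much of the token matched.
    return hash_equals($apps[$app]['tokenhash'], hash('sha256', $token));
}

// Constructed calls: allowed IP with the right token, a disallowed IP, a wrong token.
// In a real request $remoteIP would be $_SERVER['REMOTE_ADDR'], never a forwarded header.
var_dump(verifyRemoteAppToken('moodle', 'constructed-sample-token', '198.51.100.7', $xmlrpcRemoteApps));
var_dump(verifyRemoteAppToken('moodle', 'constructed-sample-token', '203.0.113.5', $xmlrpcRemoteApps));
var_dump(verifyRemoteAppToken('moodle', 'guessed-token', '192.0.2.10', $xmlrpcRemoteApps));
```

The IP check runs before the token comparison, so requests from outside the allowed networks are rejected without revealing whether the token was valid.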