Adding an Authentication Service
Users are authenticated to Sundial via a registered and trusted authentication service. Once authenticated by this trusted service, Sundial attempts to locate the user amongst registered users of the Sundial application, associated security groups, and application privileges.
Sundial is able to work with multiple authentication services via a defined interface used by its Security Manager. PHP classes implementing Sundial's Security Manager Interface and providing a mechanism of authentication and validation with a given authentication service may be added to a given site's instantiation of Sundial.
How To Do It
Step One: Create A PHP Class
Interfaces to a given authentication service should be written as a PHP class extending Sundial's ISecurityManager defined in {CALENDAR_ROOT}include/auth/ISecurityManager.class.php. The new interface must implement the base functionality as defined within the ISecurityManager class.
Interfaces are responsible for prompting authentication, validating authentication, maintaining a bit of stateful information, performing a logout process, and destroying stateful information upon logout. Interfaces are not responsible for authorization.
| ISecurityManager.class.php |
|---|
 |
<?php
/*
############################################################################
# Copyright (c) 2004 Columbia College Information Technology,
# all rights reserved.
#
############################################################################
#
# Created by: John Grogan
# Email: jeanluc@columbia.edu
# Created: 2004/05/26 13:50:54
#
############################################################################
#
# This is the interface that allows Sundial's security manager
# to work with various authentication services. Authentication
# service interface classes should extend this interface and implement
# its functionality.
#
############################################################################
*/
class ISecurityManager {
var $_lastErrorMsg;
var $_userName;
var $_userAffiliations;
/* Constructor Function
----------------------------------------------------------------------
your constructor should return true if all settings passed to your
constructor were good and an object could be fully initialized.
otherwise, your constructor should return false.
----------------------------------------------------------------------- */
function ISecurityManager ($settings) {
// the settings passed to your security manager are those defined
// within {CALENDAR_ROOT/include/config.php. validate settings passed
// to your interface
// initialize variables
$this->_userName = null;
$this->_userAffiliations = null;
$this->_lastErrorMsg = null;
return(true);
}
/* Accessor Functions
-----------------------------------------------------------------------
SecurityManager.class.php will call upon the following accessor
methods:
- getLastErrorMessage() -> reports message filed (if any) for last
request.
- getUserName() -> if a user succesfully authenticated,
returns string containing the user name of
the user as known to the authentication
service
- getUserAffiliations() -> if a user succesfully authenticated,
returns array of strings containing names of
security groups or affiliations returned
by the authentication service
----------------------------------------------------------------------- */
// should return string containing error message or empty string
// if no error occurred during last operation
function getLastErrorMessage() {
return($this->_lastErrorMsg);
}
// should return string containing user name or empty string
// if no user authenticated
function getUserName() {
return($this->_userName);
}
function getUserAffiliations() {
// should return array of strings containing user affiliations/
// security groups or null
return($this->_userAffiliations);
}
// private function that sets the last error message
function _setErrorMsg($msg) {
$this->_lastErrorMsg = $msg;
}
/* Task Functions
-----------------------------------------------------------------------
The first thing each task function should do is clear the last error
message recorded during a former task.
----------------------------------------------------------------------- */
// isAuthenticated() should determine whether a user has authenticated
// and return a true or false value to report its finding to Sundial's
// Security Manager
function isAuthenticated () {
// begin afresh
unset($this->_lastErrorMsg);
// return finding as to whether a user has authenticated
if ($userAuthenticated) return(true);
else return(false);
}
// logout() should clear internal state and do whatever is necessary
// to ensure that a user has logged out with the authentication service
// being interfaced with. if the loguout process is succesful, should
// return true. if the logout process fails, should return false.
function logout () {
// begin afresh
unset($this->_lastErrorMsg);
// clear internal object state
unset($this->_userName);
unset($this->_userAffiliations);
// do whatever necessary to logout or clean up state with the
// autentication service
if ($logoutSuccesful) return(true);
else return(false);
}
// authenticate() should do whatever is necessary to authenticate a user
// with a given authentication service (e.g. get a user prompted to
// authenticate, validate response of authentication service, set internal
// state, etc. returns true if authentication process succesful, otherwise
// returns false
function authenticate() {
// begin afresh
unset($this->_lastErrorMsg);
// clear state
unset($this->_userName);
unset($this->_userAffiliations);
// do whatever is necessary to authentication a user using
// authentication service
// convert user affiliations / security groups returned to
// an array of strings
// set the userName and userAffiliations
$this->_userName = $returnedUserName;
$this->_userAffiliations = $returnedUserAffiliationsArray;
if ($authenticationSuccesful) return(true);
else return(false);
} // endFunction authenticate()
} // endInterface
?>
|
Step Two: Install the New Class
Once the PHP class implementing an interface to the authentication service has been established, the class and all associated files should be placed within the following directory:
{CALENDAR_ROOT}include/auth/
Step Three: Register the Authentication Service
For Sundial to use the new authentication service, the authentication service must be registered within Sundial's global configuration file:
{CALENDAR_ROOT}include/config.php
To register the authentication service, you must define the following items:
-
namespace - The namespace which will be associated with users and affiliations returned via the authentication service.
-
classLib - The name of the class library which implements an interface for the authentication service.
-
className - The name of the php class within the class library
-
settings - An optional associative array of any settings required to configure the behavior of the authentication service.
These items are declared within an associative array and added to the $g_authServices array which is keyed on an authentication services code used throughout Sundial and its interfaces to specify the authentication service to be used in authenticating users.
If the new authentication service is to be the default authentication service for the installation of Sundial, the SECURITY_MANAGER_DEFAULT_AUTHENTICATION_SERVICE may be set to the authentication service code elected.
| config.php |
|---|
|
// default authentication service
define("SECURITY_MANAGER_DEFAULT_AUTHENTICATION_SERVICE", "wind");
// register authentication services that may be used with
// installed instance of Sundial and set their configuration options
$g_authServices =
array(
"local" => array("nameSpace" => "local",
"classLib" => "ILocal.class.php",
"className" => "ILocal"),
"wind" => array("nameSpace" => "CU",
"classLib" => "IWind.class.php",
"className" => "IWind",
"settings" => array("windService" => "sundial",
"fetchAffiliations" => true,
"logoutDestinationUrl" => CALENDAR_FULL_URL . "logout.php")));
|