Design proposal: External Authentication in Manila

Here is a short proposal for a Manila modification that allows authentication against either the local database or a single remote system.

1. On any page where a user is asked to create a new password (“New Site”, “Sign Up”), we instruct users that have an address ending in @school.edu to leave the password fields blank. Users with emails in other domains should enter passwords as usual. We modify the input validation accordingly. With the exception of the blank passwords, user records are created in the object database at the same time and in the same way for all users.

2. On any page that validates a user’s password (“Login”), we check for an @school.edu extension. If we find one, we validate against the school’s authenticator. If we find some other extension, we check the password in the usual way.

3. Upon successful authentication of an external user, we issue a dummy “native” password as David Carter-Tod describes at http://www.wcc.vccs.edu/dtod/frontier/ldapManila.html, so that mainResponder can use cookies in its usual way.

Assumptions:

  • Local and externally authenticated users can be distinguished by looking at their email domains. Hence student@school.edu should be authenticated against the school’s authenticator and alum@corp.com should be authenticated against the local database.
  • An externally authenticated user’s username is equal to the first part of their email address. So student@school.edu should be authenticated against the external system with username “student”.
  • We will not do anything fancy to synchronize profile information, such as the user’s name and address, against a central system. This information must be entered and managed in Manila for all users.
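
The login routing of steps 2 and 3 under the assumptions above, as an added Python example rather than Manila or UserTalk code. The names `authenticate`, `members` and `external_check` and the sample data are hypothetical stand-ins, and local passwords are assumed to be stored as salted hashes.

```python
import hashlib
import hmac
import secrets

EXTERNAL_DOMAIN = "school.edu"  # the externally authenticated domain from the proposal

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def split_email(email):
    """Return (username, domain) in lower case, or None unless there is exactly one '@'."""
    local, sep, domain = email.strip().lower().partition("@")
    if not (sep and local and domain) or "@" in domain:
        return None
    return local, domain

def authenticate(email, password, members, external_check):
    """Return 'external', 'local' or None. `members` and `external_check` are
    hypothetical stand-ins for the object database and the school's authenticator."""
    parts = split_email(email)
    if parts is None or not password:   # a blank password never reaches a backend
        return None
    username, domain = parts
    record = members.get(f"{username}@{domain}")
    if record is None:
        return None
    if domain == EXTERNAL_DOMAIN:       # exact match, so myschool.edu stays local
        if not external_check(username, password):
            return None                 # no fallback to the local database
        # Step 3: fresh random dummy "native" password for the cookie machinery
        record["native_password"] = secrets.token_urlsafe(32)
        return "external"
    stored = record.get("pw_hash")
    if stored and hmac.compare_digest(stored, hash_pw(password, record["salt"])):
        return "local"
    return None

# Constructed sample data: one school user created with blank password fields,
# one local user, and a fake authenticator that knows a single account.
SALT = b"constructed-salt"
MEMBERS = {
    "student@school.edu": {"pw_hash": None, "salt": None},
    "alum@corp.com": {"pw_hash": hash_pw("local-secret", SALT), "salt": SALT},
}
def fake_school_check(username, password):
    return (username, password) == ("student", "campus-secret")

if __name__ == "__main__":
    print(authenticate("Student@School.EDU", "campus-secret", MEMBERS, fake_school_check))
```

Because school.edu addresses are only ever checked against the external authenticator, neither the blank password stored at sign-up nor the dummy native password issued in step 3 works as a login credential.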

Benefits:

  • No new pages or changes to screen flow.
  • Small changes to existing pages.
  • (I think) No changes to Manila core.

Questions:

  • How do we arrange things so that our modifications to member.login() appear in each new site when it is created?
  • What other pages will be affected by our change? E.g. “email my password”.
