This page describes code changes for adding external authentication to Manila.
The first step is to change the login code for all Manila sites, which lives at manilaSuite.members.login. Here is our modified version with our changes highlighted in red.

We've added three function calls in mit.extAuth:

mit.extAuth.requiresSsl returns a boolean indicating whether SSL is required. This gives the external authentication module a way to indicate its security requirements. We provide this call because the security stakes are higher with organization-wide passwords. SSL is often a requirement. But SSL is not free (you need to purchase a security certificate and Macrobyte TLS, neither of which ships with standard Manila) and it adds some complexity to your system. So this function provides an escape route.

mit.extAuth.isExternal determines from the email address whether the user should be authenticated externally. In our case, we simply check for an @mit.edu email domain. This call allows us to have both local and externally authenticated users.

mit.extAuth.isValidAccount checks the mail address and password and returns true if they are valid, false if they are not valid. It is the implementation's responsibility to derive the external system username from the mail address. In our case we can get away with using the part of the mail address that comes before the @.

Tricky! May have to alter or copy whizzy XML-based forms so that external users don't enter passwords.

Have to modify outbound email so that it doesn't send the password for external users.
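
The login decision built from the three calls described above, modelled in Python as an added example; it is not the Manila or mit.extAuth code, which is UserTalk. The function names, the username alphabet, the sample member table, the demo_check stand-in for the external password service, and the choice to enforce the SSL requirement only on external logins are all assumptions made for illustration.

```python
import hmac
import re

EXTERNAL_DOMAIN = "mit.edu"  # the domain named on the page
# Constructed sample data: one local member, plus a stale local password
# left behind for an address that is now authenticated externally.
LOCAL_MEMBERS = {"guest@example.org": "local-secret",
                 "alice@mit.edu": "old-local-pw"}
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # assumed username alphabet

def requires_ssl():
    """Stand-in for mit.extAuth.requiresSsl."""
    return True

def is_external(mail):
    """Stand-in for mit.extAuth.isExternal: exact, case-insensitive domain match."""
    local, sep, domain = mail.strip().rpartition("@")
    return bool(sep and local) and domain.lower() == EXTERNAL_DOMAIN

def external_username(mail):
    """The part of the address before the @, or None if it is not a clean username."""
    local = mail.strip().rpartition("@")[0]
    return local if USERNAME_RE.fullmatch(local) else None

def is_valid_account(mail, password, check):
    """Stand-in for mit.extAuth.isValidAccount; `check` is the external system."""
    user = external_username(mail)
    return user is not None and bool(password) and bool(check(user, password))

def login(mail, password, over_ssl, check):
    """Return 'external', 'local', or a refusal reason."""
    if is_external(mail):
        # External addresses never fall through to the local password table.
        if requires_ssl() and not over_ssl:
            return "refused: ssl required"
        if is_valid_account(mail, password, check):
            return "external"
        return "refused: bad credentials"
    stored = LOCAL_MEMBERS.get(mail.strip().lower())
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return "local"
    return "refused: bad credentials"

def demo_check(user, password):
    """Constructed stand-in for the external password service."""
    return hmac.compare_digest(f"{user}:{password}".encode(), b"alice:pw")
```

Matching the whole domain rather than a suffix keeps addresses such as alice@mit.edu.example.org and alice@notmit.edu on the local path, and an external address with a stale local password is refused rather than accepted locally.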