Joomla IdP Implementation


Stan
Dec 22, 2009, 7:45:40 AM
to simpleSAMLphp
I am forming a global online community of scientists (http://
scivocis.com/) that are not associated with a university or large
company. These scientists do not have online full text access to the
primary scientific literature and I am trying to change this.

I am pioneering a purchasing/access model different from that used
by universities and large corporations and need to implement an
identity provider solution so that my users can be authenticated by
major publishers such as Elsevier and Nature Publishing Group.
My current web site is based on Joomla.

I do not know PHP, am not comfortable on the command line and I am new
to authentication schemes. Do you think this is something I can do
myself or should I hire someone?

Any advice or guidance would be deeply appreciated.

Thank you very much,

--Stan
http://www.linkedin.com/pub/stanley-f-barnett/10/797/b56

Peter Schober
Dec 22, 2009, 8:16:40 AM
to simpleSAMLphp
* Stan <stan_b...@yahoo.com> [2009-12-22 13:45]:

> I do not know PHP, am not comfortable on the command line and I am
> new to authentication schemes. Do you think this is something I can
> do myself or should I hire someone?

At the very least you need to be able to use a text editor of some
kind and make changes to configuration files (that are PHP files
syntactically, but there is no programming involved for most
deployments).
If you have some time to spare you could try how far you get following
the available documentation for installation and configuration.
-peter

Peter Schober
Dec 22, 2009, 8:31:09 AM
to simpleSAMLphp
* Peter Schober [2009-12-22 14:16]:

> At the very least you need to be able to use a text editor of some
> kind and make changes to configuration files (that are PHP files
> syntactically, but there is no programming involved for most
> deployments).

With regard to the subject line specifically, you'd need to make sure
there already is integration code that makes Joomla into an IdP --
check the list's archives, there have been plenty of discussions about
SSP and Joomla.
Since being able to use the same credentials in your SSP IdP as used
for logging in to Joomla is probably not the integration you're
looking for (i.e. you're not getting a SSP IdP session automatically
by logging into Joomla), just using the 'sqlauth' module to reuse
Joomla's as an authentication (and later: attribute) source for SSP
will not suffice.

So on a second thought, unless all of this has been done already (by
others) and is properly documented and kept up to date, I guess your
time is better spent with other aspects of your already ambitious
endeavor.
-peter

Stan
Dec 22, 2009, 9:01:25 AM
to simpleSAMLphp
Thank you Peter,

I think I could do the install and configuration following the
excellent instructions available for this project.

You identified the area of most concern to me: how to integrate
with Joomla. I've put a fair amount of work into our Joomla website,
but could change if it made sense.

I have been in touch with Stefano Gargiula and he has an SP solution
for Joomla but not an IdP solution.
Also, I note there appears to be a solution for Drupal which I think
is very similar to Joomla.

Do you know anyone that might be willing to help on this project? I
have some funds available and, of course, would be willing to keep any
advances publicly available. I am trying to address a major literature
access gap and have made significant progress in discussions with
publishers. I would hate for the project to get stalled on purely
technical issues.



Hörbe Rainer
Dec 22, 2009, 9:44:49 AM
to simple...@googlegroups.com
Running an IdP for a single service is not very useful; being an IdP for many services requires a decent service level from the point of availability, and trustworthiness in general.
Maybe you could spare the effort and find someone in the eScience community who will donate an IdP service to your project, as additional self-registered users usually do not incur more cost, aside from SP configuration and a few CPU cycles. For users it might also be more beneficial to register in larger federations, with many services available.

Rainer
http://www.linkedin.com/profile?viewProfile=&key=31423729


Stan Barnett
Dec 22, 2009, 10:05:36 AM
to simple...@googlegroups.com
Thanks for your suggestion.

I'm not sure I understand if this would work or not.
I'll provide a specific example of what I envision our process would be:

A member of our community would register on our site and pay a fee to cover the cost of licensing access to Nature Publishing Group (NPG) Journals. I am currently doing this with Joomla, Community Builder and OSE Joomla Membership Control Manager.
The user would then access a specific journal article of interest to them. They would identify this article using a search engine (i.e. PubMed, ScienceDirect) or directly from the publisher's search engine. They would then request authentication using the publisher's SP and access.

I'm not sure joining another community or federation that has an existing IdP would work for this purpose as some payment bookkeeping is required.

I really appreciate all the input.

http://www.linkedin.com/pub/stanley-f-barnett/10/797/b56


--

You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlphp+unsub...@googlegroups.com.

Hörbe Rainer
Dec 22, 2009, 10:41:44 AM
to simple...@googlegroups.com
If I understand you right, you would like to have Web-SSO for your users with your Joomla CMS and the publishers' systems, also integrating the payment service in some way (presumably without SSO).

Questions: Payment bookkeeping is whose responsibility? (Publisher, CMS, payment provider?). What kind of payment plan do you need? Per view, or by subscription?

If payment is bound to transactions, identity is primarily bound to the payment, and beyond that only a light-weight id is needed for some personalization. Using "free" providers like Google/Yahoo/MySpace via SAML or OpenID would be good enough for your service. Then, a payment service like Amazon FPS/cybercash/etc. is required that will be responsible for user authentication and payment security.

If you provide a subscription model that entitles the user to access certain data for a period of time, an IdP of a decent quality is required, as you might be liable for the abuse of the IdP. Probably it would be good to have a contract with your publishers to limit your risk.

Rainer

Peter Schober
Dec 22, 2009, 10:54:54 AM
to simple...@googlegroups.com
* Hörbe Rainer <rai...@hoerbe.at> [2009-12-22 16:43]:

> If payment is bound to transactions, identity is primarily bound to
> the payment, and beyond that only a light-weight id is needed for
> some personalization. Using "free" providers like
> Google/Yahoo/MySpace via SAML or OpenID would be good enough for
> your service.

First I also thought about recommending the out-sourcing of IdP
operations to the many available offerings. But since the OP needs an
IdP for accessing online journals etc. (as well as accessing his own
SP, the Joomla site) any "open" IdP (either "open to all" or "open to
paying customers") will most probably not be able to assert current
membership status with the OP's virtual organization (which certainly
will be required by contract with the publishers).

So I think running an IdP (or at least: having access to an IdP --
virtual or hosted or whatever -- that allows you to maintain
data/attributes about your users) is required in any case.
-peter

Stan Barnett
Dec 22, 2009, 10:58:20 AM
to simple...@googlegroups.com
Thank you Rainer,

Yes, I think you understand. Your last sentence is a good summary.

I already have a registration and payment system set up (Joomla, Community Builder and OSE Membership Control Manager). Payment responsibility would be mine, not the publishers'. We have had much discussion on the payment model as this is key to success, but for now full access for payment seems the easiest.
 
http://www.linkedin.com/pub/stanley-f-barnett/10/797/b56


Stan
Dec 23, 2009, 11:39:26 AM
to simpleSAMLphp
Thanks for all the advice.

Based on my reading, it seems like simpleSAMLphp is probably the
easiest way for me to achieve my goal (please correct me if you
disagree).

And unless I can find someone that will do it for me at a modest
price, I will try to do it myself. I thank this community in advance
for your help.

1) I have managed to install SSP on my shared server.

2) And now following the SimpleSAMLphp Identity Provider QuickStart:

3) I enabled the Identity provider functionality by editing config/
config.php.

'enable.saml20-idp' => true,
'enable.shib13-idp' => true,

4) I have tentatively decided I need to use the sqlauth:SQL
(Authenticate a user against a database) authentication module. My
users are stored in MySQL tables (Joomla).

5) The next step appears to be: modify sqlauth.

Help Needed:
a) Before I start modifying sqlauth, it seems like I should plan how I
am going to test the module. I'm guessing this is going to require a
fair amount of trial and error.
b) Are there any instructions or guidance on how to make the
modifications?

Thanks,

--Stan

Peter Schober
Dec 23, 2009, 12:54:33 PM
to simpleSAMLphp
* Stan <stan_b...@yahoo.com> [2009-12-23 17:39]:

> 4) I have tentatively decided I need to use the sqlauth:SQL
> (Authenticate a user against a database) authentication module. My
> users are stored in MySQL tables (Joomla).

As pointed out before, all this will allow (if it works; this probably
depends on the way Joomla stores passwords in the DB) is making use of
the same username and password people use to log in to your Joomla
site.
They will still need to log in (provide their credentials to two
different HTML forms) twice for both applications (the Joomla site and
the SSP IdP) -- there is no SAML or SSO involved here.
*Unless* you also SAML-enable your Joomla instance (as a Service
Provider). Then /all/ logins will go through the SSP IdP (Joomla as
well as online journal providers), where the IdP just happens to use
Joomla's db for authentication.
You should then be able to create and manage all accounts within
Joomla (I would expect).

> 5) The next step appears to be: modify sqlauth.

If Joomla stores passwords as a hash (sha1 or md5) or uses MySQL's
PASSWORD() function for that, this should be rather simple (probably
no modifications needed at all, but I didn't look at sqlauth's code),
possibly re-using any strings Joomla may have used to "salt" the
hashes.
If Joomla does anything fancy with storing passwords, your best bet
will probably be to use its authentication API from within SSP's auth
source (if Joomla has such a thing). You'd then probably start with
asking the Joomla community how to authenticate against stored
passwords via PHP.

cheers,
-peter
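Peter's point that sqlauth only works if the query reproduces Joomla's own password hashing, worked through as an added example (not code from the thread, from simpleSAMLphp or from Joomla): a pure-PHP check of one stored hash, followed by the equivalent sqlauth query for config/authsources.php. It assumes the Joomla 1.5-era storage format md5(password . salt) . ':' . salt in a jos_users table, a default "jos_" table prefix, and placeholder DSN and database credentials.

```php
<?php
// Added example, not code from the thread, simpleSAMLphp or Joomla.
// Assumption: Joomla 1.5-era storage format in jos_users.password:
//   md5(password . salt) . ':' . salt   (older rows may be a bare md5)
// Verify the format in your own table before relying on this.

// Pure-PHP check of one stored hash, handy for testing the logic in a
// throwaway script before touching the SSP configuration.
function joomlaPasswordMatches(string $stored, string $candidate): bool
{
    $parts = explode(':', $stored, 2);
    $hash  = $parts[0];
    $salt  = $parts[1] ?? '';            // bare md5 rows carry no salt
    $computed = md5($candidate . $salt);
    return hash_equals($hash, $computed); // constant-time comparison
}

// Constructed sample row: password "secret", salt "abc".
$sampleStored = md5('secret' . 'abc') . ':abc';
var_dump(joomlaPasswordMatches($sampleStored, 'secret'));
var_dump(joomlaPasswordMatches($sampleStored, 'wrong'));

// The same check as the sqlauth query for config/authsources.php. sqlauth
// treats the login as successful only when the query returns a row, and the
// selected columns become the user's SAML attributes. The IF() keeps
// bare-md5 rows working by treating a missing ':' as an empty salt.
// DSN and database credentials below are placeholders.
$config['joomla-sql'] = [
    'sqlauth:SQL',
    'dsn'      => 'mysql:host=localhost;dbname=joomla',
    'username' => 'ssp_readonly',   // read-only DB user for the IdP
    'password' => 'CHANGE-ME',
    'query'    => 'SELECT username AS uid, name AS displayName, email AS mail '
                . 'FROM jos_users '
                . 'WHERE username = :username AND block = 0 '
                . "AND SUBSTRING_INDEX(password, ':', 1) = MD5(CONCAT(:password, "
                . "IF(LOCATE(':', password) = 0, '', SUBSTRING_INDEX(password, ':', -1))))",
];
```

Restricting the row to block = 0 keeps accounts that Joomla has blocked from obtaining an IdP session, which matters once the IdP asserts membership to publishers.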
