Disable just in time provisioning for CAS auth


Genetha Smith

Aug 11, 2022, 2:38:42 PM
to archivematica
We have deployed CAS authentication with Archivematica but authentication is exceeding expectations by creating or auto-provisioning AM accounts for anyone who passes authentication. We only want authorization to succeed if the user already has an Archivematica account.

- How do we disable just in time provisioning to restrict authorization to pre-existing Archivematica users?
- Is this a 'feature' or is there a way to configure the application to reject users if they do not already exist in the local database?

Tessa Walsh

Aug 15, 2022, 10:08:21 AM
to archivematica
Hi Genetha,

You're correct that Archivematica will create a user account for anyone who authenticates successfully against the CAS server as a "feature". The clients I know about who use CAS restrict access to Archivematica on the CAS server side, e.g. through group membership, and only redirect users back to Archivematica after successfully authenticating on the CAS server if the CAS server recognizes them as having privileges to Archivematica. Not having managed a CAS server myself, I'm not sure how much more detailed I can get than that, but I hope it helps!

Tessa

Genetha Smith

Aug 22, 2022, 11:36:21 AM
to archivematica
Thanks for the reply Tessa.

All the other applications we've configured with SSO rely on CAS (or SAML2) for authentication only. Authorization is handled by the application.

Anyone know which file(s) can be customized or extended to first check to see if the authenticated user exists in the MySQL database before logging them in to AM?

Tessa Walsh

Aug 22, 2022, 12:00:16 PM
to archivematica
Hi Genetha,

The Storage Service's CAS integration uses django-cas-ng under the hood (https://djangocas.dev/docs/latest/configuration.html#cas-create-user-optional). You probably want to set django-cas-ng's CAS_CREATE_USER setting to False. You'll want to do that in the CAS auth portion of the Storage Service's settings file: https://github.com/artefactual/archivematica-storage-service/blob/ab64d17f8220428091699870f6a14ac8dc45136b/storage_service/storage_service/settings/base.py#L492-L553.

Hope that helps!
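The behaviour described above, as an added illustration that is not django-cas-ng's or Archivematica's own code: the CAS ticket check and the user table are constructed stubs, and `authenticate` models how a `CAS_CREATE_USER` flag decides between just-in-time provisioning and rejecting a user who has no pre-existing local account.

```python
"""Model of a CAS_CREATE_USER flag gating just-in-time provisioning.

Constructed illustration: ticket validation is stubbed and the user
table is an in-memory dict, so it runs without Django or a CAS server.
"""
from dataclasses import dataclass, field


@dataclass
class UserStore:
    """Stand-in for the local user table (constructed)."""
    users: dict = field(default_factory=dict)

    def get_by_natural_key(self, username):
        """Look up an existing account; None if absent."""
        return self.users.get(username)

    def get_or_create(self, username):
        """Return the account, creating it if missing (JIT provisioning)."""
        if username in self.users:
            return self.users[username], False
        self.users[username] = {"username": username, "is_active": True}
        return self.users[username], True


def validate_ticket(ticket):
    """Stub for the CAS ticket check: maps constructed tickets to usernames."""
    valid = {"ST-1-alice": "alice", "ST-2-bob": "bob"}
    return valid.get(ticket)


def authenticate(store, ticket, cas_create_user):
    """Return the local user record, or None when login must be refused.

    CAS only answers the authentication question (who is this?); whether
    that person is allowed into the application is decided here against
    the local user table.
    """
    username = validate_ticket(ticket)
    if username is None:
        return None  # CAS did not vouch for this ticket
    if cas_create_user:
        user, _created = store.get_or_create(username)  # auto-provision
    else:
        user = store.get_by_natural_key(username)  # pre-existing only
    if user is None or not user["is_active"]:
        return None
    return user
```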

Genetha Smith

Aug 22, 2022, 5:04:38 PM
to archivematica
That did the trick! I missed that setting when wading through all the documentation.

Thanks, Tessa!
