Sharing Auth


zm

Mar 21, 2019, 9:50:54 AM
to web2py-users
I'm trying to determine the best approach to an issue, and would appreciate feedback.

In an enterprise environment with multiple web2py applications, we need a way to manage users / groups.  We utilize AD for authentication, and operating in Python 2.7 we are able to use AD and retrieve AD groups.  We are running into issues with Python 3 in the same setup, and would prefer to have a single web2py instance handle authentication and group membership for all web2py applications to avoid code / resource duplication.

I am envisioning three potential solutions and all seem ugly, so I hope I am just missing something obvious.
1 - Create a single web2py app and use it as a CAS provider.  The issue is that CAS doesn't share group membership, so we would need to develop a mechanism to load an extra field in auth_user with the groups the user is a member of, then update those groups in the consumer, and after login, populate the consumer's auth_group and auth_membership.  This is cumbersome, and would result in auth tables spread across several databases, which has a smell.
2 - Have all web2py applications handle auth on their own.  The issue is that the code around auth (the login page view, settings, etc) will end up being shared a bunch, and like the first solution, auth tables are spread all over.
3 - Use a shared auth database.  This solves the issue of auth tables spread across tons of databases from 1 and 2.  If we use CAS to point to a single web2py CAS provider, will we run into any issues with a shared database?  This might be the ideal solution, but it seems likely to have small random bugs related to sharing an auth database.

Anthony

Mar 21, 2019, 11:52:48 AM
to web2py-users

zm

Mar 22, 2019, 9:25:06 AM
to web2py-users
In a test environment, I've set up the following:

1 - Domain Controller Running AD
2 - Web2Py CAS Provider
3 - Web2Py CAS Consumer

- The provider (#2) is able to get groups from #1, and updates them automatically.
- The consumer (3) is using the provider (2) as a CAS provider.  This works fine.
- The consumer (3) and the provider (2) are sharing an authdb, which I had hoped would give the consumer access to the groups of the provider.

The issue is that when a user logs into the consumer, the consumer adds a new user into auth_user, so every user has two auth_user records.  The first record from the provider is associated with groups, while the second is not, as it is coming from the consumer, and has no idea what groups the provider knows about.

With all that said, I'm hoping there is still a solution.  At a high level, I need to support the following:
- Authenticate via AD (already done)
- Get groups from AD (already done)
- Get groups to all consumers (possible if we skip the provider and just have the consumer connect to AD, but that breaks other functionality)
- Single sign on to web2py apps (works, but breaks groups as web2py cas doesn't transfer group membership)

The last two items are really the sticking point: I need single sign on and groups.  In reviewing the underlying code for cas_auth.py, I see that it doesn't support passing member_of, which CAS 2.0 appears to support.  Even if it did support group membership, applying those changes to auth would be a fairly major change.  Any thoughts on ways to get around these limits?
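As an added illustration (not web2py's code, nor anything from this thread), here is what a consumer would have to do if the provider's CAS serviceValidate response did carry group membership: parse the `cas:memberOf` attributes, then compute which auth_membership rows to add and which to revoke so the consumer mirrors the provider. The XML below is constructed, and a provider emitting `cas:memberOf` is an assumption, since the thread notes stock cas_auth.py does not pass it.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a CAS 2.0-style serviceValidate response in which the
# provider has added memberOf attributes (an assumption; stock web2py does not).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>CN=App-Admins,OU=Groups,DC=example,DC=local</cas:memberOf>
      <cas:memberOf>CN=Staff,OU=Groups,DC=example,DC=local</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response: a bad or replayed ticket must never yield a login.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return (username, set of AD group CNs) or None if validation failed."""
    # For untrusted input in production, parse with defusedxml instead of ET.
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None  # authenticationFailure or unexpected shape: not logged in
    user = success.findtext("cas:user", namespaces=CAS_NS)
    groups = set()
    for el in success.findall("cas:attributes/cas:memberOf", CAS_NS):
        # Keep only the CN of the distinguished name, e.g. "App-Admins".
        first = (el.text or "").split(",", 1)[0].strip()
        if first.upper().startswith("CN="):
            groups.add(first[3:])
    return user, groups


def membership_diff(current, desired):
    """Groups to add to, and remove from, the consumer's auth_membership so it
    mirrors what the provider asserted; groups no longer asserted are revoked."""
    return sorted(desired - current), sorted(current - desired)
```

The important property is that the consumer looks up the existing auth_user row by the asserted username before applying the diff, rather than inserting a second record as described above.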

Anthony

Mar 22, 2019, 10:37:15 AM
to web2py-users
You would either share an auth database or use CAS, not both.

zm

Mar 22, 2019, 2:27:45 PM
to web2py-users
Without CAS, it doesn't seem to be possible to share a single sign on, unless sharing the session via masterapp, correct?

It looks like when CAS was added there was some talk of transferring group membership.