Shibboleth user registration

Hi all,

We have a potential issue regarding user registration via Shibboleth.
Any Shibboleth user can ask for a registration even when the following variables are set in seahub_settings.py:

# Enable or disable registration on web. Default is `False`.
ENABLE_SIGNUP = False

# Registration
ACTIVATE_AFTER_REGISTRATION = False

# Shibboleth activation
SHIB_ACTIVATE_AFTER_CREATION = False

As we don’t want all the Shibboleth federation users to ask for a registration on Seafile, we’d like a new option:

# Prevent Shibboleth users from asking for registration
SHIB_ENABLE_SIGNUP = False

Is it possible and easy to implement? This issue is quite urgent.

Regards,

Gautier


Hi Gauburtin,

I don’t understand what you mean by SHIB_ENABLE_SIGNUP. If Shibboleth users can’t ask for registration, how can a new user be added to your system?

We usually create user accounts directly from the Web Admin UI. For the future, we will open registration to all Shibboleth federation users.

Currently, if you add a user in the Admin UI with a password, the user can log in via both local login and Shibboleth. Is that right?

You’re right, but with Shibboleth login activated, any member of the Shibboleth Federation (that is, 100 K users…) can ask for registration while attempting to log in via Shibboleth, even if he has not been previously added to the Seafile users. Seafile then sends him a message indicating that there is a pending registration validation, and the administrator also receives a registration request. As we don’t plan (for the moment) to manage user registration with this process, we’d like to prevent Shibboleth users from logging in as long as the user account is not created in Seafile.

Regards

I suggest we summarize the feature requests by email. For features specific to your use case, I think it is better for this to be custom development work.

Hi,

why not allow Seafile to automatically create all accounts authenticated by Shibboleth and restrict access with a group membership?

# ---------------------------------------------
# Authentication
# ---------------------------------------------
AuthMerging And
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
    require shib-session
    # ---------------------------------------------
    # Restriction based on the affiliation attribute
    # ---------------------------------------------
    <RequireAny>
        require shib-attr affiliation employee@...
        require shib-attr affiliation staff@...
    </RequireAny>
    # ---------------------------------------------
    # Restriction based on the group attribute
    # ---------------------------------------------
    <RequireAny>
        require shib-attr group institute1
        require shib-attr group workgroup2
    </RequireAny>
</RequireAll>

In this way nothing has to be implemented in Seafile.
Best regards

Thomas
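
An added example, not part of Thomas's post and not Seafile or Shibboleth code: a simplified Python model of the Require tree above, for checking offline which sets of released attributes would pass before the rule is deployed. The example.org values are constructed stand-ins for the elided ones, and exact matching against `;`-separated attribute values is an assumption about how the SP delivers them.

```python
import re

# Rule from the post above; example.org values are constructed stand-ins
# for the elided "employee@..." ones.
RULE = """
<RequireAll>
    require shib-session
    <RequireAny>
        require shib-attr affiliation employee@example.org
        require shib-attr affiliation staff@example.org
    </RequireAny>
    <RequireAny>
        require shib-attr group institute1
        require shib-attr group workgroup2
    </RequireAny>
</RequireAll>
"""

def parse(text):
    """Turn nested <RequireAll>/<RequireAny> containers into a tree."""
    root = ("all", [])
    stack = [root]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<(/?)Require(All|Any)>", line, re.I)
        if m and m.group(1):
            stack.pop()
        elif m:
            node = (m.group(2).lower(), [])
            stack[-1][1].append(node)
            stack.append(node)
        else:
            stack[-1][1].append(("rule", line.split()[1:]))  # drop "require"
    return root

def allowed(node, session, attrs):
    """session: valid SP session? attrs: name -> ';'-separated values."""
    kind, body = node
    if kind == "rule" and body[0] == "shib-session":
        return session
    if kind == "rule":  # shib-attr <name> <value> [<value> ...]
        have = attrs.get(body[1], "").split(";")
        return session and any(v in have for v in body[2:])
    results = [allowed(child, session, attrs) for child in body]
    return all(results) if kind == "all" else any(results)

POLICY = parse(RULE)
```

A federation member with a valid session but no listed affiliation or group is rejected by this rule at the web server, before the request reaches Seafile.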

Hi, this is a good option, but our main concern is about account creation itself, which we don’t want to be automatic.
I’ll keep in touch with Daniel for that, considering that it is quite specific (but not so specific, I think).
Regards

Hi,
I’m curious: what could go wrong during the automatic creation of an account that you might prevent when creating it manually? The necessary checks could be done when an account is assigned to a group or affiliation.

Best regards

Thomas

Only the facts that:

  • a lot of potential users can ask for registration and that the result is, for all, no answer from the admin (it is not polite for potential users)
  • the admin receives a lot of useless emails

Regards

Hi,

if you fear useless requests for registrations, why enforce registration at all?

Let Shibboleth restrict access to your Seafile server by affiliations or a group membership as the first line of defence.

As an additional measure I would remove any right from the default role and assign special roles based on affiliations. In this way you don’t have to care about these additional accounts, because they can’t do anything except log into your server (and can easily be removed altogether if you want).

Best regards

Thomas

Hi @scheff,
Registration is OFF in the Seafile config files, but works through Shibboleth.

Thank you for the details, I understand the problem.

regards

Gautier
