Jul 16
2009

Glow(Shibboleth) and Joomla

Posted by: ben


I am currently wrestling with the problem of how to authenticate users in the Joomla CMS through Glow. Glow acts as a Shibboleth Identity Provider which the Joomla site should trust to authenticate its users. Joomla has a nice open extendible authentication mechanism and Shibboleth has a nice open interface, so this should be easy, right? Er, well, no, and that probably explains why there isn't a nice Joomla plugin ready for me to download from the extension site.

There are two fundamental differences in philosophy between the two systems:

  1. Joomla expects to collect authentication details from a user and pass them to an external authenticator, whereas Shibboleth expects the application to pass control to it whilst it authenticates a user (including collecting username and password) before passing control back to the web application. So, how to avoid showing a username and password input box unnecessarily? Well, you need to override the Joomla User component in the template. This is one level better than hacking the Joomla core, but is still far from ideal.
  2. Joomla requires all users to have unique email addresses (this is new in Joomla 1.5) and whilst this seems a perfectly reasonable thing to require, integration with external authenticators shows this to be naive. It wouldn't be a problem, I guess, if we were only interested in authentication, but if we want to automatically create Joomla user accounts for the users that are authenticated through Glow, then it is a problem. We want to do this to allow users to personalise their settings, but Glow doesn't release email addresses. So, do I have to hack Joomla to bypass the unique email requirement, or do I force Glow users to input an email address, which they may not be happy to do? Neither is good.

So, what compromises should I make and how best can we package up these changes for use by other Joomla - Shibboleth systems?

Maybe I'll leave this till next week and see if a more elegant solution presents itself.
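One possible compromise for the second point, as an added example that is not code from the original post, from Joomla or from Glow: derive a stable, unique placeholder address from the identifier the IdP does release, so the unique-email rule is met without asking the user for an address. The function name, the returned field names, the `glow.invalid` domain and the attribute names `persistent-id` and `mail` are assumptions about the deployment; PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; function and field names are hypothetical, not Joomla or Glow APIs.

/**
 * Build local account fields from the attributes a Shibboleth SP exports
 * to the request environment. $env is normally $_SERVER.
 */
function account_from_shib(array $env, string $siteSecret): ?array
{
    // Assumption: the SP's attribute map exports these names; adjust to the deployment.
    $id = $env['persistent-id'] ?? $env['REMOTE_USER'] ?? '';
    if ($id === '') {
        // No Shibboleth session: hand control to the IdP, show no password box.
        return null;
    }

    // Keyed hash: stable per user, distinct per identifier, and it keeps the
    // raw identifier out of the local user table.
    $handle = substr(hash_hmac('sha256', $id, $siteSecret), 0, 32);

    $mail = $env['mail'] ?? '';
    $released = filter_var($mail, FILTER_VALIDATE_EMAIL) !== false;

    return [
        'username' => 'shib_' . $handle,
        // .invalid is a reserved TLD (RFC 2606), so a placeholder never receives mail.
        'email' => $released ? $mail : $handle . '@glow.invalid',
        'email_is_placeholder' => !$released,
    ];
}

// Constructed sample environments (not real Glow data).
$secret = 'constructed-demo-secret';
$withoutMail = ['persistent-id' => 'https://idp.example.org/idp!https://cms.example.org/sp!a1b2c3'];
$withMail = $withoutMail + ['mail' => 'pupil@school.example'];

var_dump(account_from_shib($withoutMail, $secret)); // placeholder address is used
var_dump(account_from_shib($withMail, $secret));    // released address is used
var_dump(account_from_shib([], $secret));           // NULL: no session
```

These values should only be trusted when the SP module sets them as server environment variables, not when they could arrive as client-supplied HTTP headers. Any feature that sends mail, such as password reminders or notifications, has to skip accounts flagged as placeholders.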

 

Comments (1)
Check out my saml2 extension for Joomla
written by Stefano, April 15, 2010
I wrote an extension to make this possible: the concept is introducing a custom login module (that will be a discovery service or a simple button depending on the number of IdPs of your federation) and using it instead of the standard Joomla login box. The extension is using simpleSAMLphp as SAML2 backend (all is embedded into the extension, and I tested it with Shibboleth2 IdP with no problems).