When setting up VCL affiliations to use Shibboleth authentication, the conf.php
file instructs an admin to set the affiliationid value to zero. For example:
    $authMechs = array(
        ...
        "My Shib Affiliation" => array(
            "type" => "redirect",
            "URL" => "...",
            "affiliationid" => 0),
    );
Even though, for instance, the corresponding `vcl.affiliation.id` value in the
database is some positive integer.
In looking through the code, it seems that the only purpose this serves is to
block access to the XMLRPC interface: in the utils.php:checkAccess() function
(lines 360-365), the loop that compares the $user['affiliationid'] with
$authmech['affiliationid'] will never find a match, and so the request is
aborted at that point.
My interest, however, is precisely to provide access to the XMLRPC interface
*on behalf* of Shibboleth users. The key point here is *on behalf of*, since
neither the VCL nor the application using the remote API knows anything about a
user's actual password. The use case is a Moodle block that makes use of this
remote API.
Using version 2.3, and with minimal modification to utils.php, I am able to
allow an admin to define a "proxy authentication handler" in conf.php, limiting
access only to certain "trusted" servers and requiring a particular
authentication token. This structure, however, depends on configuring
$authMechs with the proper "affiliationid" value.
My question, though, is whether setting a "correct" affiliationid in conf.php
has implications that I haven't considered.
Thanks,
Aaron
--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
[email protected]
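As an added illustration (not Apache VCL's own code, and not the utils.php modification the post describes), the following PHP sketches the kind of check the post is talking about: an XMLRPC call made on behalf of a user is allowed only when the user's affiliation matches a configured $authMechs entry, the calling server is on an explicit allowlist, and a shared token matches in constant time. The "trustedServers" and "token" keys, the checkProxyAccess() function and the sample values are assumptions made for this example.

```php
<?php
// Added example, not Apache VCL's own code. The "trustedServers" and "token"
// keys, the function name and all sample values are assumptions.

// Constructed sample configuration, in the shape of conf.php's $authMechs.
$authMechs = array(
    "My Shib Affiliation" => array(
        "type"           => "redirect",
        "URL"            => "https://idp.example.edu/...",  // placeholder
        "affiliationid"  => 3,  // would have to equal vcl.affiliation.id for this affiliation
        "trustedServers" => array("192.0.2.10"),            // documentation address range
        "token"          => "REPLACE-WITH-A-LONG-RANDOM-SECRET",
    ),
);

/**
 * Decide whether an XMLRPC call made on behalf of $user may proceed.
 *
 * @param array  $user       array with an 'affiliationid' key (as loaded from the DB)
 * @param array  $authMechs  configured mechanisms, as above
 * @param string $remoteAddr address of the calling server
 * @param string $token      token presented by the calling server
 * @return bool
 */
function checkProxyAccess(array $user, array $authMechs, $remoteAddr, $token) {
    foreach ($authMechs as $name => $authmech) {
        // Same comparison the post describes: a configured affiliationid of 0
        // never equals a real (positive) vcl.affiliation.id, so nothing matches
        // and access is denied. Cast both sides so a DB string "3" still matches.
        if ((int)$user['affiliationid'] !== (int)$authmech['affiliationid']) {
            continue;
        }
        // Only explicitly listed servers may act as a proxy for this affiliation;
        // an entry without an allowlist grants no proxy access at all.
        if (empty($authmech['trustedServers']) ||
            !in_array($remoteAddr, $authmech['trustedServers'], true)) {
            return false;
        }
        // Constant-time comparison so the token cannot be guessed byte by byte.
        return hash_equals($authmech['token'], (string)$token);
    }
    return false; // no affiliation matched
}

// Usage with constructed input: first call is allowed, second is refused
// because 198.51.100.5 is not on the allowlist.
$user = array('affiliationid' => '3');
var_dump(checkProxyAccess($user, $authMechs, '192.0.2.10', 'REPLACE-WITH-A-LONG-RANDOM-SECRET'));
var_dump(checkProxyAccess($user, $authMechs, '198.51.100.5', 'REPLACE-WITH-A-LONG-RANDOM-SECRET'));
```

The point of the sketch is that once a real affiliationid is configured, the affiliation comparison alone no longer blocks the XMLRPC path, so the server allowlist and the token check are what stand between the remote API and anyone who can reach it; both belong in the same function so that neither can be skipped.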