(Under construction)
Background and Motivation
Currently users may use multiple external authentication modules (webaccess/ExternalAuth) for logging in to Invenio, provided that all the modules return the same email address to Invenio. However, some users have accounts at multiple institutes that support different user authentication technologies and, above all, provide different user attributes such as email addresses. So, from Invenio's point of view, John Doe authenticated by CERN is a different user from John Doe authenticated by SLAC, even though both accounts belong to the same person.
Users should have the possibility to use multiple external authentication modules to access their single Invenio user account. This would also make it easier to support novel identity management technologies like OpenID and certain SAML profiles (e.g. persistent identifiers) in the future, if and when they are considered useful.
New use case
John Doe has an account at both CERN and SLAC. He has been using Invenio with CERN SSO, but now he'd like to use SLAC authentication for the first time.
From the login page, he can click "SLAC account login" to be authenticated by SLAC's systems. After successful authentication, Invenio notices that he is a new user. Instead of registering as a new user, he can choose to link the new account to an existing one. This is achieved by prompting him to log in with an authentication method he has been using so far (CERN SSO in this case). After successful authentication at CERN, Invenio can link the SLAC method to the same user, since he was able to log in with both of them.
In his next session, John Doe can select both CERN and SLAC logins to obtain access to the same Invenio account.
Required modifications
(Incomplete) list of required modifications:
user table in the database
At the moment, Invenio's user database table consists of the following fields:
- id (auto-incremented primary key)
- email (key)
- password
- note
- settings
- nickname (key)
- last_login
There should be a one-to-many (user -> identifiers) relation holding multiple "login identifiers", each possibly consisting of information like
johndoe/slac-webauth. In this case the first part would refer to the REMOTE_USER variable set by the Apache mod_webauth module protecting the SLAC login location.
Another example could be
johndoe/cern-sso (the HTTP_ADFS_LOGIN Apache environment variable set by Shibboleth at CERN).
ExternalAuth modules
TODO
Account linking functionality
The page(s) for linking the new authentication method to an existing account.
Account delinking functionality
Users should be able to manage (delete) their account links, e.g. on the "Your settings" page.
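The table layout, the linking flow from the use case and the delinking step above, as an added example that is not Invenio code: a self-contained Python sketch over an in-memory SQLite database. The table and column names (user_login_identifier, method, remote_id), the short-lived single-use link token that ties the unknown identifier to the session in which it was seen, and the rule that the last remaining login identifier cannot be removed are all assumptions of the example, not part of this page. It also exercises the checks the linking step needs: the proof of ownership must come from a method already linked to an account, a replayed token fails, and an expired request fails.

```python
import secrets
import sqlite3
import time

SCHEMA = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    email    TEXT UNIQUE NOT NULL,
    nickname TEXT UNIQUE NOT NULL
);
CREATE TABLE user_login_identifier (             -- one row per external login identifier
    id_user   INTEGER NOT NULL REFERENCES user(id),
    method    TEXT NOT NULL,    -- ExternalAuth module, e.g. 'cern-sso' or 'slac-webauth'
    remote_id TEXT NOT NULL,    -- REMOTE_USER / HTTP_ADFS_LOGIN value seen by that module
    UNIQUE (method, remote_id)  -- an identifier belongs to at most one account
);
"""


class LinkError(Exception):
    """Raised when a link or unlink request must be refused."""


class AccountStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.pending = {}  # link token -> (method, remote_id, expiry), awaiting proof

    def register(self, email, nickname, method, remote_id):
        uid = self.db.execute("INSERT INTO user(email, nickname) VALUES (?, ?)",
                              (email, nickname)).lastrowid
        self.db.execute("INSERT INTO user_login_identifier VALUES (?, ?, ?)",
                        (uid, method, remote_id))
        return uid

    def lookup(self, method, remote_id):  # authenticated external identifier -> user id, or None
        row = self.db.execute("SELECT id_user FROM user_login_identifier "
                              "WHERE method = ? AND remote_id = ?", (method, remote_id)).fetchone()
        return row[0] if row else None

    def begin_link(self, method, remote_id, ttl=300):
        """Step 1: the new method authenticated the user but the identifier is unknown."""
        if self.lookup(method, remote_id) is not None:
            raise LinkError("identifier already belongs to an account")
        token = secrets.token_urlsafe(16)  # short-lived, single-use, bound to this session
        self.pending[token] = (method, remote_id, time.time() + ttl)
        return token

    def complete_link(self, token, proven_method, proven_remote_id, now=None):
        """Step 2: the same session re-authenticated with an already linked method."""
        entry = self.pending.pop(token, None)  # pop first so a replayed token cannot succeed
        if entry is None:
            raise LinkError("unknown or already used link token")
        method, remote_id, expiry = entry
        if (time.time() if now is None else now) > expiry:
            raise LinkError("link request expired")
        uid = self.lookup(proven_method, proven_remote_id)
        if uid is None:
            raise LinkError("proof must come from a method already linked to an account")
        self.db.execute("INSERT INTO user_login_identifier VALUES (?, ?, ?)",
                        (uid, method, remote_id))  # UNIQUE constraint rejects a duplicate
        return uid

    def identifiers(self, uid):
        return sorted(self.db.execute(
            "SELECT method, remote_id FROM user_login_identifier WHERE id_user = ?", (uid,)))

    def unlink(self, uid, method, remote_id):
        """Delinking from the settings page; keeping one identifier is an assumption, not page text."""
        if len(self.identifiers(uid)) <= 1:
            raise LinkError("cannot remove the last login method")
        cur = self.db.execute("DELETE FROM user_login_identifier WHERE id_user = ? "
                              "AND method = ? AND remote_id = ?", (uid, method, remote_id))
        return cur.rowcount == 1


def refused(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
        return False
    except LinkError:
        return True


def demo():
    store = AccountStore()  # constructed sample identifiers, not real CERN/SLAC account names
    uid = store.register("john.doe@example.org", "johndoe", "cern-sso", "johndoe")
    token = store.begin_link("slac-webauth", "jdoe")            # first SLAC login: unknown
    linked = store.complete_link(token, "cern-sso", "johndoe")  # CERN login proves ownership
    stale = store.begin_link("other-idp", "jd")
    return {
        "same_account": linked == uid == store.lookup("slac-webauth", "jdoe"),
        "replay_rejected": refused(store.complete_link, token, "cern-sso", "johndoe"),
        "expiry_enforced": refused(store.complete_link, stale, "cern-sso", "johndoe", now=time.time() + 3600),
        "unlinked_cern": store.unlink(uid, "cern-sso", "johndoe"),
        "last_kept": refused(store.unlink, uid, "slac-webauth", "jdoe"),
        "remaining": store.identifiers(uid),
    }
```

Calling demo() walks through John Doe's session: the SLAC identifier is parked, CERN SSO proves ownership, both identifiers then resolve to the same account, and the delinking step removes the CERN identifier while refusing to drop the last one. The token is popped before any other check so that a second submission of the same link request can never attach an identifier to an account.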