About Indico Using Shibboleth to manage rights of external groups

Now that we have completed SSO authentication using Shibboleth, we need to implement permission management for the external group so that we can view the corresponding meeting. Unfortunately, we did not find where to change the code.

You need to connect Indico, e.g. to your LDAP server, to use external groups.

Can’t you use Shibboleth group relationships to manage external group permissions? Can LDAP be used to manage group permissions after Shibboleth SSO authentication is completed?

No, because Indico expects real-time access to group info (i.e. NOT just during login).

You’d usually set things up so Shibboleth provides the unique user name and then the details are looked up in LDAP. We’re explaining how to do that in Authentication — Indico 3.1 documentation; adapting it to Shibboleth instead of native SAML wouldn’t be too hard (in fact we did that in the past before switching to OAuth).

Sorry, I don’t understand that question… did you check the parts on LDAP in our documentation?

Excuse me. In version 1.2, we wrote ShibbolethAuthentication.py modelled on LdapAuthentication.py to implement external group permission management. However, in version 3.1, Indico uses Flask-Multipass and it is not clear how to implement external group management. You said before that we can use LDAP to manage external groups. Do you have specific configuration methods or documents?

I don’t have an example config (since it’s been a LONG time since we used this setup), but some pointers that should help you set it up:

  • use shibboleth (or saml) as the AUTH_PROVIDERS
  • configure ldap in IDENTITY_PROVIDERS
  • use PROVIDER_MAP to connect the two so the ldap identity provider receives the user’s unique identifier (note that you MUST get an identifier known in ldap from shibboleth; anonymous/pseudonymous identifiers will NOT work)

For the general shibboleth/saml/ldap config you can find info in Authentication — Indico 3.1 documentation; near the bottom there’s also an example for the PROVIDER_MAP.
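A worked indico.conf fragment for the three pointers in the reply above, as an added example that is not from the thread, from the Indico documentation, or from Flask-Multipass itself. The setting names (`type`, `attrs_prefix`, `callback_uri`, the `ldap` sub-keys, `PROVIDER_MAP` with an `identifier` mapping) follow the Indico/Flask-Multipass configuration format; the provider names `shib-sso` and `my-ldap`, the hostname, the DNs, the bind account and the attribute name `ADFS_LOGIN` are assumptions to be replaced with your own. The helper `ldap_lookup_key` is a plain-Python illustration of the mapping step, showing which Shibboleth attribute becomes the LDAP lookup key and what happens when the IdP only releases a pseudonymous identifier:

```python
# Added example: indico.conf fragment wiring Shibboleth (AUTH_PROVIDERS) to LDAP
# (IDENTITY_PROVIDERS) through PROVIDER_MAP, plus a helper that traces the mapping.
# Not code from the thread, Indico or flask-multipass. Provider names, hostnames,
# DNs, the bind account and the attribute name ADFS_LOGIN are assumptions.

AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        # the Shibboleth SP exports attributes into the WSGI environ with this prefix
        'attrs_prefix': 'ADFS_',
        'callback_uri': '/login/shib-sso/shibboleth',
    },
}

IDENTITY_PROVIDERS = {
    'my-ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': {
            'uri': 'ldaps://ldap.example.com:636',  # assumption: LDAPS, not plain ldap://
            'bind_dn': 'cn=indico,ou=service,dc=example,dc=com',
            'bind_password': 'changeme',           # assumption: read-only service account
            'timeout': 30,
            'verify_cert': True,                   # False would disable TLS certificate validation
            'uid': 'uid',                          # attribute the Shibboleth identifier is matched against
            'user_base': 'ou=people,dc=example,dc=com',
            'user_filter': '(objectClass=person)',
            'gid': 'cn',
            'group_base': 'ou=groups,dc=example,dc=com',
            'group_filter': '(objectClass=groupOfNames)',
            'member_of_attr': 'memberOf',
            'ad_group_style': False,
        },
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
        },
        'trusted_email': True,
        'default_group_provider': True,  # external groups in Indico resolve through this provider
    },
}

PROVIDER_MAP = {
    # after a successful 'shib-sso' login, look the user up in 'my-ldap' using the
    # value of the ADFS_LOGIN attribute as the identifier (matched on the 'uid' attribute)
    'shib-sso': [
        {'identity_provider': 'my-ldap', 'mapping': {'identifier': 'ADFS_LOGIN'}},
    ],
}

# constructed sample of what the Shibboleth SP put into the environment for one login
SAMPLE_SHIB_ATTRS = {
    'ADFS_LOGIN': 'jdoe',
    'ADFS_EMAIL': 'jdoe@example.com',
    'ADFS_FIRSTNAME': 'Jane',
}


def ldap_lookup_key(auth_provider, shib_attrs):
    """Return [(identity_provider, ldap_attribute, value), ...] for the LDAP lookups
    implied by PROVIDER_MAP, given the attribute dict a Shibboleth login produced.

    Illustration of the mapping step only, not flask-multipass code. Raises KeyError
    when Shibboleth did not release the mapped attribute, which is the situation the
    reply warns about: a transient or pairwise identifier is not a name LDAP knows.
    """
    prefix = AUTH_PROVIDERS[auth_provider]['attrs_prefix']
    lookups = []
    for link in PROVIDER_MAP[auth_provider]:
        idp_name = link['identity_provider']
        source_attr = link['mapping']['identifier']
        if not source_attr.startswith(prefix):
            raise ValueError(f'{source_attr!r} is not a {prefix}* attribute')
        value = shib_attrs.get(source_attr)
        if not value:
            raise KeyError(f'Shibboleth did not release {source_attr}; cannot look the user up in LDAP')
        ldap_attr = IDENTITY_PROVIDERS[idp_name]['ldap']['uid']
        lookups.append((idp_name, ldap_attr, value))
    return lookups


if __name__ == '__main__':
    print(ldap_lookup_key('shib-sso', SAMPLE_SHIB_ATTRS))
```

The attribute named in `PROVIDER_MAP` must be the one your IdP releases as the stable login name (the same value stored in the LDAP `uid` attribute here); if the IdP only sends a transient or pairwise identifier, the lookup has nothing to match and the helper above raises, which is the failure the reply describes.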