Account management questions

Hi,

I have a few questions about account management in Indico.

I implemented two types of accounts :

  • Local accounts (provisioned by Admin and self-registered)
  • Shibboleth accounts (self-registered after authentication + add email address)

I wonder if it is possible to use alternately Shib or local authentication for the same user
(when id = eppn = email).

The idea is to let the Admin do the local provisioning and give rights and groups to users:

  • The admin uses the eppn = email as the user id
  • The user logs in by Shibboleth

I saw that there is an option in account management to link a local account to an external SSO account.
But I'm not sure it is the best way to achieve that (I'm aware of the consequences).
I'm afraid that user management is a forward process in which actions can't be undone.

Other questions are:

  • is it possible to delete an account? By the admin or the user itself?
  • what are the constraints when the account is linked to an event?
  • is it possible to reverse a merge action between two or more accounts (that links a local account to an external SSO account)?
  • is it possible to display all the accounts (without a search action)?

Regards,

Gautier

First of all, Indico has two parts related to users:

  • Users/profiles - that’s what you see in Indico when you e.g. search for a user. It’s what gets referenced when a user is added in an event etc.
  • Accounts/identities - a user can have more than one, and they link the user to a local account or a SSO account. It is not related to events at all.

Merging users is an irreversible operation that can only be done by an Indico admin. This never happens automatically but if due to a SSO+local login with different email addresses a person has two Indico users, merging them is recommended.

If you logged in through SSO and use the “create local account” option in your profile settings, it simply adds a username/password pair to your Indico user so you can use this to log in as well. If you have a user with just a local Indico account (username/password), the only way of linking it is making sure the email provided by SSO is already added to the Indico user, and then simply logging out and using SSO to log in again. You will then be prompted to link the SSO login to your existing Indico user.

About your other questions:

  • No, users cannot be deleted as they may be linked to many different things.
  • I’m not sure what you mean with “linked to an event” - an Indico user is never linked to one event. However, once a user is involved with an event (registered, speaker, created it, in the ACL, etc.) there is a reference to that user. This is usually internal, but of course some references will be removed when removing the user e.g. from the event’s ACL.
  • See my explanation above
  • No, we currently do not support listing all users. However, by doing a non-exact search for the email address @ you will get all users. This is also possible on the command line using indico user search --substring --email '@'

Hi,

Thank you very much for your detailed explanation.
My understanding of users and accounts management is more precise now.

But I still wonder how to log in with Shibboleth for an existing account.

My personal account has already been created.

But if I log in with Shibboleth, I still have to fill in the email form,
and Indico answers that this address already exists.

I might have done something wrong with this account…

I’m also aware of privacy when you mention that an account cannot be deleted.
Considering accounts as personal data, it could be difficult to comply with the General Data Protection Regulation that will apply in all EU countries in May 2018.

Regards,

Gautier

But if I log in with Shibboleth, I still have to fill in the email form

Is the email address provided by your Shibboleth login already associated with your account? Also, you might want to set the trusted_email flag on the shibboleth identity provider in indico.conf unless your SSO server really doesn’t provide emails known to actually belong to the user.

I’m also aware of privacy when you mention that an account cannot be deleted.
Considering accounts as personal data, it could be difficult to comply with the General Data Protection Regulation that will apply in all EU countries in May 2018.

We are looking into this as well, and depending on what needs to be done there we may add e.g. an option to anonymize an account (remove all emails). The name can already be changed so the only kind of personal data you cannot remove yourself from your account is the last email address.

The 'trusted_email' flag is already set to True.

Yes, it is the principal address of the user and I cannot add the same one twice.

But if I start from blank, the process works:

  • Shibboleth login
  • Add email (even with ‘trusted_email’ set to True)
  • Approve by the admin
  • Account created (external, not local)

I think I made a mess between local and SSO accounts!

I also have many problems with some of my IdPs (11 IdPs in one federation).

The login process fails:

Identifier missing in shibboleth response

In these cases, the eppn is not sent by the IdP, but it is weird. I’ll look into it.

Is there any cache on the indico.conf?

Because I can’t change the config!

IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fédération Campus Condorcet',
        'identifier_field': 'eppn',
        'moderated': True,
        'mapping': {
            #'affiliation': 'supannEtablissement',
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'email',
            #'phone': 'ADFS_PHONENUMBER'
        },
        'trusted_email': True
    }
}

Even after a reboot, the SSO button is still named “SSO”.
It should be named “Fédération Campus Condorcet”,
whereas the moderation option is taken into account.

Thank you for your answer about privacy concerns. Do your best!
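An added illustration (not Indico's own code) of what the identity-provider entry above expresses: the `identifier_field` attribute must be present in the attributes the IdP releases, otherwise the login cannot be tied to an identity, which is the situation behind the "Identifier missing in shibboleth response" error; `mapping` then fills the profile fields. The attribute dicts below are constructed samples, not captured from a real federation.

```python
# Simplified model of applying an IDENTITY_PROVIDERS entry to the attributes
# released by a Shibboleth IdP. This is illustrative code, not Indico's
# implementation; attributes are assumed to arrive as a flat dict of strings.

IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fédération Campus Condorcet',
        'identifier_field': 'eppn',
        'moderated': True,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'email',
        },
        'trusted_email': True,
    }
}


class IdentifierMissing(Exception):
    """The IdP did not release the configured identifier attribute."""


def build_identity(provider_name, attributes, providers=IDENTITY_PROVIDERS):
    """Return (identifier, profile, trusted_email, moderated) for one login.

    Raises IdentifierMissing when the attribute named by identifier_field
    (here 'eppn') is absent, e.g. an IdP that does not release eppn.
    """
    cfg = providers[provider_name]
    id_field = cfg['identifier_field']
    identifier = attributes.get(id_field)
    if not identifier:
        raise IdentifierMissing(
            f"{provider_name}: attribute '{id_field}' absent from IdP response")
    # Map IdP attribute names onto profile fields; unreleased ones are skipped.
    profile = {field: attributes[attr]
               for field, attr in cfg['mapping'].items() if attributes.get(attr)}
    # trusted_email: whether the released email still needs user confirmation.
    # moderated: whether an admin must approve the new user before it is active.
    return identifier, profile, bool(cfg.get('trusted_email')), bool(cfg.get('moderated'))


# Constructed sample IdP responses (hypothetical values).
GOOD_RESPONSE = {'eppn': 'jane@example.org', 'givenName': 'Jane',
                 'sn': 'Doe', 'email': 'jane@example.org'}
NO_EPPN_RESPONSE = {'givenName': 'Jane', 'sn': 'Doe', 'email': 'jane@example.org'}
```

Running `build_identity('shib-sso', NO_EPPN_RESPONSE)` raises `IdentifierMissing`, which is the check to run against each IdP's released attributes when only some of the federation's IdPs fail.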

Ok,

I reinstalled a fresh database.

I think that you can’t log in with Shibboleth when the local account has already been created.

In this order, it is possible:

  1. log in and create the account with Shib
  2. create a local account
  3. log in with the local account

Regards,

Gautier