bryan.kartzman@yu.edu writes:
> will do this. The university does use SSO for many applications and I was asked by upper management of the IT department to try and implement it here. I'm still trying to understand your reply to my SSO question from last week (my SSO knowledge is limited and I'll have to read up on Shibboleth, SAML, as well as Django) so for now I'm thinking to not use SSO
If they want to use it, pass the buck to them. I'm happy to help with the Mailman side (on a time-available basis or as a paid consultant -- time available is probably a much better deal, though!). But I can't know what the system in use is, so maybe you should get them to write an outline of the system (what software, what requirements, what ID-related attributes are available).
> then transition to SSO later.
I don't think that will be a problem technically, as long as the user ids are the same for the same people. There will be UX issues though in the configuration I use. I think people will accept them quickly, but the UX will be different, which makes folks nervous if you don't warn them and explain why it's OK.
> If you have any pointers as to where to read up on SSO, SAML, Shibboleth and also on Django please point me in the right direction.
For Django, search "site:djangoproject.com REMOTE_USER". For Shibboleth, the relevant documentation is on the Atlassian site. Here's the main documentation for the "service provider" component (this is the part that Postorius would be using indirectly): https://shibboleth.atlassian.net/wiki/spaces/SP3/overview . Search there for "REMOTE_USER" for the most relevant documentation.
The SAML protocol is above our pay grade. :-) There's an introduction to the SAML architecture linked from the service provider documentation. That's way more than you need for this task, I think, so just skim it. Another guy did the Shibboleth config, so I'm a little fuzzy on this, but again I think that's mostly IT/NOC responsibility. (IIRC the main thing was getting the ID provider credentials and our host certs from the NOC; you can't generate those yourself!) The parts that hook into Mailman are a list of translations of ID attributes to Apache variables, some email addresses for error reporting, and in Apache some translations of Apache variables to HTTP headers.
But you need to make sure it's SAML. I'm no expert on this stuff, but it seems like there are a bunch of these protocols, like OpenID and OAuth2 out there. Django knows how to do those, too, but we need to know which one!
Steve
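As an added illustration of the hand-off Steve describes (Shibboleth SP sets an Apache variable, Apache turns it into an HTTP header, Django's REMOTE_USER support consumes it), here is example code that is not from this thread, from Mailman or from Django: it mirrors the middleware logic in plain Python and shows why the header variant only works when the front-end server strips any client-supplied copy. The header name `X-Remote-User`, the `example.edu` names and the scoped-username policy in `clean_username` are assumptions for the example.

```python
import re

# Django's RemoteUserMiddleware reads request.META["REMOTE_USER"], which
# mod_wsgi fills from Apache's own environment (mod_shib sets it once a
# Shibboleth session exists), never from a client header. Django's
# documented variant for a proxied backend is a subclass whose `header`
# is "HTTP_X_REMOTE_USER"; that one is only safe if the front-end server
# strips any client-supplied copy before forwarding the request.
APACHE_VAR = "REMOTE_USER"
PROXY_HEADER = "X-Remote-User"      # assumed header name for this example
WSGI_KEY = "HTTP_X_REMOTE_USER"     # how WSGI exposes that header

def wsgi_key(header_name):
    """CGI/WSGI convention: 'X-Remote-User' -> 'HTTP_X_REMOTE_USER'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def hardened_proxy_environ(shib_vars, client_headers):
    """Environ the backend sees behind an Apache front end that unsets
    X-Remote-User and re-adds it only from the Shibboleth server variable
    (roughly: RequestHeader unset X-Remote-User, then
    RequestHeader set X-Remote-User %{REMOTE_USER}e env=REMOTE_USER)."""
    environ = {wsgi_key(n): v for n, v in client_headers.items()
               if n.lower() != PROXY_HEADER.lower()}
    if shib_vars.get(APACHE_VAR):
        environ[WSGI_KEY] = shib_vars[APACHE_VAR]
    return environ

def naive_proxy_environ(client_headers):
    """Environ when the proxy forwards whatever the client sent, unchanged."""
    return {wsgi_key(n): v for n, v in client_headers.items()}

def clean_username(username):
    """Stand-in for RemoteUserBackend.clean_username(). Django's default
    returns the value unchanged; this example's policy (an assumption)
    is to accept only a scoped eduPersonPrincipalName, lower-cased."""
    username = username.strip().lower()
    return username if re.fullmatch(r"[a-z0-9._-]+@[a-z0-9.-]+", username) else None

def remote_user(environ, header=WSGI_KEY):
    """Mirror of RemoteUserMiddleware.process_request: an absent or empty
    value means no authenticated user, otherwise the cleaned username."""
    raw = environ.get(header, "")
    return clean_username(raw) if raw else None

# Constructed sample: a client that tries to send its own identity header,
# and the variable mod_shib would set for a real Shibboleth session.
SPOOFED_HEADERS = {"Host": "lists.example.edu", "X-Remote-User": "other@example.edu"}
SHIB_SESSION = {APACHE_VAR: "alice@example.edu"}
```

With the hardened proxy the client-supplied header is discarded and only the Shibboleth-derived identity reaches Django; with the naive proxy the backend cannot tell the two apart.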