bryan.kartzman@yu.edu writes:
> It seems Microsoft Azure uses SAML2 authentication. When you say "(what software, what requirements, what ID-related attributes are available)" -- they just
Nobody ever stops at "just". ;-)
> want them to authenticate to the mailman listserve using AZURE. What attributes besides username would have to be passed to Mailman?
The only attribute *needed for authentication* is username. But users are unlikely to be satisfied, and the straightforward implementation that I'm using has a number of implications that happen to work for my client, but I'm pretty sure would not be satisfactory in some other environments.
1. Users in my environment expect their profiles (display name, time zone) to be populated. (I haven't figured out how to do the latter, but it's a company with overseas offices, "that's the server's time zone" is acceptable.) Lack of first name, last name was considered a showstopper, though. In your environment there may be other attributes you'd like to add, but I think in stock Mailman 3 those (plus email, see point #2) are all the attributes you would like to populate from the ID provider.
2. Owners and moderators *need* their emails in the profile to be linked to their existing lists migrated from an existing Mailman 2 site (and maybe to future lists they admin, I haven't checked in detail). But confirming an email address is an annoyance you'd probably like to avoid.
3. The REMOTE_USER approach we use authenticates on every request, before the login screen is invoked. This means that superusers known to the network can't have a separate account; you need to give their personal users superuser privilege. This doesn't matter in my environment; the lists are used mostly for customer service, the admins with superuser normally don't interact with lists, so this actually increases accountability. (I don't think there's a "sudo" or "drop privileges" feature in Django.) This wouldn't be desirable in my university environment, as many of the superusers are faculty members who teach classes and supervise lists for their classes.
So, yeah, all you *need* is the username, but I'm willing to bet you will be asked to deal with some of those other issues.
And again, the only SAML Service Provider I know how to configure is Shibboleth.
Steve
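The attribute plumbing Steve describes (REMOTE_USER required, first/last name and email populated from the IdP, IdP-asserted email treated as already confirmed), as an added example that is not part of the thread or of Mailman's or Django's own code. It is written as plain Python so it runs without Django; the header names givenName, sn and mail are an assumption about the Shibboleth SP's attribute-map.xml, and this is the logic one would put behind a RemoteUserBackend.configure_user hook in Postorius.

```python
# Added example, not from the thread. Environment keys below are assumed
# Shibboleth SP attribute ids (attribute-map.xml); adjust to your SP config.
from dataclasses import dataclass, field
from typing import List, Mapping, Optional

# Profile field -> environ key the SP exports (assumption, see lead-in).
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}


class NotAuthenticated(Exception):
    """REMOTE_USER absent: the SP did not authenticate this request."""


@dataclass
class Profile:
    username: str
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    email: Optional[str] = None
    missing: List[str] = field(default_factory=list)  # attributes the IdP omitted


def _first_value(raw: str) -> str:
    # Shibboleth joins multi-valued attributes with ';'; take the first value.
    return raw.split(";")[0].strip()


def profile_from_environ(environ: Mapping[str, str]) -> Profile:
    """Build the profile fields to fill in from the authenticated request.

    Only REMOTE_USER is required (that is the one attribute needed for
    authentication); the others are optional and any absent ones are listed
    in `missing` so the site can decide whether that is a showstopper.
    """
    username = environ.get("REMOTE_USER", "").strip()
    if not username:
        raise NotAuthenticated("REMOTE_USER missing or empty")
    profile = Profile(username=username)
    for attr, key in ATTRIBUTE_MAP.items():
        value = _first_value(environ.get(key, ""))
        if value:
            setattr(profile, attr, value)
        else:
            profile.missing.append(attr)
    return profile


def email_may_skip_confirmation(profile: Profile) -> bool:
    """An address asserted by the IdP can be linked without a confirmation mail."""
    return profile.email is not None and "@" in profile.email
```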