The TG-auth* system consists of two main components:
- openRBAC, a system to maintain, modify, and enforce authorization policies using the Role-Based Access Control framework. See http://www.openrbac.de/; note, however, that the basic software has been heavily customized for use with TextGrid.
- WebAuthN, a system offering authentication functionality, both directly against a community-managed user directory and via the Shibboleth-based DFN-AAI. WebAuthN is embedded in TextGridLab, offering a login screen, and registers the user in RBAC.
There are some minor components interacting with tg-auth* (now obsolete since the TextGrid and DARIAH accounts have been merged; please use the DARIAH Self Service Portal instead):
- PWchange, a Web application allowing for setting a new password in case the user knows their old one
- PWreset, a Web application that lets users set a new password in case they forgot their old one
openRBAC:
- Implementation: PHP, consisting of
- openRBAC core: RBAC implementation backed by an LDAP directory, e.g. OpenLDAP
- openRBAC Web Service layer: for accessing openRBAC functions via SOAP
- tgextra (also a SOAP Web Service): additional functions implemented for TextGrid needs, either aggregating basic RBAC functions or introducing unrelated functions that leverage the underlying LDAP server as storage
- Storage: an OpenLDAP server
- two additional schemas: for RBAC core and for TextGrid-specific attributes
- ou=people for users
- ou=roles for the roles users can activate. TextGrid projects are treated like roles, with sub-roles for the actual roles visible in the TextGridLab, e.g. Administrator or Editor
- ou=resources for the TextGridObjects and their role-right assignments
- ou=sessions for the Session IDs that users have in the TextGridLab and the roles they activated in their sessions
WebAuthN:
- Implementation: PHP
- Login flow:
  1. Dual Login on the first page:
     - direct authentication against the community LDAP server, or
     - Shibboleth Login with DFN-AAI-Basic
     - both login methods populate the server variable $REMOTE_USER
  2. In Login Mode: registration of a user session with activation of all available roles in RBAC
  3. In Login Mode: exposure of the newly assigned Session ID for use in further activities with the TextGridLab and the TG-Utilities
- In User Details mode (no authentication, only viewing and modifying the user’s attributes), only step 3 happens.
- One WebAuthN installation with one community LDAP server can interact with multiple RBAC instances.
- HTTP GET or POST arguments for TextGrid-WebAuth.php:
- authZinstance – string identifying the RBAC instance to be used. Always needed.
- loginname and password – for authentication at community LDAP. Only in Login mode and with HTTP POST.
- Sid – Session ID known from some earlier authentication. Necessary for User Details mode.
- ePPN – User ID of the user. Necessary in User Details mode.
- TextGrid-WebAuth.php is called from WebAuthN2.php, which presents both the community login form and the Shibboleth Login button.
- For Shibboleth login, the Shibboleth Service Provider (Apache module) guarantees the provision of a correct User ID delivered from some home organisation.
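The argument handling described above, as an added model (not TextGrid's own code): it selects Login mode or User Details mode from the documented TextGrid-WebAuth.php arguments, treats a populated $REMOTE_USER as a completed Shibboleth login, and accepts loginname/password only via POST. The Request class and all sample values are constructed for this example; the actual LDAP bind is out of scope.

```python
# Added example, not TextGrid's code: a model of how the documented
# TextGrid-WebAuth.php arguments select Login mode or User Details mode.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a PHP request to TextGrid-WebAuth.php."""
    method: str                               # "GET" or "POST"
    args: dict = field(default_factory=dict)  # GET/POST parameters
    remote_user: str = ""                     # $REMOTE_USER, set by the Shibboleth SP


def select_mode(req: Request) -> dict:
    """Validate the arguments and return the mode plus the inputs it needs.

    Raises ValueError when a required argument is missing or when form
    credentials arrive via GET, which the interface does not allow.
    """
    instance = req.args.get("authZinstance", "")
    if not instance:
        raise ValueError("authZinstance is always required")

    # User Details mode: no authentication; needs a Sid from an earlier
    # login plus the user's ePPN.
    if "Sid" in req.args or "ePPN" in req.args:
        sid, eppn = req.args.get("Sid", ""), req.args.get("ePPN", "")
        if not (sid and eppn):
            raise ValueError("User Details mode needs both Sid and ePPN")
        return {"mode": "userdetails", "authZinstance": instance,
                "Sid": sid, "ePPN": eppn}

    # Login mode via Shibboleth: the Apache SP has already authenticated
    # the user and populated REMOTE_USER, so no form credentials are used.
    if req.remote_user:
        return {"mode": "login", "authZinstance": instance,
                "user": req.remote_user, "via": "shibboleth"}

    # Login mode via the community LDAP: loginname and password are only
    # accepted with POST, so they never end up in URLs or access logs.
    if req.method != "POST":
        raise ValueError("loginname/password are accepted only via HTTP POST")
    loginname = req.args.get("loginname", "")
    password = req.args.get("password", "")
    if not (loginname and password):
        raise ValueError("Login mode needs loginname and password")
    # The LDAP bind that verifies the password is outside this example; on
    # success the application would populate REMOTE_USER with loginname.
    return {"mode": "login", "authZinstance": instance,
            "user": loginname, "via": "community-ldap"}
```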
PWchange:
- PHP Web application
- Authenticates and changes passwords against an LDAP directory (community LDAP server)
- Source currently not in SVN, but available upon request
PWreset:
- Perl Web application
- Sends out links for verification of the user’s email address
- Current development is in the Git repository of GWDG Chili, https://projects.gwdg.de/projects/tg-auth
OpenRBAC SOAP WSDL locations on the productive TextGridRep TG-auth* server:
- Most relevant for Lab/User interaction: https://textgridlab.org/1.0/tgauth/wsdl/tgextra.wsdl (see: Documentation of TGextra WSDL Methods)
- Relevant for Server access: https://textgridlab.org/1.0/tgauth/wsdl/tgextra-crud.wsdl (see: Documentation of TGextra-crud Methods)
- Administrative functions: