4. WebApollo Single Sign On¶
4.1. What is WebApollo SSO?¶
The basic idea in SSO is to provide handy user interface and make WebApollo user more like a community. In order to accomplish those ideas, we try to transfer management jobs from WebApollo to SSO. SSO gives the coordinators more authority to manage their members who can annotating and grant the priviledges on their own.
In SSO, we seperate users into three different roles.
- First, the
ADMIN
who actually owns ‘admin priviledge’ in WebApollo, can manage users/groups/eroll event. - Second, the
COORDINATOR
who belong to groupGROUP_(Organism_short_name(OSN))_ADMIN
, can manage membership in specific (Organism). - Last, the remaining users are in
USER
. They can make request to join (or leave) different organism team. Once be recuited in, user will pertain to groupGROUP_(OSN)_USER
.
SSO make a virtual role COORDINATOR
by exploiting a conventional group name GROUP_(OSN)_ADMIN
and the user in the team
would be in group GROUP_(OSN)_USER
.
Role\ | WebApollo | Single Sign On (SSO) |
ADMIN | Global Admin | Global Admin |
COORDINATOR | Admin permission | in GROUP_()_ADMIN |
USER | RWE permission | in GROUP_()_USER with RWE permission |
Note
Mapping between full organism name and short organism name are stored in django-blast app. Full organism name is the real name in WebApollo and short name is a abbreviation used in django-blast app.
4.2. Framework Overview¶
SSO was implemented in Django and JQuery. Conceptually, SSO is a proxy service for delegating user request to appropriate WebApollo service. The main advantage here is that SSO could provides more social utilities for the I5K community.
Database Schema (UserMapping)
Apollo_user_id | Apollo_user_name | Apollo_user_pwd | django_user | last_date |
1 | Chris | (AES encrpted pwd) | Christopher | |
2 | Monica | (AES encrpted pwd) | Monica | |
3 | Mei | (AES encrpted pwd) | NULL |
SSO records the mapping between Apollo_user and django_user in table UserMapping
.
Apollo_user_id
and django_user
are unique attribute and this makes mapping a one to one relationship.
(apollo_user_name could be changed and is not unique)
In above table, record 1 and 2 tell a formal relationship but record 3 describes an Apollo user doesn’t belong to any django user. User can claim it by re-register process. (mentioned below)
4.3. Configuration¶
SSO uses a pre-assigned admin Apollo account to communiate with Apollo server. The account must be create on apollo server first. Two URLs address of i5k server and apollo server are used to identify each others’ locations. In order to secure user password, SSO encrpt it before saving password into database.
WebApollo SSO configuration in django setting.py:
# WebApollo SSO robot account
ROBOT_ID='R2D2'
ROBOT_PWD='demo'
#URL of i5k workspace and webapollo
I5K_URL='http://i5k.nal.gov'
APOLLO_URL='http://i5k.apollo.nal.gov/apollo'
# cookie can be seen in Apollo-prod and Gmod-prod
APOLLO_COOKIE_DOMAIN=".nal.usda.gov"
#Encypt webapollo user password in SSO database.
#AES key must be either 16, 24, or 32 bytes long.
SSO_CIPHER='1234567890123456'
4.4. Register WebApollo¶
There are three ways to make connection between i5k account to apollo account.
When registering an new i5k account, SSO also create an apollo account(same ID).
When entering SSO, if SSO doesn’t have mapping record of user,
- it asks user to create a new apollo account
- or register his account info into SSO.
When entering SSO, if SSO has mapping record of user but login failed, it asks user to re-enter his password into SSO.
4.5. Utilities¶
There are six individual tab pages, three of them are general and others are specific for Admin user.
4.5.1. Utilities only for Admin¶
Tab\ | Function Descriptions |
User(Admin) | View/Create/Delete/Update/Disconnect Apollo User |
Group(Admin) | View/Create/Delete Apollo Group |
PReq(Admin) | View Pending request |
4.5.2. General Utilities¶
Tab\ | Function Descriptions |
My Organism | Manage organism which you joined in / Go WebApollo |
My Request | Make request to join/leave a organism community |
My Info | User basic information |