[Koha] Single Sign-On via Drupal

[Katrin Fischer]

Hi Michael,

1) Auto-create is not possible with CAS at the moment. I think LDAP, 
Shibboleth and OpenID are the only ones so far.

3) What do you mean by access levels? Permissions for staff users? Or 
just patron categories?

4) Passwords are not mandatory. If you never set it, there will be no 
password. No need to create a hard to guess one. It might be possible to 
hide it from the form in staff, but I haven't tested it. For the OPAC 
there is |OpacPasswordChange that you can use to hide the change 
password feature.|

|Hope that helps,|

|Katrin|


On 30.05.2018 14:19, Michael Kuhn wrote:

> Hi
>
> The KDZ Zentrum für Verwaltungsforschung in Vienna (Austria) is trying 
> to connect Koha to the user database of a Drupal 7 instance via CAS. 
> The goal would be to have a Single Sign-On / SSO solution with the 
> user database of Drupal. No Koha-only user accounts would be required.
>
> At the moment we are using the CAS module of Drupal, which provides a 
> CAS server, and have connected it with the CAS authentication plugin 
> of Koha. Authentication and login works, however only if users are 
> already existing in Koha. The problem is: users are not automatically 
> created in Koha, so the actual solution does not work without manually 
> creating the user in Koha first. Thus, for the solution to properly 
> work we'd need to find a way to auto-create the user accounts in Koha.
>
> 1. We've noted that the Shibboleth plugin has some auto-create option, 
> that the CAS plugin seems to miss. Is there a way to have 
> auto-creation work via CAS also?
>
> 2. Instead of the auto-create option, we've been thinking about some 
> automated cron job that imports users in CAS on a regular basis based 
> upon some CSV export provided by Drupal. A delay of a few hours until 
> user accounts are created would be acceptable. Bug 12598 
> (https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12598) 
> mentions that Koha 18.05 comes with CLI support for the user import 
> tool ("import_patrons.pl"), so we have been considering using that for 
> repetitive user imports. For that purpose, we could easily provide a 
> CSV file in the desired format with Drupal. Does that seem like a 
> doable approach?
>
> 3. Besides creating users with the correct user name, we'd have to map 
> access levels to Koha as well. Would that be doable with the CSV import?
>
> 4. Setting a password on users in Koha is not necessary, as login 
> should happen via the CAS interface. Is there a way to disable the 
> password? Else we'd consider to just set an impossible-to-guess 
> password for the accounts, so login would only work via Drupal.
>
> Has anybody done something like this before? Any hints or ideas would 
> be highly appreciated!
>
> Best wishes: Michael