[Koha] Koha as an identity provider
Coehoorn, Joel
jcoehoorn at york.edu
Thu Oct 19 03:03:56 NZDT 2023
> "we also give koha login credentials to them, ... share the username
and password
fields for other external services."
Done properly, services like Koha **do not store any actual passwords**.
They only store salted and hashed mutations of the original passwords. When
you try to log in, the service will then make the same adjustments to the
attempted password and compare the hashes, rather than the passwords. This
protects users; in the event of a data breach, you haven't also given up
credential information that may be shared with other sites, and when the
service is restored users can still initially login to protected accounts.
This is standard practice for ANYTHING handling credential information. If
you find a product storing bare passwords, that's enough of a reason on its
own to pick a different product.
Therefore it's not enough for other services to know where to look in koha
to find your credential information. They also need to know the salt used
for each user, the hashing algorithm used, and the tuning level from the
algorithm, in order to replicate the password hashing process. This
information is typically *not shared*. Instead, single sign-on (SSO)
services implement well-defined protocols like Shibboleth, SAML, or OAuth,
so the destination service provider (aka relying party) can redirect to the
identity provider's login page for credential validation, and then once
logged redirect back with an authentication token.
Koha does not directly implement the protocols needed to be an identity
provider. It doesn't even directly implement the protocols to be a service
provider/relying party. Those of us who use that feature need to install
and configure a separate SimpleSAMLPhP Shibboleth package in Apache. You
*might* be able to get that package to also act as an IdP, but I doubt it.
I've setup more than a dozen other service providers to use our AD FS IdP,
and Koha was by far the hardest to get working, and even then this is only
possible when the other applications have support for this built into the
product.
*Joel Coehoorn*
Director of Information Technology
*York University*
Office: 402-363-5603 | jcoehoorn at york.edu | york.edu
On Wed, Oct 18, 2023 at 12:14 AM Rupinder Singh <jessedhammu at gmail.com>
wrote:
> Hi,
> I am thinking I can use koha as an identity provider for other Librayr
> services like repository and off-campus remote access, etc.
> Because, In koha, we usually already have complete details of our patrons,
> and we also give koha login credentials to them, I was thinking if we use
> the borrower table from the database, and share the username and password
> fields for other external services.
> just a thought, please give your views on this possibility.
>
> Thank you
> Rupinder Singh
> _______________________________________________
>
> Koha mailing list http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
>
More information about the Koha
mailing list