Separate authentication from user profile retrieval

[damien-git]

I am trying to resolve a particular issue with authentication: we need to give users a choice of 2 authentications: FOLIO or SAML. I started implementing a custom driver for SAML using simplesamlphp, but for the purpose of this issue, we can just assume it is Shibboleth. When users authenticate with FOLIO, they provide a username and password. When they authenticate with SAML, we are only getting the username back from the IdP and want to get all the other user profile information from FOLIO. When a user is authenticated, no matter the method, we want to use a special FOLIO user with permissions to retrieve user-related information like firstname or checked out items.

I have tried using ChoiceAuth, and set Folio.ini with okapi_login = true. This works for users authenticating with FOLIO, but users authenticating with SAML are being prompted for their catalog username and password. How could I make this work in Vufind ? There is only one Folio.ini, so I can't use a different value of okapi_login for each method, and also it looks like authentication, user profile retrieval and user catalog information (like checked out items and fines) are all tied...

[demiankatz]

@damien-git, the intended design here is that all authentication methods need to correctly populate the cat_username and cat_password fields in the user table of the database. These are the credentials used to obtain data from the ILS. As long as your authentication populates these fields with values that will work with the ILS driver, everything should work seamlessly regardless of authentication method chosen. Does that help, or is there a reason that you cannot populate the fields consistently in your different authentication scenarios?

Based on your description, it sounds to me like you may want to set okapi_login to false in Folio.ini to make it easier to populate appropriate attributes. See also current work in progress on #2570 for a new feature that will make things more secure if you wish to use weaker credentials in the cat_username / cat_password fields to simplify the integration.

[damien-git]

I got it to work eventually, I had some bugs. I still wonder if I can safely use "$driverManager->get('Folio')" to create the Folio driver in the custom Folio auth constructor. Would there be a risk that the custom config overrides the general one ? My initialization looks like this:

        $this->driver = $driverManager->get('Folio');
        $config = $configReader->get('Folio');
        $driverConfig = is_object($config) ? $config->toArray() : [];
        $driverConfig['User']['okapi_login'] = true;
        $this->driver->setConfig($driverConfig);
        $this->driver->init();

[demiankatz]

@damien-git, it would probably be a good idea to clone the driver after fetching it from the driverManager, to ensure that you have a distinct instance from the one that will be used in other contexts.

[damien-git]

I was trying to call the constructor directly, but that's made more complicated by the various traits that need to be initialized. How do you clone this driver object ?

[demiankatz]

@damien-git, you can just use the PHP clone operator: $this->driver = clone $driverManager->get('Folio');

[damien-git]

Thanks, I'm going to use that.