Actions

Proposals/Done/Moving between SSO institutions

From Mahara Wiki

< Proposals‎ | Done
Revision as of 11:40, 26 May 2011 by Hughdavenport (talk | contribs) (cleanup, add summary,)
ToDo

This will show a workflow of how you would move users between different institutions with SSO capabilities.

There are four different types of moves.

  • Simple -> Simple
  • Simple -> SSO
  • SSO -> Simple
  • SSO -> SSO

There is also the case when a user wants to be part of two or more institutions that use SSO.

Inbetween each transition, we have a parking institution, which is described below.

An extra option will be added to the Institution->Members screen, where new institution admins can transfer users from parked institutions.

Work flows

Simple -> Simple

This is moving users from an internal auth method to another institution that uses internal auth.

The workflow would be as follows:

  1. Original Institute admin sends student to a parking inst using internal auth
  2. credentials don't change
  3. 2nd institute provider uses the Institutions->Members screen to move students from parking to their institution
  4. auth will be the same as the internal auth already set

There could also be a CSV file workflow with the following fields

username, parkedinstitution

which will take username out of parkedinst

A CSV file with only username field can take users out of institution and put them in their parking institution.


Simple -> SSO

This is moving users from an internal auth method to an institution that uses SSO.

This would happen if a student enrols in a school that uses SSO, and they already had a portfolio they want to keep.

The workflow for this would be as follows:

  1. Original Institute admin sends student to a parking inst using internal auth
  2. credentials don't change
  3. 2nd SSO provider uses the Institutions->Members screen to move students from parking to their institution
  4. Mahara will change auth from internal auth to 2nd SSO
  5. * If 2nd SSO has a different username on remote side, they will need to update the user's remote username on mahara


This workflow could also include a CSV file upload with the following contents

username, parkedinstitution, remoteusername (this field is optional, defaults to username)

This will take the user from the parked institution, and change their remoteusername if supplied.

A CSV file with only username field can take users out of institution and put them in their parking institution.

SSO -> Simple

This is moving users from an institution that uses SSO to a simple internal auth method.

This would happen when a student leaves a school for example. They would still want to keep their portfolio

The workflow for this would be as follows:

  1. Original SSO Provider sends student to a parking inst with internal auth
  2. Mahara generates a password for that student that gets emailed to them, changed on first login.
  3. 2nd institute provider uses the Institutions->Members screen to move students from parking to their institution
  4. auth will be the same as the internal auth already set in step 2

There could also be a CSV file workflow with the following fields

username, parkedinstitution

which will take username out of parkedinstitution

A CSV file with only username field can take users out of institution and put them in their parking institution.

SSO -> SSO

This is moving users from one institution that uses SSO to another institution that uses SSO.

This would happen when a student leaves one school and enrols in another. They want their portfolio to follow them.

The workflow for this would be as follows

  1. Original SSO Provider sends student to a parking institution with internal auth
  2. Mahara generates a password for that student that gets emailed to them, changed on first login.
  3. 2nd SSO provider uses the Institutions->Members screen to move students from parking to their institution
  4. Mahara will change auth from internal auth to 2nd SSO
  5. * If 2nd SSO has a different username on remote side, they will need to update the user's remote username on mahara

This workflow could also include a CSV file upload with the following contents

username, parkedinstitution, remoteusername (this field is optional, defaults to username)

This will take the user from the parked institution, and change their remoteusername if supplied.

A CSV file with only username field can take users out of institution and put them in their parking institution.

Parking Institution

A dummy institution that maps to the old institution, but only uses internal auth.

Each institution has it's own parking institution.

The parking institution should either:

  • be created when institution is created
  • first time a user is moved into it
  • institutions have an option to have one, which would create/remove it when enabled/disabled.

When a user is put into this institution, they have a password generated if they don't already have one, this is then emailed to them. They are forced to change on first login.

The automatically generated password could be supplied in the csvfile manually?


Summary

Work to Do

  • Create notion of parked institution
    • Most likely a database table, links to old institution (may have multiple per institution
    • Decide when/how it is created, and possibly removed
  • Change Administration->Institution->Members page
    • Add dropdown option "Move members to parking institution" (or similar wording)
      • When the remove button is clicked, all users are moved to the parking institution (according to workflow above)
    • Add dropdown option "People who are in a parked institution" (or similar wording)
      • When that option is selected, the search field at the bottom can search through parked institutions
      • When the add button is clicked, all users are moved to the institution according to the above workflows
If moving to an SSO institution, then the admins will manually have to go and change the remote username
  • Implement option for uploading CSV's to do the same workflow as the first bullet point
  • Review of any code produced

CSV Files

Moving to parking institution

username, password (optional)
  • Moves username into parking institution.
    • If password already exists for that user, keep it (or maybe change if supplied in CSV??)
    • Otherwise, if password is supplied in CSV, change to that, notify user
    • Otherwise, generate password, notify user
    • Change auth method to internal


Moving from parking institution

username, parkedinstitution, remoteusername (this field is optional, defaults to username)
  • Moves username from parkedinstitution
    • If moving to an SSO institution, change remoteusername (or use default of username)
    • Change auth method to new institution


Out of scope

Multiple SSO

  • Wishlist

This happens when a user is part of two institutions that use SSO, and they want their portfolio to be the same in both of them