Identification management

PPCI offers several mechanisms for managing user identification:

  • storage of accounts in the database (BDD)
  • identification with an LDAP server (LDAP)
  • identification with a Common Access Service (CAS) server
  • identification with an OpenID Connect (OIDC) server
  • identification provided by the web server, to use Shibboleth mechanisms (Apache Mellon mode, for example) (HEADER)
  • mixed mechanisms, using third-party servers and database storage for accounts not otherwise managed:
    • LDAP-BDD: identification test with the LDAP directory, and if unsuccessful, with the database.
    • CAS-BDD and OIDC-BDD: a button can be used to select identification with the server in question.

In addition, users can activate dual TOTP identification. This is compulsory to access the administration modules.

Note that LDAP identification is now considered obsolete. It is better to use OIDC or CAS services, where available.

Specific parameters for each type of identification

Database identification

Parameters are defined in Ppci\ConfigIdentificationConfig.

  • CONNECTION_max_attempts : if the connection fails (default 5), the account will be blocked for the time specified in :
    • CONNECTION_blocking_duration (default 600 seconds). Note that attempting to connect during this period resets the counter to zero
  • APP_passwordMinLength : minimum password length.
  • APPLI_lostPassword : if set to 1 (default), the user will be able to ask for their password to be reset, provided their email address is entered
  • tokenIdentityValidity : validity period of the token generated during the BDD or LDAP connection, to avoid having to re-identify during the day. By default, 10 hours.

LDAP identification

Variables are defined in Ppci\Config\IdentificationConfig.LDAP.

  • address : LDAP server address
  • port : connection port
  • rdn : login account for directory queries, if required
  • basedn : account search base
  • user_attrib : attribute containing the user’s identifier (uid)
  • v3 : version 3 of the directory, set by default to true
  • tls : set to true to activate the tls connection
  • upn_suffix : upn suffix, necessary in some cases for Active Directory
  • groupSupport : if set to true, groups will be retrieved from the directory to feed the rights management module
  • groupAttrib : name of the attribute containing the user’s groups
  • commonNameAttrib : name of the attribute containing the common name
  • mailAttrib : name of the attribute containing the email
  • attributgroupname : name of the attribute containing the group name
  • attributloginname : name of the attribute containing the uid member
  • basedngroup : groups search path
  • timeout : directory search time-out (set to 2 seconds by default)
  • ldapnoanonymous : if set to true, querying the directory to retrieve groups requires a connection
    • ldaplogin : connection login
    • ldappassword : associated password

Icon for the identification button (CAS-BDD ou OIDC-BDD)

An icon has been added to the button used to activate identification with the CAS or OIDC server: Ppci\Config\IdentificationConfig.identificationLogo = "${FRONT_DIR}/favicon.png"

Identification on dedicated servers (HEADER, CAS, OIDC)

Parameters are defined in Ppci\Config\IdentificationConfig.XX, where XX must be replaced by CAS, OIDC or HEADER.

Generic parameters:

  • mail : attribute containing the email
  • firstname : attribute containing the first name
  • lastname : attribute containing the last name
  • name : attribute containing the common name
  • groups : attribute containing user membership groups
  • getGroups : if set to 1 (default), the user groups supplied by the identification server are processed

Specific parameters for CAS identification

  • address : CAS server address, by example: monserveur.society.com
  • uri : identification access folder. Default setting : /cas
  • port : default: 443
  • debug : f set to true or 1, traces are stored in the file writable/logs/cas.log
  • CApath : path to the certificate used to validate the CAS server. If it is not entered, the CAS server will not be verified (not recommended for production use).

OIDC identification

  • name : provider code
  • provider : provider web address (must start with https://)
  • clientId : code furnished by the provider
  • clientSecret : secret key furnished by the provider
  • scopeGroup : OIDC scope name which contains the secondary attributes (default : affectation)

HEADER identification

  • login : name of the $_SERVER attribute containing the login, returned by the Apache server
  • organizationGranted : table containing the code or name of authorised organisations. If this table is filled in, and if a new user does not belong to one of the organisations indicated (organization attribute), their account will not be created.
  • groupsGranted : table containing the list of authorised groups. If a user logs in for the first time and their group (or one of their groups) is on the list of authorised groups, their account will be activated automatically. If not, the account will be deactivated and an email will be sent to the administrators inviting them to activate the account.

Managing access to administration modules

The parameters can be accessed from Ppci\Config\IdentificationConfig.

  • adminSessionDuration : period during which the identification remains valid for access to the administration modules. Default: 10’.
  • disableTotpToAdmin : if set to 1, disables dual-identification for access to administration modules. Should not be used in production!