Project

General

Profile

Actions

Feature #4635

open

Allow non-WP authentication

Added by Boone Gorges about 9 years ago. Updated over 5 years ago.

Status:
New
Priority name:
Normal
Assignee:
Sonja Leix
Category name:
Authentication
Target version:
Start date:
2015-09-18
Due date:
% Done:

0%

Estimated time:
Deployment actions:

Description

The Commons was built independent of CUNY's central IT. We found it easier to use WordPress's native authentication rather than jump through the hurdles necessary to integrate with the CUNY Portal or other SSO services offered by CUNY. The Commons is in a different place today, and the technologies used for authentication by CUNY - as well as the technologies generally used for centralized authentication - are different from those in 2009 and 2010. It used to be a useful hurdle, and indeed a point of pride, that the Commons's separate registration was an obstacle for widespread use of the site. This is no longer true.

Let's use this ticket for some general discussion about improving login workflows. As we start to make decisions about priorities, etc, we can create separate tickets for specific tasks.

I think we should pursue two different strategies in parallel:
1. Allow authentication against CUNY identity systems. I guess this would mean the Portal, which I assume is powered by LDAP. But it could potentially mean integration with authentication systems on individual campuses, if we were insane enough to go that route.
2. Allow authentication with external OAuth providers. Off the top of my head, the obvious candidates are Google/GMail, Facebook, and Twitter.

Option 2 is nice because it'll cover a huge percentage of our user base, and it doesn't require permission from CUNY. However, we'll probably still need to check against a CUNY email account to verify that the user is a CUNY person. Option 1 is nice because, in theory, everyone should have an account; but it's also confusing because CUNY has so many logins, and I have no idea who we'll have to talk to to be whitelisted for their API. Going with option 1 first also means that we won't have to redesign the registration flow - we can do the normal send-an- activation email step, or even skip it, while in the case of Facebook etc we'll need to have an alternative flow for verifying CUNYhood.

In either case, we can probably use the authentication API to pull more than just authentication data - stuff like email addresses, first/last names, contacts, etc would be possible down the road.

We'd need workflows that account not only for new members, but also for existing members who want to log in using another auth system - a "claim your account" system, maybe. And we'll probably need to redesign/customize the login flow to account for the multiple login possibilities.

What do people think? Where should we focus our energies first?


Files

cac-portal.txt (2.42 KB) cac-portal.txt Boone Gorges, 2015-09-21 11:21 PM
integration 2.png (91.2 KB) integration 2.png Step 2 Paige Dupont, 2017-09-19 11:45 AM
integration 3.png (107 KB) integration 3.png Step 3 Paige Dupont, 2017-09-19 11:45 AM
integration 4.png (81.6 KB) integration 4.png Deletion Paige Dupont, 2017-09-19 11:45 AM
integration 1.png (128 KB) integration 1.png Step 1 Paige Dupont, 2017-09-19 11:45 AM
RH login.png (83.3 KB) RH login.png Paige Dupont, 2017-09-29 11:32 AM
Calendly1.png (59.7 KB) Calendly1.png Calendly 1 of 2 Paige Dupont, 2017-09-29 11:35 AM
Calendly 2.png (87.1 KB) Calendly 2.png Calendly 2 of 2 Paige Dupont, 2017-09-29 11:35 AM
Switch Accounts.png (22.7 KB) Switch Accounts.png Paige Dupont, 2017-09-29 11:39 AM
Actions

Also available in: Atom PDF