The other day I finished up the work I had been doing for the last week or so on integrating the different solutions for authenticating users at USQ. This evening I finished up the plugins and services required to handle authentication via USQ’s custom single sign-on (SSO) system (“USQAuth”), USQ’s single sign-in (SSI) system (Oracle Internet Directory with an LDAP interface) and USQ’s integrated library system (Virtua) so that they all play nicely together. Something that one would think should be relatively easy to do turns out to be a non-trivial task.
First some background. A few years ago before I joined the USQ Library they implemented the open source VuFind application in its “1.0RC1” form. Recently the Library managed to rebuild the application to not use the deep core hacks that initially were implemented to get it deployed. Some of it was due to the radical architectural improvements between 1.0RC1 and 1.0RC2 as well as the final 1.0 release which helped make it easier to extend.
USQ also developed the Virtua driver for VuFind. Virtua, the library’s integrated library system (ILS), doesn’t come with a driver; the vendor instead sells a reasonably expensive layer which integrates with Drupal these days. Originally such a layer didn’t exist, and the system operates by a complicated mess of reading directly from database tables and posting stuff to arcane undocumented web interfaces through an even older web application known as “iPortal” with a binary named “chameleon”. Much fun!
So one of the things that has been desired for a while is the ability to integrate with the corporate directory service and corporate single sign-on service. Unfortunately the vendor product is all or nothing: you either have everyone authenticating from the directory or you create accounts inside the ILS which can authenticate. Due to the nature of our Library and the non-USQ patrons we have (e.g. people who pay to join the library or reciprocal borrowers), we can’t easily just pick the LDAP option. That leaves us having to maintain our own passwords, distinct from everything else, which makes for a bad user experience.
Fortunately VuFind has a pluggable authentication layer. This means that we can supply our own authentication to handle things. Great! Except that the list of authentication plugins was hard coded. Well, not so bad, and easy enough to fix by altering the system to have more flexible support for authentication handlers.
So by default we have an ILS authentication handler which works fine. And for those non-USQ users we still want to use that handler because it works great right now. But we also want to have another one that hooks into our LDAP directory and integrates there. Now I could build a new magical plugin that handles both the ILS authentication and the LDAP authentication; however, I figured that this was a bit much and decided instead to build an authentication handler which allows chaining of multiple authentication handlers, creatively called “MultiAuth”. This allows chaining and processing of the fields to ensure that they are consistently used by all subsequent child plugins. Nifty!
So now that we have better pluggable authentication support and the ability to chain multiple plugins we’re getting close to everything we need. The USQ situation is unique in that students are issued with a barcode identical to their student number. This makes them easy to process because we can map them directly from the LDAP interface into the ILS system. Staff however present a much trickier problem. Staff are created with a custom barcode and identifier which is distinct from their staff username and different from the staff payroll number. This means that we need to dereference their username back to their ILS identity. Fortunately this was already done: an alternate barcode in a particular format stored their payroll number for cross verification. Sweet! In the not so lucky bucket was the fact that the custom barcode format meant that I couldn’t do a direct mapping and still needed to write some custom code. So with some modifications to the Virtua driver, the alternate barcode is pulled out, their real barcode is retrieved, and the user is logged in.
So at this point a user can log in using the LDAP credentials or the standard ILS credentials. For relevant staff and students this means they’ve got two options, but that’s better than nothing. This is great but it isn’t single sign-on yet, because they have to log into the library catalogue specifically and that isn’t fun! So bring on the single sign-on!
USQ has its own SSO system that was developed in-house, which means the standard mechanisms don’t work (bummer!). Fortunately our ICT department has some smart people and they’re also PHP friendly, which means that there was already a library and sample code sitting there just begging to be integrated. Surprisingly, with the rest of the LDAP stuff in place this was relatively easy. The library did the heavy lifting of authenticating the user and returning their details, so we just have to replicate what we had before. Students go straight through since their usernames match their barcode; for staff we do a lookup with the payroll number to backtrack to their actual barcode, then log them into the system and send them on their way.
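To make the chaining and the barcode mapping concrete, here is a small model of the MultiAuth idea (fields normalised once, child handlers tried in order, first success wins, otherwise deny), the student/staff dereferencing, and the SSO hand-off described above. This is an added example written for this post, not VuFind’s, USQ’s or ICT’s code; the “PAY-&lt;payroll&gt;” alternate barcode format, the sample patrons and the function names are all constructed assumptions.

```python
"""Model of a chained ("MultiAuth") login plus the student/staff barcode mapping.
Added illustration only: not VuFind, USQ or ICT code. All records, the
"PAY-<payroll>" alternate-barcode format and the handler names are assumptions."""
from secrets import compare_digest
from typing import Callable, Dict, List, Optional

# Constructed sample ILS patrons: real barcode -> (ILS password, display name).
ILS_PATRONS = {
    "0061234567": ("student-pw", "Student One"),       # student: barcode == username
    "STAFF-000042": ("staff-ils-pw", "Staff Member"),  # staff: custom barcode
    "0099000001": ("member-pw", "Community Member"),   # non-USQ patron, ILS only
}
# Constructed alternate barcodes (assumed "PAY-<payroll number>") -> real barcode.
ALT_BARCODES = {"PAY-7781": "STAFF-000042"}
# Constructed directory entries: username -> (LDAP password, payroll number or None).
LDAP_USERS = {"0061234567": ("ldap-pw", None), "jsmith": ("ldap-pw2", "7781")}

Handler = Callable[[Dict[str, str]], Optional[str]]  # returns ILS barcode or None


def resolve_barcode(username: str, payroll: Optional[str]) -> Optional[str]:
    """Students map directly (username is the barcode); staff are dereferenced
    through the alternate barcode that stores their payroll number."""
    if username in ILS_PATRONS:
        return username
    if payroll is not None:
        return ALT_BARCODES.get(f"PAY-{payroll}")
    return None


def ils_auth(creds: Dict[str, str]) -> Optional[str]:
    """Default handler: the patron's own ILS password (non-USQ patrons rely on this)."""
    rec = ILS_PATRONS.get(creds["username"])
    if rec and compare_digest(rec[0], creds["password"]):
        return creds["username"]
    return None


def ldap_auth(creds: Dict[str, str]) -> Optional[str]:
    """Directory handler: verify against LDAP, then map the identity into the ILS."""
    rec = LDAP_USERS.get(creds["username"])
    if rec and compare_digest(rec[0], creds["password"]):
        return resolve_barcode(creds["username"], rec[1])
    return None


def multi_auth(handlers: List[Handler], username: str, password: str) -> Optional[str]:
    """MultiAuth: normalise the fields once so every child sees the same values,
    try each child in order, accept the first success, and fail closed otherwise."""
    creds = {"username": username.strip(), "password": password}
    for handler in handlers:
        barcode = handler(creds)
        if barcode is not None:
            return barcode
    return None


def sso_login(details: Dict[str, Optional[str]]) -> Optional[str]:
    """The SSO library has already authenticated the user; only the mapping remains."""
    return resolve_barcode(details["username"] or "", details.get("payroll"))
```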
Fortunately this is all now in place on the live system, which is up and running.