CUWebAuth is Cornell's single sign-on system. I wrote a module that uses it to authenticate Drupal users.
- The module is called culauth and is located in sites/all/modules/custom where installed.
- The module is based on Adam Smith's work in the cul_common module. It uses cul_common's API for accessing LDAP data.
- culauth contains a form for the login dialog, a block to display the form in, various hooks to catch the login, and the login code itself.
- To trigger the CUWebAuth authentication, culauth jumps to a .php file in a protected directory using drupal_goto. The directory is protected by a .htaccess file containing this:
    AuthName CORNELL
    AuthType All
    require permit library
- The actual .php file adds a cookie that tells culauth what the user's netid is.
- Given the authorized netid, the module creates a Drupal user account with that netid. No roles are assigned to the user.
- Once the Drupal account is created, the authorized user can log in without a password - just click the log in button.
- The CUWebAuth cookie expires at the end of the browser session. To log in after browser restart the user should have to go through CUWebAuth again.
- With the default setup, the Drupal login session does not expire on browser restart, so you can end up logged in to Drupal while there is no CUWebAuth cookie at all. This is not good.
- I added a module called Automated Logout that kills the Drupal session after a timeout.
- The account-creation option at /admin/user/settings should be set to 'Only site administrators can create new user accounts.' We don't want people who can log in via CUWebAuth creating accounts with their netid as a user name. We want to verify that they are still in the 'library' group whenever they log in.
- This system works with the regular Drupal logins also.
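An added example of how the "logged in to Drupal but no CUWebAuth cookie" situation could be closed off from inside the module, on every request rather than only after the Automated Logout timeout. This is not culauth's own code; it assumes Drupal 6 hook names (as the /admin/user/settings path suggests), that culauth sets $_SESSION['culauth_sso'] when it performs the passwordless login, and that the protected .php file's cookie is named by the placeholder CULAUTH_NETID_COOKIE.

```php
<?php
// Hypothetical addition to culauth.module (not the original module's code).
// The cookie name is a placeholder: substitute the name the protected .php file actually sets.
define('CULAUTH_NETID_COOKIE', 'culauth_netid');

/**
 * Implements hook_init().
 *
 * Ends the Drupal session when it has outlived the browser-session cookie
 * written by the CUWebAuth-protected .php file. Regular Drupal logins are
 * left alone; only sessions that culauth itself created are checked.
 */
function culauth_init() {
  global $user;
  if (!$user->uid) {
    return;  // anonymous request, nothing to enforce
  }
  // Assumption: culauth marks the session when it logs a user in via CUWebAuth.
  if (empty($_SESSION['culauth_sso'])) {
    return;  // regular Drupal login, not bound to a CUWebAuth session
  }
  if (culauth_session_is_backed_by_cuwebauth($user)) {
    return;  // cookie present and it names this account
  }
  watchdog('culauth', 'Drupal session for %name has no matching CUWebAuth cookie; logging out.',
    array('%name' => $user->name), WATCHDOG_NOTICE);
  module_invoke_all('user', 'logout', NULL, $user);
  session_destroy();
  $user = drupal_anonymous_user();
  drupal_goto('');  // back to the front page, where the login block is shown
}

/**
 * TRUE only if the netid cookie exists AND names the logged-in account.
 * Accounts are created with the netid as user name, so the two must agree;
 * a cookie for some other netid does not keep this session alive.
 */
function culauth_session_is_backed_by_cuwebauth($account) {
  if (empty($_COOKIE[CULAUTH_NETID_COOKIE])) {
    return FALSE;
  }
  return $_COOKIE[CULAUTH_NETID_COOKIE] === $account->name;
}
```

Automated Logout still covers idle sessions; this check only removes the window in which a Drupal session persists after the CUWebAuth cookie has disappeared.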