How To Programmatically Add OpenID Users To Plone Site - plone

I need to give roles (including the Member role), memberdata, and user folders to certain OpenID users before they first log in to my Plone site. That is, I need to programmatically add OpenID users to my Plone site. portal_registration.addMember cannot add an OpenID user. plone.openid has its own PAS plugin which does not create member objects. What do I do that is replicable in a setuphandler? The usual way to do this is to manually log in the OpenID user, then add roles, memberdata, and sharing after the login. Howwever, that user story is not programmatically replicable.

The only thing that should matter is the user id generated for each user. It should be possible to just create regular members beforehand with user ids matching the open id identity urls, assing them roles and then use openid (only) as an alternative authentication method for those users.
Update: As Chris commented below, it's not possible to add users with URL as their id through Plone UI, but they must be created directly into PAS users folder through ZMI (Zope Management Interface).

Related

WSO2 api manager shared application subscription

I have created a secondary User store using LDAP. By default, all users of the secondary store have no permission. Is it a way to assign the suscriber role to all users in one operation or I have to do it manually for each user ?
Thanks
Since by default WSO2 uses groupId('Organization) of the user to share the Application in the Devpotal as mentioned here in the documentation: sharing applications
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the User click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the ldap user store if you configure LDAP groups there are automatically created as a role and you can apply permissions to a role which will be apply to all users of your LDAP group.
But I didn't find a way to share applications between users of a LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that it allows the Applications to be shared if we have common roles, in as you said WSO2 treats AD groups as roles. Lets assume you have two users user1 and user2 in your LDAP store both of which are the part of AD group 'AD_Group'.
So mention the AD group name common to the users among which application needs to be shared : -
Also change the configuration as following in the deployment.toml file : -
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim=http://wso2.org/claims/role

mvc authentication with multiple roles

I am building a mvc application with owin authentication. I am storing both users and admins in one table(Users). The application works in a way where the admin can also be an user(different views for admin vs user).
I am thinking the following options but i am not if it is correct approach
Once the admin logs in ask them if they want to use the application as an user or admin and redirect them based on that
Have two records one as an user and another as an admin (only if nothing else works)
Is there a better solution?
The admin user by default is a privileged user, hence he should by default be shown admin pages. Similarly for the user.
However, as you mentioned, we can have a preview link which can render the page in a user mode if admin opts to.
Also, have a page where we can add / remove the roles for any user by the admin.
You may also have a user setting persisted in db to know the user's default view preference.

Forms Authentication with More than Username and Password

The customers (clients) of an ASP.NET webapplication are companies and each company may have many users that have access to the site.
So, for instance CompanyA subscribes to the site to consume the site's services. Immediately a superuser of that company is created. Then, this supersuser has the permission to create more users of CompanyA that have access to the site.
So, in general, each user is identified by a CompanyName and a UserName.
Typical ASP.NET forms authentication provides automatic login and register functionality but only with Username and Password fields.
Does the .NET framework provides a way to include a CompanyName and CompanyPassword fields in the Login and Register controls?
A company and the initial superuser may also be registered in the system by the Site's administrator.
Actually what I would like is to include a CompanyName field in the provided .NET Login control, and not only Username and Password.
Is there a .NET framework way to do this, or do I have to custom-code it? In the latter case, which is the best practice?
Your scenario should NOT require a company name at all. So long as the username is a unique column, you should be able to lookup to which company does the user belong to. All you need is a user_company table which will link usernames to company ids. Once the super user is created, you know the company he belongs to and when he creates a user, you also know which company that user will belong to. On the login page you still only need to ask for username and password only; that's of course, if you don't want to allow users from different companies with the same username, which I think is reasonable and a good trade off for simplicity.
You can use any pre-existing or planned authentication scheme you want with ASP.Net Forms authentication.
See this (overly simplified) example from MSDN where you can even hard code the auth scheme if you so choose - not that you should, but it gives you the overall idea.
ASP.net Membership is provided to you by Microsoft if you want to use it (you don't have to). It has all the scaffolding you need if you use it (including the database you mention) and is used by Forms Authentication by default (not exclusively).

Implementing OpenId in my custom application where users are created by administrator only

In my asp.net application, users are created by the administrators & those users need to log-in into the system using their own email/password or openid. So what is the best option to implement in this scenario?
I mean, as users can't register them self,do administrator required to associate each openid with the users & what kind of table structure do I need?
And do I also need the log-in interface like that of stackoverflow.com showing multiple types of authentication(default & openid from various providers)?
if the below suits you can set it up this way:-
Have user come up to your site and try logging in.
Do the complete OpenID authentication fetching one pseudonym from OpenID which can be used as a unique user identifier
Once verified , check if the user exists in your database of authorized user. if not , add this to a sperate table of new_users. For the new user , show a message which is akin to "You can login to the site once admin authroizes you"
Provide an interface for admin to look into new_users
Allow admin to authorize the new user. This would move the user to authorized user based on your business criteria
Once authorized , user can login to the site.
P.S: Take a look at http://www.plaxo.com/api/openid_recipe

asp.net membership users with passwords and those without

I am trying to find a way to handle two types of users for an intranet system. There are users who login and there are those who do not. I need to store both types of users in the membership db. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the O/S Name along with a few other attributes from AD in our membership db. The O/S Name gets captured using the Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked.. In addition to those users, there are users that actually log into the system. I was hoping to store both types of users in the membership db, so that when an event is retrieved, the user details will get retrieved from the membership db as wel
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then want's more access, he can logon to the site with a special username/pwd.
A membership DB would typically restrict access to a set of users for a particular application on an Intranet site. Only those who are in Active Directory as network users would even see the Intranet in the first place. And only a subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)

Resources