DMTViewer should be usable with multiple Shibboleth authentications
LLO uses Shibboleth. We want LHO to also use Shibboleth, but aren't sure DMTViewer can handle two such connections.
Also, there are vague desires to either limit connections to on-site only or to allow more offsite connections.
Michael Thomas wrote:
To be precise, here are the http access rules for the llo dmtviewer target URL. Note that offsite access is permitted to any LIGO.ORG user, but only if they authenticate with shibboleth (e.g. ecp-cookie-init or something similar):
    <Proxy *>
        allow from all
        AuthName "This content is viewable by only LIGO/Virgo personnel. Please enter your LIGO Directory name, e.g. albert.einstein, and password to continue."
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        <RequireAny>
            <RequireAll>
                require shib-session
                require shib-attr isMemberOf Communities:LSCVirgoLIGOGroupMembers
            </RequireAll>
            <RequireAll>
                require shib-session
                require shib-attr isMemberOf Communities:robot:LHOCDSControlRoomSystems
            </RequireAll>
            <RequireAll>
                require shib-session
                require user dmtviewer/cr39.cds.ligo-la.caltech.edu
            </RequireAll>
            <RequireAll>
                require ip 208.69.128.0/22
            </RequireAll>
            <RequireAll>
                require ip 127.0.0.1/32
            </RequireAll>
        </RequireAny>
    </Proxy>
The 'require user dmtviewer/cr39.cds.ligo-la.caltech.edu' can probably be dropped, as the 'require ip' rule below it would match LLO control room systems.
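The following is a small model of the access logic in the rules quoted above, added here as an illustration; it is not code from this thread or from the DMT project. It treats each RequireAll as a group and the Proxy block as a RequireAny over those groups, and checks the claim that the "require user" line is redundant for a cr39 request arriving from the 208.69.128.0/22 range. The request dictionaries, the addresses in them and the assumption that cr39 sits inside that /22 are all constructed for the example.

```python
import ipaddress

# Added example, not from the thread: a toy evaluator for the <Proxy *> rules.
# Assumptions (constructed): a request is a dict with remote_addr,
# shib_session (bool), user (REMOTE_USER) and attrs (Shibboleth attributes,
# ';'-separated when multi-valued, as mod_shib exports them); the LLO
# control-room host cr39 is assumed to live inside 208.69.128.0/22.


def require_ip(*cidrs):
    """Apache 'Require ip': source address inside any of the listed networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]

    def check(req):
        addr = ipaddress.ip_address(req["remote_addr"])
        return any(addr in n for n in nets)
    return check


def require_shib_session(req):
    """'require shib-session': an authenticated Shibboleth session exists."""
    return bool(req.get("shib_session"))


def require_shib_attr(name, value):
    """'require shib-attr NAME VALUE': VALUE is one of the attribute's values."""
    def check(req):
        raw = req.get("attrs", {}).get(name, "")
        return value in raw.split(";") if raw else False
    return check


def require_user(principal):
    """'require user PRINCIPAL': REMOTE_USER matches exactly."""
    return lambda req: req.get("user") == principal


LSC_GROUP = "Communities:LSCVirgoLIGOGroupMembers"
LHO_CR_GROUP = "Communities:robot:LHOCDSControlRoomSystems"
CR39_PRINCIPAL = "dmtviewer/cr39.cds.ligo-la.caltech.edu"

# The group Michael proposes dropping, kept as a named object so it can be
# removed from the policy below.
CR39_USER_GROUP = [require_shib_session, require_user(CR39_PRINCIPAL)]

# Each inner list is one <RequireAll>; the outer list is the <RequireAny>.
LLO_RULES = [
    [require_shib_session, require_shib_attr("isMemberOf", LSC_GROUP)],
    [require_shib_session, require_shib_attr("isMemberOf", LHO_CR_GROUP)],
    CR39_USER_GROUP,
    [require_ip("208.69.128.0/22")],
    [require_ip("127.0.0.1/32")],
]


def authorized(req, rules=LLO_RULES):
    """RequireAny over RequireAll groups: any group whose checks all pass grants."""
    return any(all(check(req) for check in group) for group in rules)


def without_user_rule(rules=LLO_RULES):
    """The same policy with the 'require user dmtviewer/cr39...' group removed."""
    return [g for g in rules if g is not CR39_USER_GROUP]


# Constructed sample requests (addresses are documentation ranges / the /22
# from the posted rules; no real traffic).
OFFSITE_MEMBER = {"remote_addr": "198.51.100.7", "shib_session": True,
                  "user": "albert.einstein@LIGO.ORG",
                  "attrs": {"isMemberOf": "Communities:LVC:LSC;" + LSC_GROUP}}
OFFSITE_NO_GROUP = {"remote_addr": "198.51.100.7", "shib_session": True,
                    "user": "albert.einstein@LIGO.ORG",
                    "attrs": {"isMemberOf": "Communities:SomethingElse"}}
OFFSITE_ANON = {"remote_addr": "198.51.100.7", "shib_session": False}
ONSITE_ANON = {"remote_addr": "208.69.129.10", "shib_session": False}
CR39_ONSITE = {"remote_addr": "208.69.129.39", "shib_session": True,
               "user": CR39_PRINCIPAL, "attrs": {}}
CR39_OFFSITE = {"remote_addr": "198.51.100.7", "shib_session": True,
                "user": CR39_PRINCIPAL, "attrs": {}}


if __name__ == "__main__":
    for name, req in [("offsite member", OFFSITE_MEMBER),
                      ("offsite, no group", OFFSITE_NO_GROUP),
                      ("offsite, no session", OFFSITE_ANON),
                      ("onsite, no session", ONSITE_ANON),
                      ("cr39 from the /22", CR39_ONSITE),
                      ("cr39 from offsite", CR39_OFFSITE)]:
        print(f"{name:22s} full rules: {authorized(req)!s:5s} "
              f"without 'require user': {authorized(req, without_user_rule())}")
```

The two cr39 rows show what dropping the line actually changes: a cr39 request from inside the /22 is granted either way (the "require ip" group matches), so the line is redundant for the control room; a request presenting the cr39 principal from an outside address is granted only while the line is present. So the removal is safe exactly when that principal is never used from outside the on-site range. The ip-only groups also grant without any Shibboleth session, since Apache 2.4's authz_core evaluates Require directives that need no user before the authentication phase runs, which is why on-site hosts are never challenged.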
Jamie wrote:
An offsite user (Evan Goetz) was trying to set up a dmtviewer of the range data. He claimed that he could see the Hanford data but not the Livingston data. If the sites should be restricting access to only the other site, then presumably that means there is a misconfiguration at LHO that is allowing it to be accessed externally.
Jonathan Hanks wrote:
The difference is a historical feature. The DMT at LHO is still protected via mod_auth_kerb, while LLO is protected via shibboleth with an access group (LHO uses the grouper group named something::something::... LHOCCDSControlRoomSystems to get access to LLO).
We need to move the LHO system to shibboleth. However, I'm not sure how well multiple shibboleth-protected servers work with the DMT web client code, so when we do that we may need to do a new release of dmtviewer in order to make sure it can see both sites at the same time.