  1. i2b2 Core Software
  2. CORE-376

Improve authentication infrastructure within i2b2 admin web panel


Details

    • Improvement
    • Status: New
    • Major
    • Resolution: Unresolved
    • None
    • TBD
    • None
    • None

    Description

      This ticket describes potential improvements to i2b2 user authentication with respect to the user experience for administrators as well as native support for SAML. This ticket can be considered a feature request in two parts, both centering around exposing a more robust authentication infrastructure within the i2b2 admin web panel.

      The first part of this request is to streamline the user experience for administrators configuring authentication in i2b2. Currently, configuration of Active Directory and LDAP requires detailed specification of parameters. I don't wish to sound too prescriptive in how a new solution should be applied, but I envision a node specifically devoted to user authentication. Within that node there would be a list of all user accounts within the hive with options to toggle between all currently supported authentication methods. This menu could handle getting and setting the parameters we currently configure on a per-account basis.

      The second part of this request is to extend i2b2 to natively support SAML and SSO services. Several institutions have devised approaches for interfacing between i2b2 and Shibboleth, a popular web-based identity management system based on SAML. An example of one approach involved deferring control to a custom PHP page and a web service to perform authentication and checks before passing control to i2b2. Another institution created a plugin and altered some JavaScript to accomplish the same thing. This is proof that the capabilities are there, but both of these approaches are wedded to a particular web client version and replete with site-specific customizations. This makes it difficult to upgrade the web client and retain single sign-on capabilities. In order to maintain consistency and elegance in how i2b2 handles user authentication, I believe this functionality should be incorporated into the core of i2b2.

      We would be willing to assist in implementing this functionality.

          People

            nich Nich
            mzd2016 Marcos Davila
            Votes: 5
            Watchers: 3