[opensource] OpenID and OSU Sign-on now available on club website

Brian Swaney swaneybr at opensource.osu.edu
Fri Jan 7 03:34:23 EST 2011

In response to a few complaints we received about having to log into our
site, remembering yet ANOTHER password (and resetting that password each
time), as well as insanely difficult CAPTCHAs, we have taken steps to
make things a little easier for everyone. Effective immediately, your
OSU name.n will now log any current student, faculty, or staff member
into our website with full access. To use, simply click the link on the
left-side of any page titled "OSU Sign-on" and you will be redirected to
the Shibboleth login page - do NOT enter your OSU username and password
into our website directly. Enter your OSU username and password (same
password you use for Carmen/grades/etc) and you will get signed into our
website (new account created if you don't have one). A nice feature
about this is that if you log in this way, we will automatically treat your
account as identified and give you the ability to post anything without
moderator approval (or any other options unavailable to anonymous or
unverified users), since we can be *reasonably* certain you're not a
spammer if you log in with an OSU account.

Additionally, we now also support OpenID. Unlike with your OSU login
(which uses Shibboleth), an OpenID will not automatically get flagged as
identified if you register a new account with it. However, you may tie
unlimited OpenIDs to your verified account. Using either OpenID or your
OSU sign-on, you can now log into our website without ever
having to enter a password in our site. Ultimately, it is possible to
have the same account accessible by an OSU username/password, OpenID,
and a local Drupal username/password at the same time, with you being
able to use whichever login method you feel like at that particular
moment. You can have all of them working, only one of them working, or
any combination.

A few known issues and explanations/workarounds:

If you appear to not be logged in after authenticating, check that the
URL starts with https:// (notice the s in https). For some reason, in
some cases you won't be redirected to SSL from a non-SSL page. I am not
sure when or why this happens, but secure logins are enforced throughout
the site; you cannot be logged in except over HTTPS. If it happens, you
can fix it by adding the s and you will find you are in fact logged in.

If you have an existing account that has your name.n at osu.edu as an
e-mail address, you will get an error telling you the e-mail address is
already in use. Users do not have permission to change their usernames,
so you will need an administrator to change it for you. A few people
have run into this dilemma already, and you will need to make a choice:
You can log into your existing account with your OSU password, or you
can keep your custom username. Both are allowed, but it is not possible
to use both simultaneously. If the username matches but the e-mail
address doesn't, the e-mail address will get overwritten.

Accounts newly created for users logging in the first time over
Shibboleth (name.n password) will have the option to add an OpenID, but
if the user later tries to log in over that OpenID they will get an
error that their e-mail address is not validated. Although intuitively
one would expect your e-mail address to be valid since it's assigned by
OSU, it was never verified for Drupal upon account creation, and
Shibboleth-created accounts are never sent a verification e-mail. The
issue can be resolved by initiating a password reset; once you click the
link received in the password reset e-mail your address will be confirmed.

If you log in with your OSU username for the first time using our
website, you will automatically have full access (e.g. create content
without approval, no captcha, view user accounts), but if you sign in
over OpenID or create a password and use that you will get a message
that your account is "unverified". This is because the privilege
delegation is done dynamically when you log in over Shibboleth, and is
unfortunately not tied to your account. You will still need to wait for
an administrator to "approve" your account, but until then you will
still have full access using your OSU username and password. Once the
permissions are tied directly to your account, you will be able to use
it without your OSU login, although you certainly aren't required to.

Messages about destroying uninitialized sessions (session_destroy()
[function.session-destroy]: Trying to destroy uninitialized session in
shib_auth.module) mean that your session is expired. Apparently the
author of the Drupal Shibboleth module decided to be extra sure that a
session is safely destroyed when it expires and then add the resulting
error message as a security "feature". Aside from polluting our logs
this does not pose any loss of functionality; and that you're no longer
logged in would have happened without the error message. To resolve it,
obviously, just log back in.

If you are having general issues with logging in not mentioned above,
first try refreshing the page and clicking login again. If that doesn't
work, remove all cookies for opensource.cse.ohio-state.edu and
webauth.service.ohio-state.edu . If you receive an error message
something like the one at http://opensource.osu.edu/~swaneybr/shiberror
it generally goes away if you refresh the page or click back and try
again. The error seems to be related to insufficient memory to process a
request (such as a lot of people using the service at once), but it has
not been reliably reproduced. If the error happens every time you try to
log in, or if it's happening on every page, then an administrator might
need to restart the service, although in the former case you can
generally still log in through OpenID or by logging in directly with
your Drupal password.

Brian Swaney
Open Source Club at
Ohio State University
Website Administrator
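
The first known issue above, as an added example that is not part of the original message: assuming the site flags its session cookie `Secure` (the post only says logins are enforced over HTTPS), Python's standard cookie jar shows the cookie being withheld from an http:// request, so the page renders as logged out although the session is valid. The cookie name and value are constructed placeholders.

```python
# Added example: why an http:// page looks "logged out" after a successful login.
# Assumption: the site marks its session cookie Secure; the cookie name and
# value below are constructed placeholders, not taken from the real site.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "opensource.cse.ohio-state.edu"  # hostname named in the post


def session_cookie(secure):
    """Build a session cookie scoped to HOST, optionally flagged Secure."""
    return Cookie(
        version=0, name="SESSexample", value="constructed-session-id",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_sent(url, secure=True):
    """Return True if a standards-following client attaches the cookie to url."""
    jar = CookieJar()
    jar.set_cookie(session_cookie(secure))
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure/domain/path rules
    return request.has_header("Cookie")


def diagnose(url):
    """Explain what the user sees when landing on url after authenticating."""
    if cookie_sent(url):
        return "session cookie sent: page renders as logged in"
    if cookie_sent(url.replace("http://", "https://", 1)):
        return "session exists but is withheld over plain HTTP: switch to https://"
    return "no usable session: log in again"


if __name__ == "__main__":
    for u in (f"http://{HOST}/node/1", f"https://{HOST}/node/1"):
        print(u, "->", diagnose(u))
```

Calling `cookie_sent(url, secure=False)` shows the contrast: without the `Secure` attribute the same cookie would also travel over plain HTTP, where it could be observed on the network.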
