SMS scnews item created by Paul Szabo at Wed 4 Jul 2007 1325
Type: Info
Modified: Wed 25 Jul 2007 0727; Tue 4 Apr 2017 1229; Thu 27 Jul 2017 0830; Wed 13 Dec 2017 0933; Fri 29 Mar 2019 0826; Mon 15 Apr 2019 1948; Sun 19 Jan 2020 2045; Sun 19 Jan 2020 2058; Mon 20 Jan 2020 0739; Mon 20 Jan 2020 0802
Distribution: World
Auth: psz@asti.maths.usyd.edu.au

Unikey login and /loc/ objects

Changed, new:
 - SAML and LDAP authentication
 - added /1fa/ and /2fa/, requiring password or 2FA
 - better wording (and explanation of "currently enrolled")

---

Many web pages are accessible to anyone in the world. Sometimes it makes
sense to restrict access, and some of our webpages are only accessible
"internally" or via Unikey login when accessed from "outside" (and some
are not accessible to undergrads even when inside).

For example, lecturers may make web material available to students,
in a way that would not be accessible to the world (e.g. when you are
concerned with intellectual rights).

You can specify the following levels of access for any web page:

/2fa/
/1fa/
/staff/ - restricted to Maths staff and/or postgrads, honours etc, but
   not accessible to undergrads (similar to who can access tutsols).
   Using /1fa/ is stronger: it requires a password login (e.g. Unikey,
   or dora or Windows PC login), not simply accepting laptop users.
   Using /2fa/ is stronger still: it requires two-factor authentication
     http://www.maths.usyd.edu.au/u/psz/ssh-howto.html#setup2fa
   (with skeys or GoogleAuthenticator, same as ssh) when accessed from
   outside the School.

/priv/ - restricted to Maths staff/postgrads/honours, and to undergrads in
   some UoS: if the URL also contains a UoS code (e.g. contains /MATH1001/)
   then access is also allowed to students currently enrolled in that UoS;
   otherwise it restricts the same as /staff/, to all staff and no students.
   Students enrolled in an "advanced" course can also access the "normal"
   course's webpages, e.g.:
     MATH2970 students can access MATH2070
     OLET1625 students can access OLEO1624
   (but not the other way around).
   (Should be named /mystudent/ or /myuos/ or somesuch.)

/loc/ - restricted to Maths people, whether staff or undergrads:
   accessible to Maths staff/postgrad/honours/etc, and/or to Maths
   undergrad students currently enrolled in some (any) Maths UoS.
   (This is the "traditional" way of restricting "local" access.)

/uni/ - restricted to University people with Unikey, allowing access
   to all Uni staff and students, whether related to Maths or not.
   You may want to use this to avoid issues of newly enrolled students
   not having access for a day or two while their enrolment details
   trickle down to us from SydneyStudent, or outside of semester.
   Beware however that this provides less protection than /loc/ does.

All other pages are open to the world.

To do this (example for /loc/): place the web page within a directory
named "loc", so the path (or URL) becomes something/loc/something; the
"loc" directory may appear anywhere within the path. Then any web access
will require an identified, logged-in, Maths user: this is provided
automatically for "internal" access, and requires a Unikey (SAML, WASM
or LDAP) login when the page is fetched from outside.

For /2fa/, /1fa/, /staff/, /priv/ or /uni/, use a directory of that name.

Note that "currently enrolled" means enrolled in the current semester,
whether semester 1 or 2, or SummerSchool or WinterSchool.
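An added illustration (not the School's web server code) of the access levels above as a policy check: given a request path and a user record, it finds the marker directory and applies the /2fa/ .. /uni/ rules, including the "advanced course grants normal course" mapping. The User fields, the auth strength names, the UoS code shape, and the choice that the strictest marker wins when several appear in one path are all my assumptions.

```python
import re
from dataclasses import dataclass, field

LEVELS = ["2fa", "1fa", "staff", "priv", "loc", "uni"]        # strictest first (assumed order)
ADVANCED = {"MATH2970": "MATH2070", "OLET1625": "OLEO1624"}    # advanced -> normal, from the page
UOS_RE = re.compile(r"^[A-Z]{4}\d{4}$")                        # UoS code shape (assumed)

@dataclass
class User:
    category: str                      # "staff", "postgrad", "honours", "undergrad" or "other"
    maths: bool = False                # Maths person, as opposed to other Uni staff/student
    enrolled: set = field(default_factory=set)   # UoS codes currently enrolled in
    auth: str = "none"                 # "none", "internal", "password" or "2fa"
    outside: bool = True               # request comes from outside the School

def restriction(path):
    """Strictest marker directory found anywhere in the path, or None if open."""
    parts = set(path.split("/"))
    return next((lvl for lvl in LEVELS if lvl in parts), None)

def effective_uos(user):
    """Enrolments plus the 'normal' course that each 'advanced' enrolment also grants."""
    return user.enrolled | {ADVANCED[c] for c in user.enrolled if c in ADVANCED}

def allowed(user, path):
    lvl = restriction(path)
    if lvl is None:
        return True                                   # open to the world
    if user.auth == "none":
        return False                                  # every level needs an identified user
    if lvl == "uni":
        return True                                   # any Unikey holder, Maths or not
    senior = user.maths and user.category in ("staff", "postgrad", "honours")
    undergrad = user.maths and user.category == "undergrad"
    if lvl == "loc":
        return senior or (undergrad and bool(user.enrolled))
    if lvl == "priv":
        in_url = {p for p in path.split("/") if UOS_RE.match(p)}
        return senior or (undergrad and bool(in_url & effective_uos(user)))
    if not senior:
        return False                                  # /staff/, /1fa/, /2fa/: no students
    if lvl == "staff":
        return True                                   # "internal" identification is enough
    if lvl == "2fa" and user.outside:
        return user.auth == "2fa"
    return user.auth in ("password", "2fa")           # /1fa/, or /2fa/ from inside
```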

---

Note about SAML, WASM and LDAP

SAML and WASM are single-sign-on (SSO) services, and may let the user
in, without a further Unikey and password prompt, when already logged in
to another of their client services e.g. Canvas, myUni, Office365 or
staff intranet etc.

Many years ago, the Uni implemented the WASM (Web Authentication and
Session Manager) SSO service (written by ICT people):
  http://web.archive.org/web/20040113091133/http://www.usyd.edu.au/is/comms/doc/wasm/
The Uni is now deprecating WASM: partly because all good people
left ICT so they are unable to maintain it; partly because they think
that some upcoming IdM (Identity Management) systems will need features
that WASM cannot provide; and really, because SAML is some humungously
over-complicated open "standard" (but adopted by many e.g. Microsoft,
and with some non-free implementations):
  http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
The Uni has plans to remove WASM altogether in the next couple of years;
until then, it will use these two incompatible systems.

There are also many Uni websites that do NOT use either of these two SSO
systems. That is cumbersome for users who need to keep logging in to all
those systems; and is "phishers heaven", with scammers more likely to
trick people into giving up their passwords to their fake login prompts.
Still, Maths should not be any lesser than myHR or SydneyStudent, so we
offer a direct LDAP login also.

---

Note for developers/owners of /ub/ CGI scripts: an HTTP header of the
form "SMS-User: psz" is passed to scripts when restricted as above.
The script will see this as the environment variable HTTP_SMS_USER.
The value of this header is the Maths login name for /loc/ or higher.
For /uni/ it is the Maths login name, or 0-Unikey for non-Maths people
(e.g. for students who are not currently enrolled), or 1-MathsLogin when
accessed from zeno by a student who is not currently enrolled (but
already or still with a zeno login account).
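As an added example (not code from the page or from the School's /ub/ scripts), a minimal Python CGI handler that reads HTTP_SMS_USER and tells the three forms of the header value apart; the 200/403 responses and the environment-dict parameter are my own choices, and the script only sees the header when it sits under a restricted directory as described above.

```python
import os
import sys

def classify_sms_user(value):
    """Return (kind, name) for an SMS-User header value, per the forms above."""
    if not value:
        return ("none", None)            # no header: script is not under a restricted directory
    if value.startswith("0-"):
        return ("unikey", value[2:])     # Uni person without a Maths login (e.g. not enrolled)
    if value.startswith("1-"):
        return ("zeno", value[2:])       # zeno account holder who is not currently enrolled
    return ("maths", value)              # plain Maths login name (/loc/ or higher)

def respond(environ):
    """Build (status, body) for the request; only Maths logins get the page."""
    kind, name = classify_sms_user(environ.get("HTTP_SMS_USER"))
    if kind == "maths":
        return ("200 OK", "Hello %s, you are logged in with a Maths account.\n" % name)
    if kind == "none":
        return ("403 Forbidden", "No SMS-User identity: is this script under /loc/?\n")
    return ("403 Forbidden", "Sorry %s (%s): a Maths login is required here.\n" % (name, kind))

if __name__ == "__main__":               # run as a CGI: the server supplies HTTP_SMS_USER
    status, body = respond(os.environ)
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s" % (status, body))
```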

---

Above it says "all other pages are open to the world", though other
restrictions may be implemented (e.g. via SMS-User as above).
The main ones are:
 - WeBWorK pages http://www.maths.usyd.edu.au/webwork2/ are available to
   staff and currently enrolled students, more-or-less as /priv/.
 - The Maths archives http://www.maths.usyd.edu.au/a/ are available to
   staff and past students, more-or-less as /priv/ but for past enrolments.
