The list of functional requirements for FOLIO's SSO integration has been assembled; however, some decisions have to be made before the actual development begins. The primary goal is to support SAML (Shibboleth IdP).
Where should development occur?
There was an initial idea of creating a separate fork of mod-login and implementing an SSO-compatible login layer replacing the current user/password-based authentication.
This, however, has some problems:
- The system is expected to support username/password-based authentication alongside SSO login. Some users are not enlisted as SSO users, but still have to log in to the system.
- SSO login extends mod-login rather than being an alternate implementation. When the user clicks "login via SSO", they are redirected to an IdP login page, and the metadata of the successful login is sent back to a specific FOLIO endpoint. It is not a replacement.
In my opinion, SSO should be a new feature of the existing mod-login module and will be merged once complete. Is it okay to do it like that?
How should the UI handle SSO login?
The following visual requirements need some kind of discovery of the configured SSO settings:
- The "login to SSO" button should only show when an SSO IdP is configured for FOLIO.
- The login button's text should be changeable, or at least the visual name for the SSO endpoint needs to be configurable.
- Where should the configuration values come from? UI-side configuration or something fetched from the backend when the FOLIO UI loads?
- It seems that the login page is currently not a separate module. Is it okay to add SSO-specific functionality to the current location? (Where is it actually?)
- Can Qulto develop the UI additions?