SMS scnews item created by Paul Szabo at Wed 4 Jul 2007 1325
Type: Info
Modified: Wed 25 Jul 2007 0727; Tue 4 Apr 2017 1229; Thu 27 Jul 2017 0830; Wed 13 Dec 2017 0933; Fri 29 Mar 2019 0826; Mon 15 Apr 2019 1948; Sun 19 Jan 2020 2045; Sun 19 Jan 2020 2058; Mon 20 Jan 2020 0739; Mon 20 Jan 2020 0802; Wed 17 Mar 2021 1058; Mon 26 Apr 2021 0858; Sat 14 Aug 2021 1826
Distribution: World
Auth: psz@asti.maths.usyd.edu.au

Unikey login and /loc/ objects

Many web pages are accessible to anyone in the world. Sometimes it makes
sense to restrict access, and some of our webpages are only accessible
"internally" or via Unikey login when accessed from "outside" (and some
are not accessible to undergrads even when inside).

For example, lecturers may make web material available to students,
in a way that would not be accessible to the world (e.g. when you are
concerned with intellectual rights).

You can specify the following levels of access for any web page:

/2fa/
/1fa/
/staff/ - restricted to Maths staff and/or postgrads honours etc, but
   not accessible to undergrads (similar to who can access tutsols).
   Using /1fa/ is stronger, requires password access (e.g. Unikey, or
   dora or Windows PC login, not simply accepting laptop users).
   Using /2fa/ is stronger still, requires two-factor authentication
   when accessed from outside the School; we accept Okta MFA logins;
   or via
     http://www.maths.usyd.edu.au/u/psz/ssh-howto.html#setup2fa
   (with skeys or GoogleAuthenticator, same as ssh).

/priv/ - restricted to Maths staff/postgrads/honours and undergrads in
   some UoS: if the URL also contains an UoS (e.g. contains /MATH1001/
   or /yyyySs-MATH1001/) then allows access also to students currently
   enrolled in that UoS (if that yyyySs is the current semester),
   otherwise restricts same as /staff/ to all staff and no students.
   Students enrolled in an "advanced" course can also access "normal"
   webpages e.g.:
     MATH2970 students can access MATH2070
     OLET1625 students can access OLEO1624
   (but not the other way around).
   (Should be named /mystudent/ or /myuos/ or somesuch.)
   As per our conventions (in timetabling), SummerSchool is semester 4
   and WinterSchool is semester 5.

/loc/ - restricted to Maths people, whether staff or undergrads:
   accessible to Maths staff/postgrad/honours/etc, and/or to Maths
   undergrad students currently enrolled in some (any) Maths UoS.
   (This is the "traditional" way of restricting "local" access.)

/uni/ - restricted to University people with Unikey, allowing access
   to all Uni staff and students, whether related to Maths or not.
   You may want to use this to avoid issues of newly enrolled students
   not having access for a day or two while their enrolments details
   trickle down to us from SydneyStudent, or outside of semester.
   Beware however that this provides less protection than /loc/ does.

All other pages are open to the world.

To do this (example for /loc/): place the web page within a directory
named "loc", so the path (or URL) becomes something/loc/something; the
"loc" directory may appear anywhere within the path. Then any web access
will require an identified, logged-in, Maths user: automatically
provided for "internal" access, and to use Unikey (SAML, WASM or LDAP)
login when fetched from outside.

For /2fa/, /1fa/, /staff/, /priv/ or /uni/, use a directory named so.

Note that "currently enrolled" means enrolled in the current semester,
whether semester 1 or 2, or SummerSchool or WinterSchool.

---

Note about Okta, ADFS, WASM and LDAP

Okta, ADFS and WASM are single-sign-on (SSO) services, and may let the
user in, without a further Unikey and password prompt, when already
logged in to another of their client services.

Many years ago, the Uni implemented the WASM (Web Authentication and
Session Manager) SSO service (written by ICT people):
  http://web.archive.org/web/20040113091133/http://www.usyd.edu.au/is/comms/doc/wasm/
Recently, the Uni is deprecating WASM: partly because all good people
left ICT so they are unable to maintain it; partly because they think
that some upcoming IdM (Identity Management) systems will need features
that WASM cannot provide; and really, because SAML is some humungously
over-complicated open "standard" (but adopted by many e.g. Microsoft,
and with some non-free implementations):
  http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
The Uni has plans to remove WASM altogether in the next couple of years;
the WASM configs for Maths were removed in Apr2021.

The first Uni implementation of SAML services was ADFS (sts.sydney);
that is now being gradually replaced by Okta (sso.sydney). Both, as well
as WASM, are in current use; there are also some Uni websites that do
not use either of these SSO systems. It is quite cumbersome for users
to keep logging in to all those systems; and is "phishers heaven", with
scammers more likely to trick people into giving up their passwords to
their fake login prompts.

For the Maths website we now offer (accept) Okta logins only; we used to
offer both WASM and direct LDAP login also, could still offer LDAP.

---

Note for developers/owners of /ub/ CGI scripts: an HTTP header of the
form "SMS-User: psz" is passed to scripts when restricted as above.
The script will see this as the environment variable HTTP_SMS_USER.
The value of this header is the Maths login name for /loc/ or higher.
For /uni/ it is the Maths login name, or 0-Unikey for non-Maths people
(e.g. for students who are not currently enrolled), or 1-MathsLogin when
accessed from zeno by a student who is not currently enrolled (but
already or still with a zeno login account).

---

Above it says "all other pages are open to the world", though other
restrictions may be implemented (e.g. via SMS-User as above).
The main ones are:
 - WeBWorK pages http://www.maths.usyd.edu.au/webwork2/ are available to
   staff and currently enrolled students, more-or-less as /priv/.
 - The Maths archives http://www.maths.usyd.edu.au/a/ are available to
   staff and past students, more-or-less as /priv/ but for past enrolments.

----