AtoM plugin: sfDariahShibUserPlugin

This plugin is used to enable Shibboleth Authentication in AtoM. The code is available on GitHub.

About the plugin

The plugin hooks into the authentication dialog, which is only shown on the dedicated login page /user/login and, assuming the webserver requires Shibboleth authentication for this page, upon visiting the url the Shibboleth data is used to authenticate the user to AtoM.

User rights are mapped based on the configuration file apps/qubit/config/app.yml. All CENDARI project members are given contributer status, while archivists and historians are granted editor status.

To facilitate the Single-Sign-On experience, a number of upstream templates is overwritten:

  • The menu template _userMenu is changed to remove the drop-down login menu.
  • The user templates editSuccess and indexSuccess are replaced by simplified versions that remove the password handling from the user interface.
  • The user template loginSuccess is replaced to remove login dialogs on pages other than the dedicated login page, which could appear on session timeout. In this case the user is redirected to the login page.

Code Documentation

Plugin Configuration

class sfDariahShibUserPluginConfiguration
Main Plugin Class for enabling Shibboleth authentication for AtoM.
property $summary

Short summary for display in AtoM interface.

property $version

Current version.


Load additional css file for new login link.


Upon initialization, set plugin to active and inject our login class sfDariahShibUser into the config

Extending the login page

class UserLoginAction
Overwrites upstream class to inject Shibboleth handling and pass request down to authentication class.

Renders the login dialog, calls the login action if Shibboleth data is present or POST data is sent as a fall back, redirects the user after successful authentication

  • $request (sfWebRequest) – The current web request.


Performing login and account creation

class sfDariahShibUser
User Class handling authentication and user creation from Shibboleth data.

Performs the actual authentication, calling parent if web request’s data is missing

  • $usermail (string) – the mail address of the user to authenticate (entered or from Shibboleth)
  • $password (string) – the password entered into the login form, empty in case of Shibboleth
  • $request (sfWebRequest) – the current web request

Creates a new AtoM user from Shibboleth data and assignes a random password

  • $request (sfWebRequest) – the current web request

QubitUser $user The newly created user.


Updates user’s access privileges from Shibboleth data

  • $user (QubitUser) – the current user
  • $request (sfWebRequest) – the current web request

Generate a username from the Shibboleth ePPN

  • $request (sfWebRequest) – the current web request

string $username the local part of the ePPN as username


Generates a random 25 character password. An additonal prepended string ensures compliance with tightend AtoM security policy.

Returns:string $andom String to be used as password.