CKAN plugin “cendari”

This plugin is used to enable Shibboleth Authentication including the interfacing with the CENDARI Data API for CKAN. The code is available on GitHub.

About the plugin

The plugin hooks into the authentication dialog. The dialog is extended to include a link to Shibboleth authentication.

If a user vists the login page while being authenticated with Shibboleth, his Shibboleth attributes are sent to the Data API’s POST /session endpoint. Thus user creationg is deferred to the CENDARI Data API and the plugin than simply logs in the user returned by the Data API. In the event that the API does not respond, the plugin checks wheter a CKAN user corresponding to the Shibboleth attributes exists and logs him in directly.

The plugin further supports the promoting of users to sysadmin status, should this be indicated by the Shibboleth attributes. To use the feature, add a line to CKAN’s configuration in the [app:main] section, defining groups to be checked against the user’s isMemberOf attribute:

shibboleth_sysadmin_groups = shib-admins shib-ckan-admins

To facilitate the Single-Sign-On experience, the login page is usually protected on the webserver level and thus never seen by a user. The CKAN internal user management is disabled so that changes can not be made.

Code Documentation

class cendari.plugin.CendariAuthPlugin(**kwargs)

Bases: ckan.plugins.core.SingletonPlugin

Main plugin class implemeting IConfigurer and IAuthenticator.

abort(status_code, detail, headers, comment)

Simply passes through an abort.




Extracts the logged in user from the pylons session.


Performs the actual login: takes Shibboleth data found by get_shib_data() and sends it to the CENDARI Data API.

The user returned by the API is logged in and the plugin verifies the sysadmin status against the Shibboleth data.

If the API does not respond, but a user with the right mail address exists in CKAN, this user is logged in.

Finally, a pylons session is created for session management.


Log out the user by destroying the pylons session and redirecting to Shibboleth logout.


Add our extended login form template with Shibboleth link to CKAN’s toolkit.


Extracts full name, email address and ePPN from Shibboleth data.

Returns:user_dict containing the data or None if no Shibboleth data is found.
cendari.plugin.verify_sysadmin_status(self, api_username)

Checks the shibboleth data for sysadmin privileges and grants or revokes them in CKAN accordingly.