CKAN plugin “dariahshibboleth”

This plugin is used to enable Shibboleth Authentication in CKAN. The code is available on GitHub.

About the plugin

The plugin hooks into the authentication dialog. The dialog is extended to include a link to Shibboleth authentication.

If a user visits the login page while authenticated with Shibboleth, he is logged in to CKAN. If the user does not yet exist in CKAN, an account is created.

On every login, the user’s mail address and full name are matched to the Shibboleth data and updated if necessary.

To facilitate the Single-Sign-On experience, the login page is usually protected on the webserver level and thus never seen by a user. The CKAN internal user management is disabled so that changes cannot be made.

Code Documentation

class dariahshibboleth.plugin.DariahShibbolethPlugin(**kwargs)

Bases: ckan.plugins.core.SingletonPlugin

Main plugin class implementing IConfigurer and IAuthenticator.

abort(status_code, detail, headers, comment)

Simply passes through an abort.




Extracts the logged in user from the pylons session.


Performs the actual login, if Shibboleth data is found by get_shib_data().

If a CKAN user with the ePPN does not exist, he is created. Otherwise full name and mail address are updated if necessary.

Finally, a pylons session is created for session management.


Log out the user by destroying the pylons session and redirecting to Shibboleth logout.


Add our extended login form template with Shibboleth link to CKAN’s toolkit.


Returns a valid username by defaulting to the ePPN’s local part. This is not federation-ready!

Parameters: eppn – The ePPN to extract the username from.
Returns: Lower cased local part of ePPN.
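
Why a local-part username is not federation-ready, shown as an added example that is not the plugin's own code: two identity providers can issue the same local part, so distinct ePPNs map to one CKAN username. The function names, the scoped variant and the sample ePPNs are assumptions constructed for illustration.

```python
import re

# Assumption: CKAN user names allow only lowercase ASCII letters, digits, '-' and '_'.
_UNSAFE = re.compile(r"[^a-z0-9_-]")


def split_eppn(eppn):
    """Split an ePPN of the form local@scope; reject anything else."""
    local, sep, scope = eppn.strip().partition("@")
    if not sep or not local or not scope or "@" in scope:
        raise ValueError("malformed ePPN: %r" % eppn)
    return local.lower(), scope.lower()


def username_local_part(eppn):
    """Behaviour described on the page: lower-cased local part only."""
    return split_eppn(eppn)[0]


def username_scoped(eppn):
    """Hypothetical federation-aware variant: keep the scope in the name.

    Sanitising is lossy, so the stored ePPN should still be compared on lookup.
    """
    local, scope = split_eppn(eppn)
    return _UNSAFE.sub("_", local) + "-" + _UNSAFE.sub("_", scope)


def find_collisions(eppns, derive):
    """Group distinct ePPNs that the given derivation maps to one username."""
    seen = {}
    for eppn in eppns:
        seen.setdefault(derive(eppn), set()).add(eppn.strip().lower())
    return {name: sorted(ids) for name, ids in seen.items() if len(ids) > 1}


# Constructed sample identities from two hypothetical identity providers.
SAMPLE_EPPNS = [
    "jdoe@uni-a.example",
    "JDoe@uni-b.example",
    "asmith@uni-a.example",
]

if __name__ == "__main__":
    print(find_collisions(SAMPLE_EPPNS, username_local_part))
    print(find_collisions(SAMPLE_EPPNS, username_scoped))
```

Running `find_collisions` over the ePPNs already seen by a deployment is a quick audit before opening it to more than one identity provider.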

Extracts full name, email address and ePPN from Shibboleth data.

Returns: user_dict containing the data or None if no Shibboleth data is found.

Look up CKAN user by ePPN.

Parameters: eppn – String holding the ePPN to look up.
Returns: user_dict of the user or None.

Create a CKAN style hash from an email.

Parameters: email – The email address to hash.
Returns: hex encoded md5 hash of the normalized email.