Greg,
Thanks for the notes, they provide a great background. (I'm replying to this note so it can get in the list archive...because Greg's post below did not appear to make it to the archive in a timely manner.)
-Matt
At 3/25/2006 11:30 AM, Gregory Szorc wrote:
There are multiple ways to implement single sign-on (SSO). The way you describe, a user goes to a URL, signs in, and gets logged in to other applications right there and then using HTTP calls on behalf of a user. This is pretty insecure and a pain to implement. It also doesn't scale very well.
Another way to implement single sign-on is with a single sign-on server, which has a single sign-on protocol. When a user logs in to any application using SSO, they get whisked away to the SSO server. If they aren't logged in to the server, they get prompted for their credentials. When they are logged in, they get signed in to the desired application.
As for SSO servers, I recommend CAS (http://www.ja-sig.org/products/cas/). It has clients for almost every language, including PHP, and the protocol is simple enough to create clients in other languages. I have successfully deployed MediaWiki behind it. It shouldn't be difficult getting it to work with the other applications either.
Gregory Szorc gregory.szorc@case.edu
Matt England wrote:
Summary: How to automate single-sign-on across multiple apps...on the MediaWiki-side of things?
Details: My project is making a collaboration web server that includes MediaWiki, Bugzilla, phpBB forums, and other web-based applications. We are trying to make our own single-login mechanism for all these apps.

We appear to have an LDAP-based "back end" account database working for the above apps, and we think we can make our own "one-stop" registration page form where a user can register once and instantly get accounts on all the above apps.

The trickier part: How can we make a one-stop *login* page (different from registration page) that can automatically log in said user to all the above apps, so they don't have to log in manually to each one separately?

We presume we have to provide some sort of automation to make the above apps auto-download cookies to the client browser for each app. A coworker of mine suggested some sort of "front end" form that passes login/password parameters to the "back end" forms to do this, automatically. I think he referred to this as "screen scraping" (although I'm not sure of the nature or the meaning of that term). Further, I'm not sure I'm thrilled about having the password flying inside my server via a URL, but alas it's an SSL-wrapped session, so maybe it doesn't matter.

In any case, I'm looking for suggestions on how to do this for MediaWiki.

Thanks for any help,
-Matt
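The redirect-based flow Gregory describes, sketched from the application's side as an added example that is not part of the original thread or of any CAS client library. It uses the CAS 2.0 /login and /serviceValidate endpoints; the server URL, application URL, ticket and sample responses are constructed assumptions. The application never handles the password, only a ticket it checks with the SSO server.

```python
# Added example: application side of a CAS 2.0 login, standard library only.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://sso.example.org/cas"        # assumed CAS server URL
SERVICE = "https://wiki.example.org/index.php"  # assumed application URL
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 XML namespace


def login_redirect_url():
    """Where the application sends a browser that has no local session."""
    return CAS_BASE + "/login?" + urlencode({"service": SERVICE})


def validation_url(ticket):
    """Back-channel URL the application fetches to check a ticket."""
    return CAS_BASE + "/serviceValidate?" + urlencode(
        {"service": SERVICE, "ticket": ticket})


def parse_validation(xml_text):
    """Return the username on success; raise on failure or odd input."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("malformed CAS response") from exc
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        # Fail closed: the error code becomes the exception message.
        raise PermissionError(failure.get("code", "UNKNOWN"))
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        raise ValueError("no user in CAS response")
    return user.text.strip()


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>matt</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url())
    print(validation_url("ST-constructed-1"))
    print(parse_validation(SAMPLE_OK))
```

The application creates its own session cookie only after parse_validation returns a username; the response body would come from an HTTPS fetch of validation_url with certificate checking left on.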