This could be improved by a plugin that used their Windows user as a source for single sign-on.
My conclusion is that it is possible to have good integration and ease of use without being insecure.
Sure thing. If you restrict yourself to Internet Explorer, one could use some kind of NTLM/MediaWiki authentication bridge to effective achieve transparent SSO.
I'm just saying that I don't like the idea of letting people say "Oh yeah - I'm that guy" without providing any evidence (password). Even in a corporate environment. But that's just me - I'm paranoid. :)
-- Jim
On 3/9/07, Fernando Correia fernandoacorreia@gmail.com wrote:
2007/3/9, Thomas Dalton thomas.dalton@gmail.com:
Identification implies authentication. Otherwise, how do you
distinguish
between the real PersonA and PersonA's malicious impersonator?
I think the idea is that the only people with access to his wiki are employees, and he trusts them not to impersonate eachother.
One procedure that works well in out environment is this: we use an authentication plugin so that users that are already logged in to our Intranet portal can click on a link that logs them in on the wiki. They are added to the wiki user table on the fly if needed. They don't have to identify themselves again (single sign-on).
If they want to access a wiki page directly through a link, that also works because we used the "remember me" option in the login form that was called behind the scenes.
In the worst case scenario, if the explicitly log out of the wiki and then access a direct link to a page, they have to identify themselves, but just once, because their login will be remembered.
This could be improved by a plugin that used their Windows user as a source for single sign-on.
My conclusion is that it is possible to have good integration and ease of use without being insecure.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l