Greg,
Thanks for the notes, they provide a great background. (I'm replying to this
note so it can get in the list archive...because Greg's post below did not
appear to make it to the archive in a timely manner.)
-Matt
At 3/25/2006 11:30 AM, Gregory Szorc wrote:
There are multiple ways to implement single sign-on (SSO). The way you
describe, a user goes to a URL, signs in, and gets logged in to other
applications right there and then using HTTP calls on behalf of a
user. This is pretty insecure and a pain to implement. It also doesn't
scale very well.
Another way to implement single sign-on is with a single sign-on server,
which has a single sign-on protocol. When a user logs in to any
application using SSO, they get whisked away to the SSO server. If they
aren't logged in to the server, they get prompted for their
credentials. When they are logged in, they get signed in to the desired
application.
As for SSO servers, I recommend CAS (http://www.ja-sig.org/products/cas/).
It has clients for almost every
language, including PHP, and the protocol is simple enough to create
clients in other languages. I have successfully deployed MediaWiki behind
it. It shouldn't be difficult getting it to work with the other
applications either.
Gregory Szorc
gregory.szorc(a)case.edu
Matt England wrote:
>Summary:
>How to automate single-sign-on across multiple apps...on the
>MediaWiki-side of things?
>
>Details:
>My project is making a collaboration web server that includes MediaWiki,
>Bugzilla, phpBB forums, and other web-based applications.
>We are trying to make our own single-login mechanism for all these
>apps. We appear to have an LDAP-based "back end" account database
>working for the above apps, and we think we can make our own "one-stop"
>registration page form where a user can register once and instantly get
>accounts on all the above apps.
>The trickier part:
>How can we make a one-stop *login* page (different from registration
>page) that can automatically login said user to all the above apps, so
>they don't have to login manually to each one separately?
>We presume we have to provide some sort of automation to make the above
>apps auto-download cookies to the client browser for each app.
>A coworker of mine suggested some sort of "front end" form that passes
>login/password parameters to the "back end" forms to do this,
>automatically. I think he referred to this as "screen scraping"
>(although I'm not sure of the nature or the meaning of that
>term). Further, I'm not sure I'm thrilled about having the password
>flying inside my server via a URL, but alas it's an SSL-wrapped session,
>so maybe it doesn't matter.
>In any case, I'm looking for suggestions on how to do this for MediaWiki.
>Thanks for any help,
>-Matt
>_______________________________________________
>MediaWiki-l mailing list
>MediaWiki-l(a)Wikimedia.org
>http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
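An added example (not CAS, MediaWiki or either poster's code) that models the redirect-based flow Greg describes and shows why it avoids the password-forwarding problem Matt worries about: the application never sees the password, only a short-lived, single-use service ticket that it validates server-to-server with the SSO server. Class and function names, the ticket format and the 10-second lifetime are assumptions.

```python
# Minimal model of a CAS-style SSO exchange (simplified; names/TTL are assumptions).
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL = 10  # seconds a service ticket stays valid (assumed value)

class SSOServer:
    def __init__(self, users):
        self.users = users      # {username: password}, constructed sample data
        self.sessions = {}      # SSO session cookie (TGT) -> username
        self.tickets = {}       # service ticket -> (username, service, issued_at)

    def login(self, username, password, service):
        """Credential prompt: only the SSO server ever handles the password."""
        if self.users.get(username) != password:
            return None, None
        tgt = secrets.token_urlsafe(16)
        self.sessions[tgt] = username
        return tgt, self.issue_redirect(tgt, service)

    def issue_redirect(self, tgt, service):
        """Browser arrives at /login?service=... holding its SSO cookie: no prompt."""
        user = self.sessions.get(tgt)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, time.time())
        return service + "?" + urlencode({"ticket": st})

    def validate(self, ticket, service):
        """Ticket is single-use (popped), bound to one service URL, and short-lived."""
        user, bound, issued = self.tickets.pop(ticket, (None, None, 0))
        if user is None or bound != service or time.time() - issued > TICKET_TTL:
            return None
        return user

def app_login(sso, service, redirect_url):
    """Application side: extract the ticket and ask the SSO server who it belongs to.
    The app only ever handles the opaque ticket, never the user's password."""
    parsed = urlparse(redirect_url)
    if parsed.scheme + "://" + parsed.netloc + parsed.path != service:
        return None  # ticket was issued for some other application
    ticket = parse_qs(parsed.query).get("ticket", [None])[0]
    return sso.validate(ticket, service) if ticket else None
```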