On Tue, Mar 13, 2012 at 3:32 PM, John Erling Blad jeblad@gmail.com wrote:
So, since we're discussing SAML and OAuth and OpenID, and such, I should mention this:
It supports SAML, OpenID, OAuth, it's extendable and it supports multiple backends (LDAP, MySQL, etc). It is also localizable.
- Ryan
That one is interesting for the Norwegian Wikipedia community as it would make it possible to log into Wikipedia from the identity federation system used in Norwegian schools. That is, we would be able to block individual students that are trolling instead of whole schools.
Good to know. :)
There are really two separate things that these systems can do.
The classic OAuth scenario is like this:
site A: Wikipedia
user A
site B: Huggle
Site B initiates a special login on site A using a shared secret; on success, site A passes back authentication tokens to site B which verify that user A allowed site B access.
Site B then uses those tokens when it accesses site A, in place of a username/password directly.
OpenID, SAML, etc. seem to be more appropriate for this scenario:
site A: Wikipedia
site B: University
user B
These systems allow user B to verify their identity to site A; one possibility is to use this to associate a user A' with the remote user B, letting you use the remote ID verification in place of a local password authentication. (This is what our current OpenID extension does, basically.)
These are, IMO, totally separate use cases and I'm not sure they should be treated the same.
-- brion
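
The delegated-access scenario described in the message above (site B gets a token from site A and uses it in place of user A's password), as an added example that is not part of the thread and is not MediaWiki or OAuth library code. The `SiteA` class, its methods and the `"huggle"` client id are hypothetical, and an HMAC-SHA256 over a nonce stands in for the real OAuth signature scheme.

```python
import hashlib
import hmac
import secrets

def sign(secret, nonce):
    """Site B proves knowledge of the shared secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class SiteA:
    """Constructed stand-in for site A (the wiki); not a real OAuth server."""
    def __init__(self):
        self.client_secrets = {}  # client_id -> secret shared with site B
        self.pending = {}         # request id -> client_id awaiting approval
        self.tokens = {}          # token -> (user, client_id) it was granted to

    def register_client(self, client_id):
        self.client_secrets[client_id] = secrets.token_bytes(32)
        return self.client_secrets[client_id]

    def start_login(self, client_id, nonce, sig):
        """Site B initiates the special login using the shared secret."""
        key = self.client_secrets.get(client_id)
        if key is None or not hmac.compare_digest(sign(key, nonce), sig):
            return None  # unknown client or bad signature
        req = secrets.token_hex(8)
        self.pending[req] = client_id
        return req

    def user_approves(self, req, user):
        """User A approves at site A; the password never reaches site B."""
        client_id = self.pending.pop(req, None)  # single use
        if client_id is None:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (user, client_id)
        return token

    def api_call(self, token, client_id):
        """Site B presents the token in place of a username/password."""
        grant = self.tokens.get(token)
        if grant is None or grant[1] != client_id:
            return None  # token is bound to the client it was issued to
        return grant[0]

def demo():
    a = SiteA()
    secret = a.register_client("huggle")
    nonce = secrets.token_bytes(16)
    rejected = a.start_login("huggle", nonce, sign(b"wrong", nonce))
    req = a.start_login("huggle", nonce, sign(secret, nonce))
    token = a.user_approves(req, "UserA")
    return a.api_call(token, "huggle"), rejected, a.api_call(token, "other")
```

The sketch omits nonce replay tracking, token expiry and revocation, which a real deployment needs.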