On Tue, Mar 13, 2012 at 3:32 PM, John Erling Blad <jeblad(a)gmail.com> wrote:
So, since we're discussing SAML and OAuth and OpenID, and such, I
should mention this:
http://simplesamlphp.org/
It supports SAML, OpenID, OAuth, it's extendable and it supports
multiple backends (LDAP, MySQL, etc). It is also localizable.
- Ryan
That one is interesting for the Norwegian Wikipedia community as it
would make it possible to log into Wikipedia from the identity
federation system used in Norwegian schools. That is, we would be able
to block individual students that are trolling instead of whole
schools.
Good to know. :)
There are really two separate things that these systems can do.
The classic OAuth scenario is like this:
site A: Wikipedia
user A
site B: Huggle
Site B initiates a special login on site A using a shared secret; on
success, site A passes back authentication tokens to site B which verify
that user A allowed site B access.
Site B then uses those tokens when it accesses site A, in place of a
username/password directly.
OpenID, SAML, etc. seem to be more appropriate for this scenario:
site A: Wikipedia
site B: University
user B
These systems allow user B to verify their identity to site A; one
possibility is to use this to associate a user A' with the remote user B,
letting you use the remote ID verification in place of a local password
authentication. (This is what our current OpenID extension does, basically.)
These are, IMO, totally separate use cases and I'm not sure they should be
treated the same.
-- brion
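
A simplified model of the first scenario in the message above (site B obtaining tokens from site A with user A's consent), added here as an illustration; it is not code from the thread, MediaWiki or any OAuth library, and it does not follow the OAuth wire format. The class and method names, the HMAC-SHA256 proof and the boolean standing in for user A's approval at site A are assumptions.

```python
import hashlib
import hmac
import secrets

def mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class SiteA:
    """Site A (the wiki). Holds each client's shared secret and the issued tokens."""
    def __init__(self, client_secrets):
        self.client_secrets = client_secrets  # client_id -> shared secret (bytes)
        self.tokens = {}                      # token -> (client_id, user, token_secret)
        self.seen_nonces = set()

    def authorize(self, client_id, nonce, proof, user, user_approves):
        secret = self.client_secrets.get(client_id)
        if secret is None or nonce in self.seen_nonces:
            return None                       # unknown client or replayed login
        if not hmac.compare_digest(mac(secret, nonce), proof):
            return None                       # site B does not hold the shared secret
        self.seen_nonces.add(nonce)
        if not user_approves:                 # assumption: user A decides at site A
            return None
        token, token_secret = secrets.token_hex(16), secrets.token_bytes(32)
        self.tokens[token] = (client_id, user, token_secret)
        return token, token_secret

    def api_request(self, token, action, signature):
        if token not in self.tokens:
            return None                       # never issued, or revoked
        client_id, user, token_secret = self.tokens[token]
        key = self.client_secrets[client_id] + token_secret
        if not hmac.compare_digest(mac(key, action), signature):
            return None                       # request not signed with the grant
        return f"{action} as {user} via {client_id}"

    def revoke(self, token):
        self.tokens.pop(token, None)

class SiteB:
    """Site B (the tool). Never sees user A's password, only the tokens."""
    def __init__(self, client_id, secret):
        self.client_id, self.secret = client_id, secret

    def login(self, site_a, user, user_approves):
        nonce = secrets.token_hex(8)
        return site_a.authorize(self.client_id, nonce, mac(self.secret, nonce), user, user_approves)

    def sign(self, token_secret, action):
        return mac(self.secret + token_secret, action)
```

Because the grant is stored per token at site A, it can be revoked for one tool without changing user A's password or affecting other tools.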