Various people have discussed the desirability of single-sign-on for Mediawiki installations. I'm interested in the same thing and have been working on that for a little bit.
So far: "It's working!" for 1.5rc4 ;-)
My questions: 1) Is there any place where people interested in this subject "hang out"? (like a wiki page somewhere, ...?) 2) Is this the right mailing list to discuss this?
Thanks,
Johannes.
Johannes Ernst
On 05/10/05, Johannes Ernst jernst+wikipedia.org@netmesh.us wrote:
Various people have discussed the desirability of single-sign-on for Mediawiki installations.
My questions:
- Is there any place where people interested in this subject "hang
out"? (like a wiki page somewhere, ...?)
Well, there's been a lot of discussion on "meta" - e.g. http://meta.wikimedia.org/wiki/Single_login - but most of it's been to-ing and fro-ing about how to transition all the existing wikis, rather than problems with implementing it per se...
- Is this the right mailing list to discuss this?
I'd have thought so - there's mediawiki-l for mainly "end user" type issues, and this one for more "nitty gritty" issues. The distinction's not very clear, though, and this kind of overlaps, really.
-- Rowan Collins BSc [IMSoP]
- Is this the right mailing list to discuss this?
According to http://en.wikipedia.org/wiki/Wikipedia:Mailing_lists, this list is "for any WikiMedia development issues, technical discussions, ..." which is what I'd like to discuss.
MediaWiki-l seems to be "for people with questions about their own installation of MediaWiki" which isn't really what I have in mind.
Johannes Ernst
On 05/10/05, Johannes Ernst jernst+wikipedia.org@netmesh.us wrote:
- Is this the right mailing list to discuss this?
According to http://en.wikipedia.org/wiki/Wikipedia:Mailing_lists, this list is "for any WikiMedia development issues, technical discussions, ..." which is what I'd like to discuss.
Hm... note that "Wikimedia" (a foundation, and the projects it runs) is not the same as "MediaWiki" (a piece of software). Whenever I see "WikiMedia", I suspect something of getting mangled, or somebody of getting confused, because the foundation doesn't capitalise itself that way, so it's like a cross between the two(!) See http://meta.wikimedia.org/wiki/Names
-- Rowan Collins BSc [IMSoP]
I heard three different views on SSO wrt MediaWiki/WikiPedia so far:
1) The different Wikipedia sites (e.g. en.wikipedia.org and de.wikipedia.org) should require a user only to log on once. Once logged on the user should be known across those Wikipedia sites (and only those).
2) A MediaWiki installation (e.g. in an enterprise) would like the MediaWiki user management subsystem to participate in an SSO environment (e.g. an enterprise single-sign-on system). Auth_Plugin.php and various LDAP projects seem to have made some headway there.
3) A Wikipedia user (and any MediaWiki user) should be able to "bring their own" identity, which MediaWiki software should recognize. The advantage of this is that it includes the previous two items as special cases -- and because there's nothing special about Mediawiki with respect to logins: every website has that problem, and would like the problem to go away.
I'm interested in #3, specifically using URL-based personal digital identities (such as the URL of their blog). How would one practically go about doing this? [I'm new to how the wikipedia software projects typically work out]
Some background is here: http://cis-berkman.editme.com/ http://openid.net/ http://lid.netmesh.org/wiki/Main_Page
Thank you,
Johannes Ernst
Hi Johannes,
I'm not part of the core development team (in fact, I've only submitted a couple relatively insignificant patches). However, this is an issue I've been tracking pretty closely. Nevertheless, don't take this as anything other than as the very possibly incorrect observations of a fringe participant.
The SSO activity has been somewhat dormant for a couple months now, but it probably can be resurrected if someone (you?) volunteers to shepherd the effort. My understanding is that Brion would like to implement an AuthPlugin for SSO. OpenID/LID/etc would probably be a phase two sorta thing; phase one is reserved for intra-Wikimedia SSO.
If someone (you?) were to say, implement a LID server and client for MediaWiki, that would give it a big head start over other potential solutions. It wouldn't be the simplest solution to intra-Wikimedia SSO, but it would work, assuming that the LID libraries are mature enough to deal with Wikimedia's demands. If such a solution were to get substantial testing outside of the Wikimedia realm of servers, that would be a big argument for the maturity of the solution.
I myself was working on this type of thing a lot more a couple of months ago, but put that work on hold to work on a MediaWiki election plugin I'm close to releasing. I'll eventually want to return to auth work, but don't see that happening in the next month or two.
Rob
On Wed, 2005-10-05 at 12:55 -0700, Johannes Ernst wrote:
I heard three different views on SSO wrt MediaWiki/WikiPedia so far:
- The different Wikipedia sites (e.g. en.wikipedia.org and
de.wikipedia.org) should require a user only to log on once. Once logged on the user should be known across those Wikipedia sites (and only those).
- A MediaWiki installation (e.g. in an enterprise) would like the
MediaWiki user management subsystem to participate in an SSO environment (e.g. an enterprise single-sign-on system). Auth_Plugin.php and various LDAP projects seem to have made some headway there.
- A Wikipedia user (and any MediaWiki user) should be able to "bring
their own" identity, which MediaWiki software should recognize. The advantage of this is that it includes the previous two items as special cases -- and because there's nothing special about Mediawiki with respect to logins: every website has that problem, and would like the problem to go away.
I'm interested in #3, specifically using URL-based personal digital identities (such as the URL of their blog). How would one practically go about doing this? [I'm new to how the wikipedia software projects typically work out]
Some background is here: http://cis-berkman.editme.com/ http://openid.net/ http://lid.netmesh.org/wiki/Main_Page
Thank you,
Johannes Ernst
Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
Hi Rob,
The SSO activity has been somewhat dormant for a couple months now, but it probably can be resurrected if someone (you?) volunteers to shepherd the effort.
As it turns out, Dan Libby of videntity.org just 20 minutes ago published a MediaWiki patch to allow for OpenID-based SSO.
http://wiki.www.videntity.org/wiki/MediaWiki_OpenID_Patch
If someone (you?) were to say, implement a LID server and client for MediaWiki, that would give it a big head start over other potential solutions.
You are probably right, but from my perspective, this isn't a matter of a "land grab" before "the other guy" gets too much market share with their protocol, whatever it may be ;-) [I might be exaggerating your point here ...]
In my mind, the question is "what can we do to reduce the number of usernames and passwords that users have to use, how can we increase user convenience, how can we reduce spam and other bad stuff, how can we build cool new social stuff" on top of what hopefully will be a globally interoperable, privacy-protected, user-controlled identity infrastructure that pretty much everybody can buy into. We're trying to proactively do our part here ...
It wouldn't be the simplest solution to intra-Wikimedia SSO, but it would work, assuming that the LID libraries are mature enough to deal with Wikimedia's demands. If such a solution were to get substantial testing outside of the Wikimedia realm of servers, that would be a big argument for the maturity of the solution.
You are making a good point, and this is one of the reasons I posted to the list here -- how would one get any of this deployed with acceptably low risk to the operation of wikipedia? And for my own better understanding: how has that been done in the past by this project?
Cheers,
Johannes Ernst
Johannes Ernst wrote:
Various people have discussed the desirability of single-sign-on for Mediawiki installations. I'm interested in the same thing and have been working on that for a little bit.
So far: "It's working!" for 1.5rc4 ;-)
Well there is some code for single signon already, committed in August 2004 (so most probably available since 1.4.x).
The parameter is $wgSharedDB , should be set to a database name in which is a shared 'user' table. Seems experimental (read: wikipedia does not use it).
The code from HEAD includes/Database.php :
    function tableName( $name ) {
        <snip>
        if ( isset( $wgSharedDB ) && "{$this->mTablePrefix}user" == $name ) {
            # The 'user' table is read from the shared database
            $name = "`$wgSharedDB`.`$name`";
        } else {
            # Standard quoting
            $name = "`$name`";
        }
        <snip>
        return $name;
    }
My questions:
- Is there any place where people interested in this subject "hang
out"? (like a wiki page somewhere, ...?) 2) Is this the right mailing list to discuss this?
You can find some kind of hackers in the MediaWiki-l mailing list, most developers read it and _at least_ Brion (our release manager) answers ;)
You are actually posting on wikitech-l which is for WikiMedia setup issues (same people, different issues).
cheers,
Ashar Voultoiz <hashar@...> writes:
Johannes Ernst wrote:
Various people have discussed the desirability of single-sign-on for Mediawiki installations. I'm interested in the same thing and have been working on that for a little bit.
So far: "It's working!" for 1.5rc4
Well there is some code for single signon already, committed in August 2004 (so most probably available since 1.4.x).
The parameter is $wgSharedDB , should be set to a database name in which is a shared 'user' table. Seems experimental (read: wikipedia does not use it).
The code from HEAD includes/Database.php :
    function tableName( $name ) {
        <snip>
        if ( isset( $wgSharedDB ) && "{$this->mTablePrefix}user" == $name ) {
            # The 'user' table is read from the shared database
            $name = "`$wgSharedDB`.`$name`";
        } else {
            # Standard quoting
            $name = "`$name`";
        }
        <snip>
        return $name;
    }
My questions:
- Is there any place where people interested in this subject "hang
out"? (like a wiki page somewhere, ...?) 2) Is this the right mailing list to discuss this?
You can find some kind of hackers in the MediaWiki-l mailing list, most developers read it and _at least_ Brion (our release manager) answers ;)
You are actually posting on wikitech-l which is for WikiMedia setup issues (same people, different issues).
cheers,
There is also the possibility of using LDAP as an authentication source, and pointing wikis at the LDAP servers. It is possible to break up the LDAP structure into multiple OUs or domains (with OUs being preferred) for transitional purposes.
Using LDAP could also move the authentication load off the databases, and onto the LDAP servers.
I have written a patch for MediaWiki that supports the multiple domain model (but could be extended for the multiple OU model). It is currently most useful for small to large sized internal wikis, but with some tweaking could work in much larger situations. This patch is currently being used for authentication only, but people are adding support for group based authorization, and user based rights.
I'm not trying to push this as a definite solution, but definitely as a possible solution.
V/r,
Ryan Lane
wikitech-l@lists.wikimedia.org