John Erling Blad pointed us to this thread. I was not subscribed to the list, so I'm
sorry that this response probably creates a new thread.
We, UNINETT, operate Feide, the Norwegian Identity Federation for students from lower and
higher education and research institutions in Norway. Feide would allow services, like
Wikipedia, to verify end users (with some additional user data, like userid, email and
name etc) using the SAML 2.0 protocol. The end users will then log in on their institution
login page using their institutional credentials, they will also have single sign-on to
other sites.
We also maintain the software package SimpleSAMLphp, that implements the various roles in
the SAML 2.0 protocol architecture, including support for acting as a Service Provider,
which will be the relevant role for a service like Wikipedia. SimpleSAMLphp is implemented
in PHP, and while we are not maintaining MediaWiki extensions to integrate with others, I
believe others have made some efforts:
http://www.mediawiki.org/wiki/Extension:MultiAuthPlugin
http://www.mediawiki.org/wiki/Extension:SAMLAuth
SimpleSAMLphp is one of many open source products implementing SAML.
We have a good contact network of other educational Identity Federations across the world,
and in particular Europe and US. We have been part of two initiatives for allowing service
providers to connect to a wide range of Identity Federations (at once), including GEANT
eduGAIN and Kalmar2.
http://www.geant.net/service/edugain/pages/home.aspx
https://www.kalmar2.org
Identity Federations, like Feide, can provide:
* verified accounts, something that may help control trolling.
* user convenience of not having to register or maintain another set of credentials, plus
the convenience of SSO.
If you are interested in doing a pilot with connecting Wikipedia to Feide, we may provide
you with further details to proceed with that.
The user centric Identity Federation paradigm, represented by protocols like OpenID (and
others), will (usually) not provide you with verified accounts, but still get you the user
convenience of SSO and re-use of an existing account.
OpenID has gone through a few versions, 1.0 and 2.0, and currently OpenID Connect is being
sorted out. OpenID Connect differs significantly from earlier versions since it is built
upon OAuth (a good thing). We're also a bit involved with the OpenID Connect
standardization. As part of the GÉANT Identity Federation project in collaboration with
Kantara Initiative, we will be responsible for implementing an automated interoperability
test facility for OpenID Connect, like this:
http://www.youtube.com/watch?v=3mGA79T0hPg
OAuth "alone" can not provide authentication of users to Wikipedia from external
sites. But, it can be used to grant a user authorization to Wikipedia content through a
back-channel REST API (without exposing credentials through this API). I believe that was
the idea that this thread started with, which seems like a very good idea, but a very
different idea than offering federated login. OAuth also exists in multiple versions, and
I think it would be recommended to go for OAuth 2.0 for any new projects that have not
supported earlier versions of OAuth.
Andreas Åkre Solberg
UNINETT AS -
http://rnd.feide.no