[Mediawiki-l] How to automate single-sign-on across multiple apps?
Matt England
mengland at mengland.net
Sun Mar 26 06:45:13 UTC 2006
Greg,
Thanks for the notes, they provide a great background. (I'm replying to this
note so it can get in the list archive...because Greg's post below did not
appear to make it to the archive in a timely manner.)
-Matt
At 3/25/2006 11:30 AM, Gregory Szorc wrote:
>There are multiple ways to implement single sign-on (SSO). The way you
>describe, a user goes to a URL, signs in, and gets logged in to other
>applications right there and then using HTTP calls on behalf of a
>user. This is pretty insecure and a pain to implement. It also doesn't
>scale very well.
>
>Another way to implement single sign-on is with a single sign-on server,
>which has a single sign-on protocol. When a user logs in to any
>application using SSO, they get whisked away to the SSO server. If they
>aren't logged in to the server, they get prompted for their
>credentials. When they are logged in, they get signed in to the desired
>application.
>
>As for SSO servers, I recommend CAS
>(http://www.ja-sig.org/products/cas/). It has clients for almost every
>language, including PHP, and the protocol is simple enough to create
>clients in other languages. I have successfully deployed MediaWiki behind
>it. It shouldn't be difficult getting it to work with the other
>applications either.
>
>Gregory Szorc
>gregory.szorc at case.edu
>
>Matt England wrote:
>>Summary:
>>How to automate single-sign-on across multiple apps...on the
>>MediaWiki-side of things?
>>
>>Details:
>>My project is making a collaboration web server that includes MediaWiki,
>>Bugzilla, phpBB forums, and other web-based applications.
>>We are trying to make our own single-login mechanism for all these
>>apps. We appear to have an LDAP-based "back end" account database
>>working for the above apps, and we think we can make our own "one-stop"
>>registration page form where a user can register once and instantly get
>>accounts on all the above apps.
>>The trickier part:
>>How can we make a one-stop *login* page (different from registration
>>page) that can automatically log in said user to all the above apps, so
>>they don't have to log in manually to each one separately?
>>We presume we have to provide some sort of automation to make the above
>>apps auto-download cookies to the client browser for each app.
>>A coworker of mine suggested some sort of "front end" form that passes
>>login/password parameters to the "back end" forms to do this,
>>automatically. I think he referred to this as "screen scraping"
>>(although I'm not sure of the nature or the meaning of that
>>term). Further, I'm not sure I'm thrilled about having the password
>>flying inside my server via a URL, but alas it's an SSL-wrapped session,
>>so maybe it doesn't matter.
>>In any case, I'm looking for suggestions on how to do this for MediaWiki.
>>Thanks for any help,
>>-Matt
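
The redirect-and-ticket flow described in Gregory's reply, sketched from the application's side as an added example (not code from this thread, from CAS or from MediaWiki). The application only ever handles a one-time ticket, so the password goes to the SSO server and nowhere else. The `/login` and `/serviceValidate` endpoints, the `ST-` ticket prefix and the XML namespace follow the CAS 2.0 protocol; the host names, function names and sample responses are constructed for illustration.

```python
# Added example: application side of a CAS 2.0-style ticket exchange.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"         # namespace of CAS 2.0 responses
CAS_BASE = "https://sso.example.org/cas"        # assumed SSO server
SERVICE = "https://wiki.example.org/index.php"  # assumed application URL

# Constructed sample responses (not captured from a real server).
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">unknown ticket</cas:authenticationFailure>
</cas:serviceResponse>"""

class CasError(Exception):
    """Raised whenever the ticket must not be accepted."""

def login_redirect(service=SERVICE):
    """Where the application sends a browser that has no local session."""
    return CAS_BASE + "/login?" + urlencode({"service": service})

def validation_url(ticket, service=SERVICE):
    """URL the application itself fetches over TLS to check the ticket."""
    if not ticket.startswith("ST-"):
        raise CasError("not a service ticket")
    return CAS_BASE + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket})

def parse_validation(xml_text):
    """Return the username the SSO server vouches for, or raise CasError."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise CasError("unexpected DTD in response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasError("malformed response") from exc
    if root.tag != CAS_NS + "serviceResponse":
        raise CasError("not a CAS response")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise CasError("rejected: " + failure.get("code", "UNKNOWN"))
    user = root.findtext(CAS_NS + "authenticationSuccess/" + CAS_NS + "user")
    if not user or not user.strip():
        raise CasError("no user in response")
    return user.strip()

if __name__ == "__main__":
    print(login_redirect())
    print(parse_validation(SAMPLE_OK))
```

The `service` value sent to `/serviceValidate` has to be the same URL that was sent to `/login`, and the application should create its own session only after `parse_validation` returns a username.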