[Mediawiki-l] How to automate single-sign-on across multiple apps?

Matt England mengland at mengland.net
Sun Mar 26 06:45:13 UTC 2006


Thanks for the notes, they provide a great background.  (I'm reply to this 
note so it can get in the list archive...because Greg's post below did not 
appear to make it to the archive in a timely manner.)


At 3/25/2006 11:30 AM, Gregory Szorc wrote:
>There are multiple ways to implement single sign-on (SSO).  The way you 
>describe, a user goes to a URL, signs in, and gets logged in to other 
>applications right there and then using HTTP calls on behalf of a 
>user.  This is pretty insecure and a pain to implement.  It also doesn't 
>scale very well.
>Another way to implement single sign-on is with a single sign-on server, 
>which has a single sign-on protocol.  When a user logs in to any 
>application using SSO, they get whisked away to the SSO server.  If they 
>aren't logged in to the server, they get prompted for their 
>credentials.   When they are logged in, they get signed in to the desired 
>As for SSO servers, I recommend CAS 
>(http://www.ja-sig.org/products/cas/).  It has clients for almost every 
>language, including PHP, and the protocol is simple enough to create 
>clients in other languages.  I have successfully deployed MediaWiki behind 
>it.  It shouldn't be difficult getting it to work with the other 
>applications either.
>Gregory Szorc
>gregory.szorc at case.edu
>Matt England wrote:
>>How to automate single-sign-on across multiple apps...on the 
>>MediaWiki-side of things?
>>My project is making a collaboration web server that includes MediaWiki, 
>>Bugzilla, phpBB forums, and other web-base applications.
>>We are trying to make our own single-login mechanism for all these 
>>apps.  We appear to have an LDAP-based "back end" account database 
>>working for the above apps, and we think we can make our own "one-stop" 
>>registration page form where a user can register once and instantly get 
>>accounts on all the above apps.
>>The trickier part:
>>How can we make a one-stop *login* page (different from registration 
>>page) that can automatically login said user to all the above apps, so 
>>they don't have to login manually to each one separately?
>>We presume we have to provide some sort of automation to make the above 
>>apps auto-download cookies to the client browser for each app.
>>A coworker of mine suggested some sort or "front end" form that passes 
>>login/password parameters to the "back end" forms to do this, 
>>automatically.  I think he referred to this as "screen scraping" 
>>(although I'm not sure of the nature or the meaning of that 
>>term).  Further, I'm not sure I'm thrilled about having the password 
>>flying inside my server via a URL, but alas it's a SSL-wrapped session, 
>>so maybe it doesn't matter.
>>In any case, I'm looking for suggestion on how to do this for MediaWiki.
>>Thanks for any help,
>>MediaWiki-l mailing list
>>MediaWiki-l at Wikimedia.org

More information about the MediaWiki-l mailing list