How to automate single-sign-on across multiple apps?

How to automate single-sign-on across multiple apps?

Matt England
Summary:

How to automate single-sign-on across multiple apps...on the MediaWiki-side
of things?


Details:

My project is making a collaboration web server that includes MediaWiki,
Bugzilla, phpBB forums, and other web-based applications.

We are trying to make our own single-login mechanism for all these
apps.  We appear to have an LDAP-based "back end" account database working
for the above apps, and we think we can make our own "one-stop"
registration page form where a user can register once and instantly get
accounts on all the above apps.

The trickier part:

How can we make a one-stop *login* page (different from registration page)
that can automatically login said user to all the above apps, so they don't
have to login manually to each one separately?

We presume we have to provide some sort of automation to make the above
apps auto-download cookies to the client browser for each app.

A coworker of mine suggested some sort of "front end" form that passes
login/password parameters to the "back end" forms to do this,
automatically.  I think he referred to this as "screen scraping" (although
I'm not sure of the nature or the meaning of that term).  Further, I'm not
sure I'm thrilled about having the password flying inside my server via a
URL, but alas it's a SSL-wrapped session, so maybe it doesn't matter.

In any case, I'm looking for suggestions on how to do this for MediaWiki.

Thanks for any help,
-Matt

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Re: How to automate single-sign-on across multiple apps?

Matt England
Greg,

Thanks for the notes, they provide a great background.  (I'm replying to this
note so it can get in the list archive...because Greg's post below did not
appear to make it to the archive in a timely manner.)

-Matt

At 3/25/2006 11:30 AM, Gregory Szorc wrote:

>There are multiple ways to implement single sign-on (SSO).  The way you
>describe, a user goes to a URL, signs in, and gets logged in to other
>applications right there and then using HTTP calls on behalf of a
>user.  This is pretty insecure and a pain to implement.  It also doesn't
>scale very well.
>
>Another way to implement single sign-on is with a single sign-on server,
>which has a single sign-on protocol.  When a user logs in to any
>application using SSO, they get whisked away to the SSO server.  If they
>aren't logged in to the server, they get prompted for their
>credentials.   When they are logged in, they get signed in to the desired
>application.
>
>As for SSO servers, I recommend CAS
>(http://www.ja-sig.org/products/cas/).  It has clients for almost every
>language, including PHP, and the protocol is simple enough to create
>clients in other languages.  I have successfully deployed MediaWiki behind
>it.  It shouldn't be difficult getting it to work with the other
>applications either.
>
>Gregory Szorc
>[hidden email]
>
>Matt England wrote:
>>Summary:
>>How to automate single-sign-on across multiple apps...on the
>>MediaWiki-side of things?
>>
>>Details:
>>My project is making a collaboration web server that includes MediaWiki,
>>Bugzilla, phpBB forums, and other web-based applications.
>>We are trying to make our own single-login mechanism for all these
>>apps.  We appear to have an LDAP-based "back end" account database
>>working for the above apps, and we think we can make our own "one-stop"
>>registration page form where a user can register once and instantly get
>>accounts on all the above apps.
>>The trickier part:
>>How can we make a one-stop *login* page (different from registration
>>page) that can automatically login said user to all the above apps, so
>>they don't have to login manually to each one separately?
>>We presume we have to provide some sort of automation to make the above
>>apps auto-download cookies to the client browser for each app.
>>A coworker of mine suggested some sort of "front end" form that passes
>>login/password parameters to the "back end" forms to do this,
>>automatically.  I think he referred to this as "screen scraping"
>>(although I'm not sure of the nature or the meaning of that
>>term).  Further, I'm not sure I'm thrilled about having the password
>>flying inside my server via a URL, but alas it's a SSL-wrapped session,
>>so maybe it doesn't matter.
>>In any case, I'm looking for suggestions on how to do this for MediaWiki.
>>Thanks for any help,
>>-Matt
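The SSO-server approach recommended in the quoted reply, sketched from the application's side as an added example that is not part of either post or of any CAS client library: the app redirects the browser to the CAS server, receives a one-time service ticket, and exchanges it for a username over a back channel, so the password is only ever typed into the CAS server. The `/login` and `/serviceValidate` endpoints and the response format are those of the CAS 2.0 protocol; the host names, ticket and sample responses are constructed placeholders.

```python
# Added example: the application's side of a CAS 2.0 login. Host names and
# tickets are constructed placeholders; no network calls are made.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace


def login_redirect_url(cas_base, service_url):
    """Where the app sends a browser that has no local session yet."""
    return f"{cas_base}/login?{urlencode({'service': service_url})}"


def validate_url(cas_base, service_url, ticket):
    """Back-channel URL the app fetches (server to server, over TLS) to
    exchange the one-time ticket for a username. The service value must be
    the same URL that was used in the login redirect."""
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_base}/serviceValidate?{query}"


def parse_service_response(xml_text):
    """Return the authenticated username, or raise PermissionError."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    raise PermissionError(f"CAS validation failed: {code}")


# Constructed sample responses in the CAS 2.0 format.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>matt</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    cas, wiki = "https://sso.example.org/cas", "https://wiki.example.org/index.php"
    print(login_redirect_url(cas, wiki))
    print(validate_url(cas, wiki, "ST-constructed-1"))
    print(parse_service_response(SAMPLE_OK))
```

Each application (wiki, bug tracker, forum) sets its own session cookie only after `parse_service_response` returns a username, and treats any failure code as "not logged in".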