Project: Site Network
Version: 6.x-1.x-dev
Component: Code
Category: feature request
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

Guys,

I'm trying to create a way to support a single sign-on feature for Drupal sites. I will explain it now, using drupal.org (DO) and groups.drupal.org (GDO) as examples. Let's say that we now want to centralize the user accounts on DO, and when the user enters GDO, it automatically logs the user in if he is already logged in on DO. I will try to explain it, adding more and more levels and complexity.

Method - short version

On GDO, hook_init checks whether the user is anonymous and $SESSION['drupal_sso'] is not set. If so, it sets it to TRUE and redirects the user to drupal.org/sso with the session_id as a GET value. DO checks whether the user is logged in and, if not, returns to groups.drupal.org/sso_notlogged; but if he was, it returns to drupal.org/sso_logged, with both session_id and user_id again. So GDO will log the user in on GDO!

Security - Communication

Since the method exchanges information over the internet, it MUST use HTTPS to protect the information.

Security - Permission

Is GDO allowed to get such information? If another site tries to do the same, will it work?

The answer to these questions is called OAuth. Well, part of it. Let me explain: the module will implement a new user permission on DO, allowing only a few users to have an external site that integrates with DO like this. Possibly, the only such user is the admin himself. He will get a computer-generated key on his account page. He must save this key on GDO, of which he is also the admin. This key will be used to create a hash of the GET values during communication. So GDO will send to DO: session_id, the ADMIN USER ID and a hash value over both the userID and the SessionID. When DO gets the message, loads the user id and its key, and tests the values against the hash, it will be sure that: 1) the site is allowed to use the SSO service; 2) the site really is that user (because the site has the secret key too).

Further

There are some other things that I planned, some details, but it's better to write about them later. I just want to know whether the method is worthwhile or has a fundamental flaw.

regards,

massa
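The exchange described in the post, as an added example that is not part of the original issue or of the Site Network module: both sides are simulated in Python, with HMAC-SHA256 standing in for the post's unspecified "hash of the GET values", a constructed shared key, an assumed admin user id of 42, and the logged-in return URL assumed to live on GDO.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed key: the post has DO generate it on the admin's account page and
# the admin copy it into GDO. DO keeps it keyed by the admin's DO user id
# (assumed "42" here).
DO_SITE_KEYS = {"42": "constructed-shared-secret-for-uid-42"}

def sign(params, key):
    """Keyed hash over the GET values. HMAC-SHA256 is used here in place of the
    post's unspecified hash so that the key itself never travels in the URL."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()

def parse(query):
    """Split a query string into (received hash, remaining GET values)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    return q.pop("hash", None), q

def gdo_sso_request(session_id, admin_uid, key):
    """GDO -> DO: session_id, the admin's DO user id, and a hash over both."""
    p = {"session_id": session_id, "admin_uid": admin_uid}
    p["hash"] = sign(p, key)
    return "https://drupal.org/sso?" + urlencode(p)

def do_sso(query, logged_in_uid):
    """DO side: check the site is allowed and the hash is genuine, then reply."""
    received, p = parse(query)
    key = DO_SITE_KEYS.get(p.get("admin_uid"))
    if key is None or received is None or "session_id" not in p:
        return None                      # site not allowed to use the SSO service
    if not hmac.compare_digest(received, sign(p, key)):
        return None                      # values altered, or sender lacks the key
    if logged_in_uid is None:
        return "https://groups.drupal.org/sso_notlogged"
    r = {"session_id": p["session_id"], "user_id": logged_in_uid}
    r["hash"] = sign(r, key)
    return "https://groups.drupal.org/sso_logged?" + urlencode(r)  # assumed on GDO

def gdo_sso_logged(query, key, own_session_id):
    """GDO side: accept user_id only if the hash checks and session_id is ours."""
    received, p = parse(query)
    if received is None or not hmac.compare_digest(received, sign(p, key)):
        return None
    if p.get("session_id") != own_session_id:
        return None                      # reply replayed into a different session
    return p["user_id"]
```

Binding the reply to the GDO session_id is what stops a captured sso_logged URL from logging a different visitor in as that user.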

Comments

#1

Status: active » closed (fixed)