I'm in the midst of looking at different single sign on solutions, and I'm looking for some feedback on the relative advantages and disadvantages of the existing options -- and/or pointers toward resources I've overlooked.

Here are some of the options on my short list (in no particular order):

.

Currently, I'm looking most closely at OpenID and PubCookie. The eventual goal from all this is to create and document a system that allows single sign on between multiple Drupal sites, and Drupal sites and sites created in other open source apps. Ideally, these apps can reside on different servers, and in different domains (one of the key advantages of OpenID).

Thanks in advance for your ideas.

Bill

Comments

Boris Mann’s picture

And SXIP, which in CVS has the SXIP 2.0 version which is completely open.

I've spoken before about how ideally we revamp the drupal module in the 4.8 cycle, potentially using OpenID as a basis.

Pubcookie only works on subdomains (i.e. foo.domain.com and bar.domain.com -- not otherdomain.com).

OpenID has large deployment already (LiveJournal) and is the most open, so I'd pick that one, today. SXIP includes concepts of profiles and being able to share that information, and the newest version is completely open source and is being led through the IETF.

Hope that helps.

bonobo’s picture

Thanks, Boris,

The more I look into this, the more OpenID looks like a good way to go. I'll also check out SXIP.

I also need to read more about security with OpenID -- the only solutions that will work in education need to be fairly airtight -- I get the impression that OpenID is very secure, but many school administrators would not be comfortable with this statement (from http://openid.net) on security:

If someblog.com is playing by the rules, nobody else can fake your identity. Of course any site can lie, but what fun is a thousand people all saying they're Bill Gates, and message boards allowing it? So respectable sites (where you'd hang out) would play by the rules.

This seems like more of a language issue than a technological issue.

Thanks,

Bill
-------
http://www.funnymonkey.com
Tools for Teachers

Boris Mann’s picture

The issue is one of trust relationships. Are you going to allow users from livejournal.com to authenticate? Or random person that runs their own OpenID server?

Basically, you can extend/restrict OpenID to only allow authentication from certain domains. That way, OpenID is basically as safe as DNS (which is pretty darn safe).
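The domain restriction described in the comment above, sketched as an added example (not part of the original thread and not code from any Drupal OpenID module): the relying site checks the host of the OpenID provider URL against an allowlist before accepting a login. The function names and the allowlist contents are assumptions for illustration; the two domains are the providers named elsewhere in this thread.

```python
from urllib.parse import urlsplit

# Constructed allowlist: providers this site has decided to trust.
ALLOWED_PROVIDER_DOMAINS = {"livejournal.com", "myopenid.com"}


def normalized_host(url):
    """Return the lower-cased host of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any userinfo ("user@") and the port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    # "livejournal.com." and "livejournal.com" are the same DNS name.
    return host.rstrip(".").lower()


def provider_allowed(provider_url, allowed=ALLOWED_PROVIDER_DOMAINS):
    """True if the provider's host is an allowed domain or a subdomain of one.

    Matching is on whole DNS labels: a bare suffix or substring test would
    also accept look-alike hosts such as "notlivejournal.com".
    """
    host = normalized_host(provider_url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def accept_login(claimed_id, provider_url):
    """Hypothetical policy hook: accept only allowlisted providers.

    The check is applied to the provider that vouches for the user, since a
    claimed identity URL on any domain can name a different server.
    """
    return provider_allowed(provider_url)


if __name__ == "__main__":
    # Constructed sample provider URLs.
    for url in ("http://www.livejournal.com/openid/server.bml",
                "https://bill.myopenid.com/",
                "http://livejournal.com@provider.example/",
                "http://www.livejournal.com.provider.example/"):
        print(url, "->", provider_allowed(url))
```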

Lupin3rd’s picture

There is also the Sql authentication module.
I think that this forum topic is very useful! Then we can try the modules and write relative advantages and disadvantages!

---
Visit drupal.it, the Italian Drupal community.

sourlime’s picture

I would love to see integration with OpenID, especially since it's not only supported by LiveJournal, but it's now also compatible with TypeKey. That means that by having OpenID support, you're already able to easily log in people who are used to Movable Type, TypePad. Plus, there's also a possibility (http://groups.google.com/group/bloggerDev/browse_thread/thread/a914e68e1...) that Blogger might eventually support OpenID as well.

What does that mean? That if you allow people to log in using an OpenID account and they already have an account to post/comment on LiveJournal or TypePad, or through Movable Type or hopefully Blogger, then they do not have to fill in a new registration form. And that covers a LOT of users, which makes me happy.

And for those who don't have an OpenID account, and who might be confused by the idea of registering at drupal, you can point them to a site like http://www.myopenid.com

I'm just starting to look around various CMS implementations - I usually just code my own sites from scratch 'cause I'm a control freak, and so far drupal is looking like the front runner for me - but OpenID support would absolutely make my day, because user commenting can be really important.

bonobo’s picture

There is an OpenID module already coded, and I've been meeting with the team at JanRain about a project I'm working on that will incorporate OpenID -- they're the same folks who run the MyOpenID site linked to in the above thread -- additionally, they have finished code that allows OpenID authentication to carry personas from site to site, in addition to authentication info.

Over the next few weeks, there will be some NICE code and documentation coming out that will simplify setting up OpenID servers and client sites. It will open up a lot of possibilities, both for Drupal and other open source apps.

Cheers,

Bill


metapunk’s picture

Nice project.
I think that OpenID integration will really spark the potential usage of Drupal for Social Networking. That combined with tighter FOAF integration into profiles could result in a potential challenge to all of the centralized, tightly controlled and corporate ad-driven social networks such as myspace/friendster etc. We just have to keep working on the code and also maybe come up with some good recipes for how to do this easily.

el777’s picture

Have you looked at L.A.S.S.O. - Liberty Alliance Single Sign On project?
It promises good standards support.

epicflux’s picture

I'm not sure if anyone is checking this page anymore but I'd like to invite you to check out my single sign-on module that works across multiple databases.

It's built specific to my case, but you might be able to use it as is. Since every site has specific needs you'll probably have to be knowledgeable of PHP & Drupal to make it work for you.

I'd really like to get feedback on the module right now, like ideas on how it could be set up to be truly plug-and-play.

bonobo’s picture

Why not release this on drupal.org?

You'll get more eyes looking over your code, and more feedback on your module.

Cheers,

Bill


epicflux’s picture

That's the plan, but it needs a lot more testing and refining before I take that step.

bonobo’s picture

On your project page, you can specify that this is a work in progress, and that it is not recommended for use on production sites.

You can also tag it as a dev release --

The sooner you release it out, the sooner you'll get more feedback.

Cheers,

Bill
