[TYPO3-typo3org] just a quick idea // authentication & authorisation & OpenID // OAuth server

Steffen Gebert steffen.gebert at typo3.org
Sat Apr 20 23:49:38 CEST 2013


Hi Helmut,

>> I agree that the SSO solution is far from optimal.
>
> Can you elaborate on the issues you see with the current SSO solution?

* we have to implement it for every new application (as the chance that
some software supports it is near to zero ;-))
* users are updated only during login
* there's not a unique attribute to identify a user in all applications
  * every user has a different id in different applications
  * mostly the username is used to match a user during login
  * it is not possible for a user to change his/her username (because of
the previous point)
* sometimes users get created multiple times (in the redmine adapter)
* we have to cheat with applications where we can't easily use an SSO
adapter. E.g. for Gerrit we're using apache's external auth and call a
PHP script on typo3.org, which checks the username/password - that does
not feel very clean.

>> In my dreams we have an LDAP directory.
>
> How would an LDAP directory solve any of the issues?
> Would it introduce other issues?
An update to e.g. the email address would get propagated to the systems,
the uid is a unique identifier of an account, most of the applications
directly support LDAP auth...

>> One which works without synchronization?
>
> The issues I see are *not* on the server side, but on the client
> application side. I doubt that there is a single solution for all the
> applications in our infrastructure that need authentication.
> One App might support LDAP, the other OAuth, another one none of both.

I agree - like in TYPO3 where (AFAIK) no clean LDAP solution exists
(that would not synchronize to fe_users), LDAP wouldn't solve all
problems, if the application implements it badly.

Helmut, don't get me wrong. The DirectSSO works okay for us, personally
I don't feel so much pain that I want to get rid of it immediately, but
it has its disadvantages - and until someone proves the opposite, my
experience with LDAP makes me believe that it would improve our setup.

Kind regards
Steffen

-- 
Steffen Gebert
TYPO3 Server Administration Team Member

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

I work for TYPO3 solely in my spare time. If you think that
my work helps you running your business, you are invited to
send me a donation via PayPal to this email address. Thanks

On 4/20/13 10:42 AM, Helmut Hummel wrote:
> Hi,
> 
> rather than inventing something completely new, which will be a lot of
> work for both concept and implementation, I would suggest to look into
> the downsides of the current solution and improve it.
> 
> On 05.04.13 08:03, Steffen Gebert wrote:
> 
>> I agree that the SSO solution is far from optimal.
> 
> Can you elaborate on the issues you see with the current SSO solution?
> 
>> In my dreams we have an LDAP directory.
> 
> How would an LDAP directory solve any of the issues?
> Would it introduce other issues?
> 
>> One which works without synchronization?
> 
> The issues I see are *not* on the server side, but on the client
> application side. I doubt that there is a single solution for all the
> applications in our infrastructure that need authentication.
> One App might support LDAP, the other OAuth, another one none of both.
> 
> Thus any (other) nice and fancy SSO Server solution would most likely
> still require hacks on the client application side.
> 
>> SimpleSAML mentioned by Thomas sounds like a really nice addition to
>> that, as I'm sure that most of the applications don't offer an OAuth
>> integration, thus relying on only OAuth would force us to change from
>> custom SSO adapters to custom OAuth adapters.
> 
> Exactly.
> 
> 
> Kind regards,
> Helmut
> 
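The account-matching problem Steffen lists above (every application keeps its own user id, users are matched on the username at login, so a rename creates a second account and attribute changes only reach an application when the user logs in) can be reproduced in a few lines. The following is an added example, not code from the TYPO3 infrastructure or the DirectSSO adapters: it simulates an LDAP-style directory entry and one downstream application's user table, and compares matching on the login name with matching on a stable directory attribute. `uid` and `mail` are standard LDAP attribute names and `entryUUID` is the operational attribute OpenLDAP assigns to every entry; the `App` class, its `match_on` setting and the sample user are hypothetical.

```python
"""Matching SSO users by username vs. by a stable directory identifier.

Added example (not from the original thread). Simulates an LDAP-style
directory and one application's local user table. The directory entry
fields mirror LDAP attribute names; everything else is hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DirectoryEntry:
    """One account in the central directory."""
    entry_uuid: str   # stable identifier (OpenLDAP entryUUID), never changes
    uid: str          # login name; a user may want to change it
    mail: str


@dataclass
class AppUser:
    """One row in a downstream application's own user table."""
    app_id: int                 # application-local id, differs per application
    username: str
    mail: str
    external_id: Optional[str]  # the directory's stable id, if the adapter stores it


class App:
    """A downstream application fed by an SSO adapter.

    match_on="username"    : adapter matches on the login name (the current setup)
    match_on="external_id" : adapter matches on the stable directory id
    """

    def __init__(self, match_on: str) -> None:
        if match_on not in ("username", "external_id"):
            raise ValueError("match_on must be 'username' or 'external_id'")
        self.match_on = match_on
        self.users: List[AppUser] = []
        self._next_id = 1

    def find(self, entry: DirectoryEntry) -> Optional[AppUser]:
        for u in self.users:
            if self.match_on == "username" and u.username == entry.uid:
                return u
            if self.match_on == "external_id" and u.external_id == entry.entry_uuid:
                return u
        return None

    def login(self, entry: DirectoryEntry) -> AppUser:
        """Adapter hook at login: create the local user or refresh its attributes."""
        u = self.find(entry)
        if u is None:
            u = AppUser(self._next_id, entry.uid, entry.mail, entry.entry_uuid)
            self._next_id += 1
            self.users.append(u)
        else:
            u.username = entry.uid
            u.mail = entry.mail
        return u

    def sync_without_login(self, entry: DirectoryEntry) -> bool:
        """Push a directory change to the application without a login.

        Returns True if a local user was found and updated.  Deliberately
        does not create users: a push that cannot find the account must fail
        loudly rather than create a duplicate.
        """
        u = self.find(entry)
        if u is None:
            return False
        u.username = entry.uid
        u.mail = entry.mail
        return True


def simulate_rename(match_on: str):
    """A user logs in, changes their username in the directory, logs in again.

    Returns (number of local accounts, whether both logins hit the same account).
    """
    app = App(match_on)
    # constructed sample account
    alice = DirectoryEntry("6c0c5f1e-9a2e-4b8d-b0b5-2f5e0c1d7a11", "alice", "alice@example.org")
    first = app.login(alice)
    alice.uid = "alice.smith"             # username changed centrally
    second = app.login(alice)
    return len(app.users), first.app_id == second.app_id


def simulate_mail_change_after_rename(match_on: str) -> bool:
    """After a rename, can an e-mail change be pushed before the next login?"""
    app = App(match_on)
    bob = DirectoryEntry("3e7d2a44-1c6f-4d0a-9b2e-8f1c4a5d6e22", "bob", "bob@example.org")
    app.login(bob)
    bob.uid = "robert"                    # renamed, has not logged in since
    bob.mail = "robert@example.org"
    return app.sync_without_login(bob)


if __name__ == "__main__":
    for mode in ("username", "external_id"):
        print(mode, simulate_rename(mode), simulate_mail_change_after_rename(mode))
```

With `match_on="username"` the rename produces a second local account and the pushed e-mail change finds nothing, which is exactly the duplicate-user and stale-attribute behaviour described above; with a stable identifier both logins land on the same account and the change can be applied without waiting for the next login. The same holds for a real LDAP adapter: store `entryUUID` (or another immutable attribute) in the application's user table and never use `uid` as the join key.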