Central authentication?

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Central authentication?

Post by alex.barylski »

I have several systems, only one of which offers authentication services. All the others should use the main system to determine if a user has logged in.

Each system is potentially hosted on remote servers.

Is OpenID my best bet? Should I make my central server an OpenID provider and each of the other systems clients of this provider? Is this even possible, or do I have to use a known/existing provider?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Central authentication?

Post by alex.barylski »

OK. So I read up on OpenID a little more and honestly I'm still kind of confused by the whole thing (me wishes Maugrim was around).

I have a web site which I want to be the central authority for several other web sites. Basically, when someone visits any of these partner web sites and they are not authenticated, I want them redirected back to the central authority where they will enter an OpenID.

Some articles I have read suggest a password is also "sometimes" necessary. Why? I thought the OpenID was encrypted between requests and the ID was all you needed? When would a password come into play?

The central web site will also manage the users across the board. That is, a super admin can deactivate anyone from logging into the system at any time or add a new user as well. How does OpenID meet this requirement? If I use a third party OpenID provider (MyOpenID.com for example), how does my central authority web site manage its users and deactivate them accordingly? Would I not have to effectively mirror the user database stored on my provider web site in order to keep track of who is allowed and who is denied?

Because of this requirement, would it not make more sense to actually host an OpenID server on my central authority web site so I had direct control over the users?
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: Central authentication?

Post by ghurtado »

I don't know if OpenID would be the best solution to your problem, but you definitely need some type of identity federation (single sign on).

If the system required a password in some instances, well then it wouldn't be single sign on at all, right?

I believe the general principle behind most of these systems is that the requesting server forwards the authentication credentials to the central server, along with some unique client information (like the IP, user agent and so on), so that the identity can be confirmed when a second satellite site requests credentials.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Central authentication?

Post by onion2k »

I don't think OpenID is the right solution for you. The point of OpenID is to let people use a single login for completely separate websites - as you control all the sites that this authentication system needs to use you don't need to have that sort of flexibility.

I would create a very standard user system for the central site and then create a web service that the other sites can use to authenticate users, update details, etc.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Central authentication?

Post by alex.barylski »

onion: I have to agree with you. The more I read about OpenID, the less it sounds like it's the right fit. I think an LDAP server would make the most sense. Although I don't really want each satellite application to log in against a central store. I want them to somehow detect whether a user is logged in already (using propagated sessions or some kind of token) and just continue as normal, otherwise redirect to the central authority site.

Cheers :)
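As an added example (not code from anyone in this thread), here is the flow onion2k and alex.barylski sketch above: the central site keeps the user accounts and, after a successful login, mints a short-lived, audience-bound, HMAC-signed token for one satellite; each satellite verifies that token locally, continues as the user if it checks out, and otherwise redirects to the central login. The shared key, the central login URL and the claim names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed demo key. In practice each satellite gets its own key that only
# it and the central authority know, so one leaked key cannot forge tokens for all sites.
SHARED_KEY = b"constructed-demo-key-change-me"
CENTRAL_LOGIN_URL = "https://central.example/login"  # assumed URL of the central site


def _b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64u_encode(hmac.new(SHARED_KEY, body.encode("utf-8"), hashlib.sha256).digest())


def issue_token(user_id: str, audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Central authority: mint a token for one satellite ('aud') after the user logged in here."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": audience, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64u_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token: str, audience: str, now: Optional[int] = None) -> Optional[str]:
    """Satellite: return the user id if the token is genuine, meant for us and unexpired, else None."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.partition(".")
    # Check the signature first, in constant time, before trusting anything inside the body.
    if not sep or not hmac.compare_digest(sig.encode("utf-8"), _sign(body).encode("utf-8")):
        return None
    try:
        claims = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("aud") != audience:
        return None  # a token minted for another satellite must not work here
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # expired (or malformed expiry)
    return claims.get("sub")


def satellite_entry(token: Optional[str], audience: str, return_to: str, now: Optional[int] = None) -> Tuple[str, str]:
    """What a satellite does per request: continue as the user, or bounce to the central login."""
    user = verify_token(token, audience, now) if token else None
    if user is None:
        return ("redirect", f"{CENTRAL_LOGIN_URL}?return_to={quote(return_to, safe='')}")
    return ("ok", user)
```

Because the satellite only needs the shared key, it never has to query the central database per request; deactivating a user centrally takes effect once the outstanding short-lived tokens expire, which is why the TTL is kept small.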
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: Central authentication?

Post by ghurtado »

In that case, MySQL replication with master-slave servers might be what you need. I am assuming from your post you don't want host A to have to connect to the database server on host B to check whether the user has a session.
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Central authentication?

Post by VirtuosiMedia »

Have you looked at OAuth?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Central authentication?

Post by alex.barylski »

OAuth...that was the other solution I was trying to remember...thank you...I will read up on it and see if it meets the requirements.

EDIT:
"...typical example offered by the spec (Appendix A) is when a user wants to print a photo stored on another site. The interaction goes something like this: the user signs into the printer website and places an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site which can now access the photos. At no point did the user share her username and password with the printer site."
Sounds like the user needs to login at both sites... :(

I think I'll stick with my homemade solution.

Cheers :)