[tangent alert]

On Tue, May 12, 2009 at 10:05:41AM +0200, Peter Schober wrote:
[other good advice trimmed]
> > > Your problem will be to make the various applications running under 
> > > Apache aware of the single sign-on.
> 
> This is indeed as much an art as a science. Every self-respecting
> application has its own user store, authentication mechanism, login
> form, session mechanism, etc. (which is understandable, since it can't
> expect everyone to have the necessary parts already in place).

This much is inevitable.

> So each and every application needs to be modified to rely on
> externally provided authentication (preferably by relying on
> REMOTE_USER already being set by some mod_*), refrain from insisting
> to collect username+password itself (and impersonate the user to other
> services with them that way), possibly even "outsourcing" its session
> management (also take into account terminating these several
> different sessions, one for the SSO system, one for the application,
> with different timeouts, idle timeouts and consequences for the user
> experience.)

This is not inevitable and it is most unfortunate.  Any
self-respecting application which uses authentication ought not
require us to hack it after the fact to use the methods required by
its environment.  A built-in authentication method ought to be
separated from the main application by a plugin interface *from day
one*, and it should be possible to simply leave it unplugged and plug
in something else if you have one.  We all should pay more attention
to keeping authentication, authorization, and identity separate and to
keeping their specific methods separable from the app.s we build.

And we need to pound on this point with others who build app.s for us,
until it goes in.  I've lost count of the number of products which
would have met our needs *except* that they had only a toy
authentication mechanism wired in with no possibility of bypassing it.

[end rant]

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
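The separation Mark argues for, and the REMOTE_USER reliance Peter describes, as an added Python example that is not code from either poster: the application's only contact with authentication is a plugin interface; one plugin trusts REMOTE_USER set by an Apache mod_* in front of the app, the other is the app's own Basic-auth user store, which can be left unplugged. The class names, the AUTH_TYPE check, the sample store and request dictionaries are all assumptions made for the example.

```python
import base64, hashlib, hmac
from abc import ABC, abstractmethod
from typing import Mapping, Optional, Tuple

class Authenticator(ABC):
    """Plugin interface: the application only ever asks 'who is this?'."""
    @abstractmethod
    def identify(self, environ: Mapping[str, str]) -> Optional[str]: ...

class RemoteUserAuth(Authenticator):
    """Trusts REMOTE_USER that an Apache mod_* set before the request reached
    the app; AUTH_TYPE being set is taken as the server's signal it did so."""
    def identify(self, environ):
        user = environ.get("REMOTE_USER")
        return user if user and environ.get("AUTH_TYPE") else None

class BuiltInAuth(Authenticator):
    """The 'toy' mechanism the app ships with: HTTP Basic checked against its
    own store. A plugin like any other, so it can be left unplugged."""
    def __init__(self, users: Mapping[str, Tuple[bytes, bytes]]):
        self._users = users  # username -> (salt, pbkdf2 hash)
    def identify(self, environ):
        hdr = environ.get("HTTP_AUTHORIZATION", "")
        if not hdr.startswith("Basic "):
            return None
        try:
            name, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 credentials
            return None
        rec = self._users.get(name)
        if rec is None:
            return None
        salt, expected = rec
        got = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
        return name if hmac.compare_digest(got, expected) else None

def make_user(password: str, salt: bytes = b"constructed-salt") -> Tuple[bytes, bytes]:
    """Constructed sample store entry; a real store would use os.urandom salts."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def basic_env(name: str, pw: str) -> Mapping[str, str]:
    """Constructed request: a client handing its password to the app itself."""
    return {"HTTP_AUTHORIZATION": "Basic " + base64.b64encode(f"{name}:{pw}".encode()).decode()}

def handle(environ: Mapping[str, str], auth: Authenticator) -> Tuple[int, str]:
    """The application proper: it receives an identity (or not) and decides
    what to do; authentication is whatever plugin the deployment handed in."""
    user = auth.identify(environ)
    return (401, "authentication required") if user is None else (200, f"hello {user}")
```

With SSO in front, `handle(env, RemoteUserAuth())` never sees a password; without it, the same `handle` runs unchanged with `BuiltInAuth` plugged in.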