Re^2: Single Sign-On?

If I understand M$ Passport correctly, they have a centralized registry that manages all user authentication. That is obviously not good.

However, it does not have to be this way, it can be a federated system consisting of a number of identity providers, and an even greater number of web sites that accept login authentication from at least some of those providers. For example CPAN forum could have a button in addition to its login box that PerlMonks can just click and they will be logged in using the PerlMonks system. They could have another such button for Slashdotters. This would not create any new "trusted third parties".

Comment on Re^2: Single Sign-On?

Replies are listed 'Best First'.
Re^3: Single Sign-On? by thor (Priest) on Mar 06, 2005 at 15:32 UTC
Just so I understand you correctly, you're suggesting having x-odd buttons on every sites' main page, each one saying "log me in with my perlmonks account", "log me in with my CPAN account", "log me in with my foobar account"? This is MS Passport, except that instead of a one-to-many relationship, you have a many-to-many relationship. Also, it would probably require a major infrastructure change so that external sites can try to authenticate against your login credentials. thor `Feel the white light, the light within Be your own disciple, fan the sparks of will For all of us waiting, your kingdom will come`	[reply]
Re^4: Single Sign-On? by jhourcle (Prior) on Mar 06, 2005 at 16:56 UTC
In that sort of a situation, you wouldn't use a seperate button for each one -- you'd have some way in the login id to specify if it were a remote id. Most rent-a-POPs use this. (The companies that rent out modem banks, so that other ISPs can claim to have 'nationwide' coverage). If you have to log in as `user@domain` or `user/domain` you've probably gone through one of these -- when the radius server that you're authenticating off of see the domain, it checks to see if it's a domain that it knows about, and if it is, it uses whatever authentication check is necessary to authenticate in that domain. So, I might log in as `ONEIROS@PAUSE` or `oneiros@perl.org` or `jhourcle/perlmonks` or `whatever_my_local_userid_is_without_a_domain` or however the system handled things. You're right, however, in that there is n*(n-1) complexity for the system administrator, as each of the n sysadmins needs to know how to authenticate to n-1 other systems -- but it doesn't require a seperate login blank for each one, or a button for each one.	[reply] [d/l] [select]
Re^3: Single Sign-On? by gaal (Parson) on May 20, 2005 at 06:29 UTC
You may be interested in looking into OpenID. It's just started, but there are some serious folks working on it.	[reply]
Re^3: Single Sign-On? by elwarren (Priest) on Apr 04, 2005 at 16:37 UTC
Username conflict is the biggest problem with this, unless the system is designed that way from the beginning. I think CPAN->PerlMonks is a bit of a stretch, but I don't think it would (incredibly) difficult to have shared logins across a shared codebase like PerlMonks to Slashdot to Everything to JavaJunkies.	[reply]