[Meego-community] Single sign-on and user federation
Henri Bergius
henri.bergius at iki.fi
Thu Feb 25 08:39:07 CST 2010
Hi, all
One of the top priorities for MeeGo's web infrastructure from last
night's meeting was that all web services would have to implement SSO
with the main meego.com web service.
The way this is apparently implemented now is that Drupal's user
database is the "master record", and different tools must authenticate
against that.
This poses some problems:
* MeeGo will certainly have many different web tools in use (consider
bugzilla, mediawiki and whatever else we will have), and few of those
have working and properly supported Drupal authentication modules
* the issue above has already been evident in the fact that many users
have experienced problems editing anything in wiki.meego.com because
something didn't sync (I had to revalidate my email address before it
worked for instance)
* also, it locks meego.com into a Drupal implementation even though we
may still want to discuss the "main CMS" choice in light of
experiences we've had with maemo.org, and various people in this
community have had with Drupal
So, I'd like to propose some alternatives for discussion, but before
that please note that we have to consider two different things:
* Single sign-on, i.e. making authentication on one meego.com web
service authenticate user to all the others as well
* User information federation, making sure all services contain or
access consistent information about all users
Maemo.org's SSO implementation
-------------------------------------------------
Last autumn we designed and developed an SSO and user federation setup
for maemo.org. It hasn't been deployed yet because we were waiting for
the new server infrastructure to come up (which it finally did in
January), but can still be deployed for the benefit of the whole
maemo.org community. And since the needs of that community are very
similar to the MeeGo one, the same solution could work there too.
http://wiki.maemo.org/Task:Single_sign-on
SSO: Central Authentication Service
A security ticket-based SSO system that has support for many
programming languages and ready-made modules for many of the web tools
MeeGo is bound to have, Drupal included
http://www.jasig.org/cas
http://en.wikipedia.org/wiki/Central_Authentication_Service
User federation: all services talk to a central user database via a REST API
We have an implementation of the user federation service in Midgard
available, and it can be run as separate from the public-facing web
infra. The central user database ensures both person details and
preferences can be reused across all maemo.org web services.
http://wiki.maemo.org/Task:Single_sign-on/UserManagement-API
OpenID and OAuth WRAP
-------------------------------------
OpenID and OAuth are reasonably new web authentication and identity
handling protocols. While they have some usability issues (that mostly
could be worked around by providing a nice "Authenticate via MeeGo"
button, think of the "Facebook Connect" buttons you see everywhere),
their benefit is that by using OpenID we could federate identities not
only across MeeGo services, but also with Google and other popular web
providers.
We already have an OpenID provider running on maemo.org that enables
users to automatically register and log into meego.com using their
Maemo login and identity.
http://arstechnica.com/open-source/guides/2010/01/oauth-and-oauth-wrap-defeating-the-password-anti-pattern.ars
http://bergie.iki.fi/blog/register_and_log_into_meego-com_using_your_maemo-org_account/
http://openidexplained.com/
Shibboleth
---------------
Shibboleth is another security-ticket-based authentication protocol
that is fairly common in the university world. It also has the benefit
of providing a federated identity and authentication network where
meego.com could also trust maemo.org user authentication and vice
versa. It is slightly heavier to implement than CAS but is likely to
provide security benefits. We have some experience with Shibboleth
from various university web projects. Another benefit is that
Shibboleth can be used as an Apache authentication module meaning that
any web tool that supports Apache-level authentication can
authenticate via it out-of-the-box.
http://shibboleth.internet2.edu/
http://en.wikipedia.org/wiki/Shibboleth_(Internet2)
Comments appreciated. Since we're in the lucky position of being able
to make pretty wide-ranging architectural choices about MeeGo's web
infrastructure at this early stage, it would be good to spend a moment
deciding which SSO and identity framework to go with.
/Henri
--
Henri Bergius
Motorcycle Adventures and Free Software
http://bergie.iki.fi/
Skype: henribergius
Jabber: henri.bergius at gmail.com
Microblog: http://www.qaiku.com/home/bergie/
My Royal Enfield Bullet 500 is for sale, see http://www.nettimoto.com/844397
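The mail describes CAS and Shibboleth as "security ticket-based" SSO, but does not show what a ticket flow looks like. The following is an added illustration written for this page, not code from the author, from maemo.org, or from the CAS project. It models the two ticket kinds CAS uses: a ticket-granting ticket (TGT) that the browser keeps as a cookie after the one real login, and a short-lived, single-use service ticket (ST) that is minted per service and validated server-to-server. The class and ticket names, TTL values and service URLs are constructed for the example; the properties it enforces (single use, binding to one service, expiry, revocation on logout) are what make a ticket safe to pass through the browser.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed values for illustration; real deployments tune these.
TGT_TTL = 8 * 3600   # seconds the browser-side TGT cookie stays valid
ST_TTL = 30          # seconds a service ticket may sit unvalidated


@dataclass
class Ticket:
    user: str
    issued: float
    service: Optional[str] = None   # set only on service tickets


class TicketAuthority:
    """Hypothetical model of the central SSO server's ticket registry."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock            # injectable so expiry can be tested
        self.tgts: Dict[str, Ticket] = {}
        self.sts: Dict[str, Ticket] = {}

    def login(self, user: str) -> str:
        """Primary authentication succeeded once; hand back a TGT for the cookie."""
        tgt = "TGT-" + secrets.token_urlsafe(32)
        self.tgts[tgt] = Ticket(user=user, issued=self.clock())
        return tgt

    def issue_service_ticket(self, tgt: str, service: str) -> Optional[str]:
        """SSO step: a live TGT yields a fresh ST bound to the requesting service.
        No password prompt here; that is what makes it single sign-on."""
        t = self.tgts.get(tgt)
        if t is None or self.clock() - t.issued > TGT_TTL:
            self.tgts.pop(tgt, None)   # drop expired TGTs as they are seen
            return None
        st = "ST-" + secrets.token_urlsafe(32)
        self.sts[st] = Ticket(user=t.user, issued=self.clock(), service=service)
        return st

    def validate(self, st: str, service: str) -> Optional[str]:
        """Called by the service over a server-to-server channel (the CAS
        /serviceValidate step). Returns the username or None."""
        t = self.sts.pop(st, None)    # pop: one attempt, whether it succeeds or not
        if t is None:
            return None               # unknown or already-used ticket
        if t.service != service:
            return None               # ticket replayed against another service
        if self.clock() - t.issued > ST_TTL:
            return None               # ticket sat too long before validation
        return t.user

    def logout(self, tgt: str) -> None:
        """Invalidating the TGT ends SSO for every service at once."""
        self.tgts.pop(tgt, None)


def demo() -> Dict[str, Optional[str]]:
    """Walk a user through wiki and bugtracker logins with one authentication."""
    auth = TicketAuthority()
    tgt = auth.login("alice")
    wiki, bugs = "https://wiki.example.org/login", "https://bugs.example.org/login"
    st_wiki = auth.issue_service_ticket(tgt, wiki)
    st_bugs = auth.issue_service_ticket(tgt, bugs)
    return {
        "wiki_first_use": auth.validate(st_wiki, wiki),    # "alice"
        "wiki_replay": auth.validate(st_wiki, wiki),       # None: single use
        "bugs_wrong_service": auth.validate(st_bugs, wiki),  # None: bound to bugs
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Each service only ever sees the username that the central server returns for a ticket; it never handles the user's password, which is the point of the split between the TGT and the per-service ST. The same shape, with a session cookie standing in for the TGT, is what a Drupal or MediaWiki CAS client module implements.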