Possible Single Sign-On Method (Suggestions Welcome!)

Chad Paulson

Monday 26 November 2007 3:32:30 pm

Background: We have 2 siteaccesses (we'll use Site A and Site B to describe both sites) running under the same ez Publish install. We would like to implement a single sign-on / registration point which will accommodate all registration, authentication, and basic account maintenance (forgot user/pass, change password, change email) for Site A, Site B, and all 3rd party software (vBulletin, Mantis, etc).

After reviewing various options (LDAP, open ID, etc), I have a solution in mind that would allow my organization to stick with the dynamic profile generation methodology that we currently have implemented while, at the same time, allow us the flexibility to accommodate various 3rd party software solutions that require their own user tables.

This proposed solution would work in the following ways.

User Registration:
1) User registers at Site A or Site B.
2) User is sent a verification email.
3) User fulfills verification requirements.
4) Successful user verification triggers dynamic profile generation (currently exists).
5) User verification also triggers user creation in all 3rd party applications (vBulletin, Mantis, etc) via custom import scripts.

User Login:
1) User signs on via Site A or Site B.
2) Custom login handler will set session data for all 3rd party applications (there may be a better way to do this; I welcome all suggestions).

User Edit:
1) User will be redirected to Site A or Site B for the edit tasks listed below. Upon verification / completion, triggers will modify all 3rd party user tables to keep email and password (and any other relevant account information) in sync.
- Forgot user/pass
- Change password
- Change email address

2) Any 3rd party application specific edit functions will be handled by the application.

I hope I have given a clear overview, as well as covered all of the bases. The philosophy behind this implementation allows for a single point of authentication while minimizing 3rd party application hacks and plugins. This should allow for easier 3rd party application maintenance / upgrades (especially crucial to keep forum software secure and up to date).

Thanks in advance!
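As an added example (my code, not Chad's, and not eZ Publish, vBulletin or Mantis APIs), here is the hub the post sketches: registration is held pending until the emailed token is verified, verification triggers account creation in every downstream app, and password or email changes at the central site re-push to all of them. The adapters and their hash functions are hypothetical stand-ins for the real apps' user tables; the point worth seeing is that each app's hash is derived the moment the plaintext is present, and only hashes are ever stored or pushed.

```python
import hashlib, hmac, os, secrets

def hub_hash(password, salt=None):
    """Hub-side credential: salt$digest, PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def hub_verify(password, stored):
    return hmac.compare_digest(hub_hash(password, bytes.fromhex(stored.split("$")[0])), stored)

class AppAdapter:
    """Hypothetical stand-in for one downstream user table; hash_fn is that app's own scheme."""
    def __init__(self, name, hash_fn):
        self.name, self.hash_fn, self.users = name, hash_fn, {}
    def upsert(self, username, email, password_hash):
        # Idempotent write: re-running a trigger after a partial failure is safe.
        self.users[username] = {"email": email, "password_hash": password_hash}

class AccountHub:
    def __init__(self, apps):
        self.apps, self.users, self.pending = apps, {}, {}
    def _record(self, username, email, password):
        # Derive every app's hash while the plaintext is in hand; store only hashes.
        return {"username": username, "email": email, "hub_hash": hub_hash(password),
                "app_hashes": {a.name: a.hash_fn(password) for a in self.apps}}
    def _push(self, username):
        u = self.users[username]
        for app in self.apps:
            app.upsert(username, u["email"], u["app_hashes"][app.name])
    def register(self, username, email, password):
        token = secrets.token_urlsafe(32)          # sent in the verification email
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = self._record(username, email, password)
        return token
    def verify(self, token):
        rec = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if rec is None:
            return False                            # unknown or already-used token
        self.users[rec["username"]] = rec
        self._push(rec["username"])                 # step 5: create downstream accounts
        return True
    def change_password(self, username, old, new):
        u = self.users[username]
        if not hub_verify(old, u["hub_hash"]):
            return False
        u.update(self._record(username, u["email"], new))
        self._push(username)
        return True
    def change_email(self, username, email):
        self.users[username]["email"] = email
        self._push(username)                        # password hashes unchanged
```

Because `upsert` is idempotent, a failed push can simply be replayed for the affected user; a periodic comparison of each app's rows against the hub's records is the natural place to detect drift.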

Laurent BOURREL

Monday 26 November 2007 11:36:49 pm

Hi,

Can't you use an SSO API like CAS?
There's a contrib on it; perhaps you should look at it:
http://ez.no/developer/contribs/applications/smile_cas

Chad Paulson

Tuesday 27 November 2007 7:30:10 am

Thanks for the suggestion. I have looked at similar solutions. The reason I am not completely sold on solutions such as CAS and LDAP is largely due to the fact that accounts need to be automatically generated on the 3rd party software side (software such as vBulletin, Mantis). When a user registers on either of our ez Publish sites (Site A or Site B), they must also have access to vBulletin and Mantis.

Therefore, it's not just a single sign-on solution I am looking for, but also account generation / synchronization.

Please let me know if my proposal falls out of line with best practices, as that is my main concern. Thanks again.

Yudi Setiawan

Sunday 06 April 2008 7:53:38 pm

Dear Chad,

I'm a newbie.
Have you found any solution yet to this issue?
Kindly please share.
I also planned to integrate eZ Publish with Mantis.

Thank you.