Artem Melentyev wrote:
> Hi, Markus.
>
> Markus Lanthaler wrote:
>> after evaluating possible frameworks I would propose to use OpenSSO [1] for
>> my GSOC SSO project.
>> It has full SAML 2.0 support, but lacks a bit regarding OpenID which isn't
>> supported by default. There is an extension which allows OpenSSO to act as a
>> OpenID 1.1 OP, but doesn't have RP support. OpenSSO has a very active and
>> large community (which maybe is the strongest argument to use it). There are
>> several requests for better OpenID support so I think that's a hot topic for
>> them and maybe it's possible to find some other developers with whom I can
>> add full OpenID 2.0 support.
>>
>> So now I'll start implementing RP support (authentication). As far as I
>> understand the code I have to implement a XWikiAuthService analogous to the
>> XWikiLDAPAuthServiceImpl, right?
>> I also have some more questions :-) Let's start with OpenID (I'll start with
>> that):
>>
>> 1.) I need to modify the login screen because I just need a field where the
>> user can enter his OpenID URL, no password field. Then the user is redirect
>> to his OpenID provider. How should/can I implement that?
You can change the login page (templates/login.vm). About the UI (both design
and implementation) we
can have a more detailed discussion later.
>> 2.) OpenIDs have to be bound to local user accounts (1:n relations, allow
>> more OpenIDs per account) - how should this happen? In the admin GUI? Who
>> should be allowed to do it?
>
> I think 1:1 relation is sufficient. No special need for 2 sso accounts
> for the same local user.
> Relation can be contained in new property of XWikiUsers class. ("ssourl"
> string property for example. or dblist property in case of 1:n relation)
I wouldn't add a new property to the XWikiUsers class; this leads to very thick
classes, like
XWikiPreferences, with properties used only in specific cases. I'd rather add a
new XClass, for
example XWiki.OpenIdAccount, and user profiles will have this kind of objects
attached.
>> 3.) What about user registration? Should it be possible for users to create
>> accounts without password and just OpenID?
>
> Yes. This is one of major advantages of sso. Isn't it?
> This is very useful for users which want simply add some comment and
> don't want to full register.
>
>> Please consider that XWiki should
>> also be able to act as a provider, i.e. act as an OpenID server.
>
> I think that provide new xwiki sso account for already sso users is
> useless :)
> We should not provide xwiki sso accounts for sso users without password
> in their xwiki user profile.
Well, I think this is about the other way around: provide SSO accounts for
XWiki users, so that
other applications can connect to XWiki. And I'm in favor of that.
Of course, as Artem said, there's no point in "mirroring" an external SSO
provider, at least not yet.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
