John Erling Blad pointed us to this thread. I was not subscribed to the list, 
so I'm sorry that this response probably creates a new thread.

We, UNINETT, operate Feide, the Norwegian Identity Federation for students 
from lower and higher education and research institutions in Norway. Feide 
would allow services, like Wikipedia, to verify end users (with some additional 
user data, like userid, email and name etc) using the SAML 2.0 protocol. The 
end users will then log in on their institution login page using their 
institutional credentials; they will also have single sign-on to other sites.

We also maintain the software package SimpleSAMLphp, that implements the 
various roles in the SAML 2.0 protocol architecture, including support for 
acting as a Service Provider, which will be the relevant role for a service 
like Wikipedia. SimpleSAMLphp is implemented in PHP, and while we are not 
maintaining MediaWiki extensions to integrate with others, I believe others 
have made some efforts:

        http://www.mediawiki.org/wiki/Extension:MultiAuthPlugin
        http://www.mediawiki.org/wiki/Extension:SAMLAuth

SimpleSAMLphp is one of many open source products implementing SAML.


We have a good contact network of other educational Identity Federations across 
the world, and in particular Europe and US. We have been part of two 
initiatives for allowing service providers to connect to a wide range of 
Identity Federations (at once), including GEANT eduGAIN and Kalmar2. 
        
        http://www.geant.net/service/edugain/pages/home.aspx
        https://www.kalmar2.org


Identity Federations, like Feide, can provide:

        * verified accounts, something that may help control trolling.
        * user convenience of not having to register or maintain another set of 
          credentials, + the convenience of SSO.

If you are interested in doing a pilot with connecting Wikipedia to Feide, we 
may provide you with further details to proceed with that.


The user centric Identity Federation paradigm, represented by protocols like 
OpenID (and others), will (usually) not provide you with verified accounts, but 
still get you the user convenience of SSO and re-use of an existing account.

OpenID has gone through a few versions, 1.0 and 2.0, and currently OpenID 
Connect is being sorted out. OpenID Connect differs significantly from earlier 
versions since it is built upon OAuth (a good thing). We're also a bit involved 
with the OpenID Connect standardization. As part of the GÉANT Identity 
Federation project in collaboration with Kantara Initiative, we will be 
responsible for implementing an automated interoperability test facility for 
OpenID Connect, like this: http://www.youtube.com/watch?v=3mGA79T0hPg


OAuth "alone" cannot provide authentication of users to Wikipedia from 
external sites. But, it can be used to grant a user authorization to Wikipedia 
content through a back-channel REST API (without exposing credentials through 
this API). I believe that was the idea that this thread started with, which 
seems like a very good idea, but a very different idea than offering federated 
login. OAuth also exists in multiple versions, and I think it would be 
recommended to go for OAuth 2.0 for any new projects that have not supported 
earlier versions of OAuth.

Andreas Åkre Solberg
UNINETT AS - http://rnd.feide.no





_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
