16 Jun
2008
16 Jun
'08
3:27 p.m.
Artem Melentyev wrote:
I wouldn't add a new property to the XWikiUsers class; this leads to very thick
classes, like
XWikiPreferences, with properties used only in specific cases. I'd rather add a new
XClass, for
example XWiki.OpenIdAccount, and user profiles will have this kind of objects attached.
Well, I think this is about the other way around: provide SSO accounts for XWiki users, so
that
other applications can connect to XWiki. And I'm in favor of that.
Of course, as Artem said, there's no point in "mirroring" an external SSO
provider, at least not yet.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
Hi, Markus.
Markus Lanthaler wrote:
> after evaluating possible frameworks I would propose to use OpenSSO [1] for
> my GSOC SSO project.
> It has full SAML 2.0 support, but lacks a bit regarding OpenID which isn't
> supported by default. There is an extension which allows OpenSSO to act as a
> OpenID 1.1 OP, but doesn't have RP support. OpenSSO has a very active and
> large community (which maybe is the strongest argument to use it). There are
> several requests for better OpenID support so I think that's a hot topic for
> them and maybe it's possible to find some other developers with whom I can
> add full OpenID 2.0 support.
>
> So now I'll start implementing RP support (authentication). As far as I
> understand the code I have to implement a XWikiAuthService analogous to the
> XWikiLDAPAuthServiceImpl, right?
> I also have some more questions :-) Let's start with OpenID (I'll start with
> that):
>
> 1.) I need to modify the login screen because I just need a field where the
> user can enter his OpenID URL, no password field. Then the user is redirect
> to his OpenID provider. How should/can I implement that?
You can change the login page (templates/login.vm). About the UI (both design and
implementation) we
can have a more detailed discussion later.
2.) OpenIDs
have to be bound to local user accounts (1:n relations, allow
more OpenIDs per account) - how should this happen? In the admin GUI? Who
should be allowed to do it?
I think 1:1 relation is sufficient. No special need for 2 sso accounts
for the same local user.
Relation can be contained in new property of XWikiUsers class. ("ssourl"
string property for example. or dblist property in case of 1:n relation) 3.) What about
user registration? Should it be possible for users to create
accounts without password and just OpenID?
Yes. This is one of major advantages of sso. Isn't it?
This is very useful for users which want simply add some comment and
don't want to full register.
Please consider that XWiki should
also be able to act as a provider, i.e. act as an OpenID server.
I think that provide new xwiki sso account for already sso users is
useless :)
We should not provide xwiki sso accounts for sso users without password
in their xwiki user profile.