Is there any way that I can integrate the UserCake user management system with MediaWiki? I want to link the accounts in each system so users can log into both with the same username and password.
There is no existing system to do this. You can create an extension for MediaWiki to do this without too much trouble. Basing it off an existing extension is probably a good starting point. By looking at AuthJoomla, AuthBugzilla and AuthSymfony you should get a good idea of how MediaWiki's authentication extension API operates. It's really just a matter of creating the class, getting it to call the relevant UC functions and then loading it as an extension into MW.
Having said that, UserCake seems unmaintained. It may be worth taking this opportunity to migrate your users to another authentication system. If you are using credentials between several applications you might want to look at something like LDAP.
I know that this is a really old question, but UserSpice is the fully PDO/OOP spiritual successor to UserCake and would probably be better equipped to handle this. It would take some modification, but it could be done.
May I recommend that you use other ways to secure your applications. Take a look at Windows Azure ACS, which gives you security federation to Facebook, Google, Yahoo and more.
This allows you to focus on your application and not security protocols.
Azure ACS supports many different protocols and works great with PHP as well as .Net based applications.
I did a quick search and found the http://www.mediawiki.org/wiki/Extension:OpenID extension, which can use Azure ACS (Access Control Services).
There are other alternatives to ACS such as Ping Identity and OpenSSO, but ACS is a cheap alternative to Ping.
Currently our company uses a very simple login system involving salted MD5 hashes stored in a database and compared with passwords POSTED to a PHP page. We manage page view permission using PHPGACL. Now that our company has shifted from managing a couple dozen logins to a few hundred this system obviously not only presents a security threat but is also a maintenance hassle as we start to integrate more enterprise tools into our system and need users to have distinct logins for each tool.
From my understanding, OpenLDAP will allow us to replace this system with a single login that works across many platforms (google services, JIRA, etc) and a more secure password encryption mechanism. It would also still allow us to maintain the same page access controls that phpGACL offers.
Is this correct or do I have some fundamental misunderstanding of what LDAP is supposed to do? Are there any technologies other than OpenLDAP that would be necessary for migrating a system like the one we currently have? I've heard good things about LDAP but I'm still not very clear on what it actually does and does not do.
Many applications are able to use external (meaning external to the application) LDAP repositories for authentication and some for authorization. But not ALL applications will work with LDAP.
Google services typically require some federation or synchronization to be used with LDAP.
You would need to verify other applications' ability to utilize LDAP.
-jim
The story is that I need to make my website act as an Identity Provider (read: IDP). The website itself is on the Zend platform. The idea is to make an IDP controller through which Service Providers (read: SP) contact the IDP. As it must be part of the website, I would need to include some extension which could easily be used for responding to SAML requests from an SP.
I have found a list of PHP extensions at:
https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support
All of these extensions have little documentation or are too complex. For example, I haven't found a way to use SimpleSamlPHP in my application, and extracting useful code out of it also looks very time consuming (which I really don't have anymore). I also find all of them hard to implement into a website.
I have been googling and checking GitHub for days now, trying to find an easy way to use some library (right now I'm trying to implement Lasso, which seems reasonable, but unfortunately lacks good examples / information on how to use it as an IDP).
Any kind of criticism, ideas, help or tutorial/code examples would be useful.
I wrote a guide about how to deploy an IdP using simplesamlphp on an open source software (Tiki-wiki), and how to connect the IdP to Google or Salesforce. Take a look:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst
SimpleSAMLphp seems intimidating at first but it can handle all the SAML responses for you.
Have you looked at creating a custom authentication module? http://simplesamlphp.org/docs/stable/simplesamlphp-customauth
You can tie this module to your existing login mechanism pretty easily.
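As an added example (not code from the answer above or from the SimpleSAMLphp project), here is what such a custom authentication source can look like when it delegates the password check to the website's existing user table. It assumes the `UserPassBase` class and `WRONGUSERPASS` error from the linked customauth docs, a hypothetical module name `sitelogin`, and a hypothetical `site_users` table whose `password_hash` column holds `password_hash()` digests.

```php
<?php
// Added example: SimpleSAMLphp authentication source that reuses the site's
// own user table. Register it in config/authsources.php as
// 'site-login' => ['sitelogin:SiteLogin', 'dsn' => '...', 'username' => '...', 'password' => '...']
// (module name, table name and column names are assumptions, not from the docs).
namespace SimpleSAML\Module\sitelogin\Auth\Source;

class SiteLogin extends \SimpleSAML\Module\core\Auth\UserPassBase
{
    private $db;

    public function __construct($info, $config)
    {
        parent::__construct($info, $config);
        // Database credentials come from authsources.php, never from code.
        $this->db = new \PDO($config['dsn'], $config['username'], $config['password'], [
            \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
        ]);
    }

    // UserPassBase shows the login form and calls this with the submitted
    // credentials; it must return an attribute array or throw WRONGUSERPASS.
    protected function login($username, $password): array
    {
        $stmt = $this->db->prepare(
            'SELECT email, password_hash FROM site_users WHERE username = :u AND active = 1'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(\PDO::FETCH_ASSOC);

        // Same generic error for "no such user" and "wrong password", so the
        // IdP does not reveal which usernames exist.
        if ($row === false || !password_verify($password, $row['password_hash'])) {
            throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
        }

        // Upgrade old hashes transparently when the algorithm/cost has changed.
        if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
            $upd = $this->db->prepare('UPDATE site_users SET password_hash = :h WHERE username = :u');
            $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
        }

        // Attributes released to the SP; each value is a list per SimpleSAMLphp convention.
        return [
            'uid'  => [$username],
            'mail' => [$row['email']],
        ];
    }
}
```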
Check out PingFederate and the PHP Integration Kit from Ping Identity. Alternatively there is the Agentless Integration Kit (instead of PHP) which allows you to integrate using a RESTful API call to the PingFed server instead of embedding any PHP libraries.
HTH,
Ian
Q: How would you create an SSO? What would you do about authentication (separate app or same as the SSO) and the user store?
Background info:
We have 40+ PHP apps, Java apps and Ruby apps.
Currently, we have a custom SSO+authentication solution. It's an app written in PHP that is now used as SSO, while supporting email/username/phone-number + password as authentication. It works, but was built for a few apps only, not originally meant to be the SSO solution. It doesn't have a usable view; every app creates its own login/register forms and uses the API. They share context and we'd like a more universal design.
Now we want to support OAuth and OpenID solutions, such as Facebook Connect, Google and more (or do we really?), in addition to the existing authentications. We can expand the existing PHP solution, but we are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does acquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
In a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.
I'm building a website that will require user registration and logon.
I would like to use the facebook connect to let people create a basic account and to log on without having to create a local account themselves - and let them fill in more profile details when they want to.
What other 3rd party authorization systems are there? Clearly OpenID is one option. And Google seems to have a system too for logging onto other sites with your Google logon. Are there any other systems? Does Microsoft have one for MSN logons? I found some hints but was unable to find any details.
Anyway, the programming question is: are there any PHP libraries that will do this for me across a range of providers? I see ones for Facebook and OpenID, but I've not seen any library in PHP that abstracts away the differences. Before I program my own solution, are there any libraries for this that I've not managed to find?
Keep in mind that Facebook is likely to become an openid provider in the near future (for some value of near).
If you really want EVERYTHING abstracted for you, JanRain takes care of exactly that task for you as a hosted service. The free version provides enough functionality to get started, and then if your app takes off, you can pay a bit for more functionality down the road.
The question: is there a simple way to implement the login system that stackoverflow uses, using PHP?
For a long time I have developed websites, and have used a typical web form username/password with a mysql db for login systems.
I would like to have it so users can log into the system using google, yahoo, facebook, etc, and without them having to remember some long openid url (they should just click google and be able to log in using their username/password there).
I would prefer not to use a service provider (such as RPX) to implement this.
If you want to implement it yourself, here is a great walkthrough. There's also the PHP OpenID Library, but that's probably a lot more than you need.
Here is the client-side OpenID selector that SO uses on its login screen.
Edit: Stack Overflow no longer uses the one that I linked to, but it still works, as far as I'm aware.
Check which pages clicking those buttons sends you to and then just redirect your users to those pages. They are all "openid" providers so you just need an open id library on your end to verify the response.
I use this one in PHP http://openidenabled.com/php-openid/. They have some good examples in that package to get you started.
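As an added example (not code from the answer above), here is the redirect-then-verify flow with the php-openid consumer API named in the answer (`Auth_OpenID_Consumer`, `begin()`, `redirectURL()`, `complete()`, as shown in the library's own consumer example). The provider endpoint URLs, the store path and the function names are assumptions; the point is that only a response that `complete()` reports as `Auth_OpenID_SUCCESS` identifies the user.

```php
<?php
// Added example: OpenID 2.0 relying party using the JanRain php-openid library.
// Assumes the library is on the include path and that the store directory is
// writable by the web server but not served to clients.
require_once 'Auth/OpenID/Consumer.php';
require_once 'Auth/OpenID/FileStore.php';

session_start(); // the consumer keeps discovery state in $_SESSION

// Endpoints the "Google" / "Yahoo" buttons send the user to. These are
// constructed placeholders; take the real values from the provider.
$openidProviders = [
    'google' => 'https://op.google.example/openid',
    'yahoo'  => 'https://op.yahoo.example/openid',
];

function openid_consumer(): Auth_OpenID_Consumer {
    // Associations and nonces are persisted here so replayed responses are rejected.
    $store = new Auth_OpenID_FileStore('/var/lib/php-openid-store');
    return new Auth_OpenID_Consumer($store);
}

// Step 1: the user clicked a provider button. Run discovery on the provider
// endpoint and return the URL to redirect the browser to.
function start_openid_login(string $provider, string $trustRoot, string $returnTo): string {
    global $openidProviders;
    if (!isset($openidProviders[$provider])) {
        throw new InvalidArgumentException('unknown provider');
    }
    $request = openid_consumer()->begin($openidProviders[$provider]);
    if (!$request) {
        throw new RuntimeException('OpenID discovery failed');
    }
    // $returnTo must be under $trustRoot; the provider asks the user to approve $trustRoot.
    return $request->redirectURL($trustRoot, $returnTo);
}

// Step 2: the provider redirected back to $returnTo. complete() checks the
// signature (via the stored association or check_authentication), the nonce
// and the return_to URL; trust nothing in the query string before it succeeds.
function finish_openid_login(string $returnTo): ?string {
    $response = openid_consumer()->complete($returnTo);
    if ($response->status !== Auth_OpenID_SUCCESS) {
        return null; // Auth_OpenID_CANCEL or Auth_OpenID_FAILURE: do not log the user in
    }
    // The verified claimed identifier is the stable key for the local account row.
    return $response->getDisplayIdentifier();
}
```

Map the returned identifier to a local account in your own database; a display name or e-mail in the response is only trustworthy if it was requested through an extension and the provider signed it.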
If you're looking at using preexisting code, the Zend Framework provides OpenID support. While the library itself is fairly large, you should be able to use individual components in a relatively stand-alone way.