I've got a proposition for a new feature for Moodle: an SSO module based on OpenID. I wonder if anybody has tried to do something similar.
It could be a great thing for integrating Moodle with other applications (example: Moodle and Drupal (http://lampuniversity.org)) without changing core code.
What do you think about that?
A presentation giving an overview of OpenID: http://www.openidenabled.com/resources/drupal/openid.html
best regards
Sebastian Komorowski
Re: OpenID module (Single-Sign-On with another apps)
On Drupal's side we are thinking along the lines started at http://groups.drupal.org/node/1048
Re: OpenID module (Single-Sign-On with another apps)
Thomas,
the 2nd slide in that URL says
Not a trust system. "Trust requires identity first"
which means that it is not like LDAP. It also means that it is not a valid means for SSO for most of the uses I can think of.
What kind of scenarios would you use OpenID in?
Re: OpenID module (Single-Sign-On with another apps)
In fact OpenID and LDAP are not the same, but similar. There are a lot of other techniques, too.
OpenID is a very popular authentication method for web access and user verification.
You may use one of the public servers like https://getopenid.com/, http://www.myopenid.com/ or one of the others, but you may also create your own OpenID server.
The benefit is to have centralized user authentication.
Re: OpenID module (Single-Sign-On with another apps)
In fact OpenID and LDAP are not the same, but similar.
Can you elaborate on the point? It doesn't make much sense to me, having worked a lot with LDAP, PAM, done a few SSO implementations. I mean we can say they are "similar" at a naive high level. But we are talking underlying protocols, trust models and implementations, right?
LDAP is a directory (OpenID is not), LDAP can be used as a trust system (especially strong when paired with Kerberos -- OpenID cannot be used as a trust system and cannot work in a Kerberized environment). LDAP cannot do SSO, where OpenID can -- IOWs LDAP is a tcp/ip protocol, OpenID is a Web2.0 protocol.
LDAP has a lot of support for delegation, caching, mirroring, recursive querying, a full blown search system. OpenID does not have any of these.
LDAP can be a data repository (albeit it is not an RDBMS but a tree-structured database) and is widely used to distribute host configuration data (it is one of the uses of AD, and also used a lot in the unix space for network-wide management). OpenID has nothing in that area.
So, both run on TCP/IP. Both can validate a username, though with radically different approaches (and features/limitations). So the overlap is minimal in my book.
Which is good of course. Different tools fit different scenarios -- I don't want to have a million tools that do exactly the same with different name, protocol and configuration.
But anywhere you'd clearly use LDAP, you would not use OpenID. And vice versa.
Re: OpenID module (Single-Sign-On with another apps)
OpenID has some flexible options wrt user management -- you can pull user info from anything from a .pwd file to a mysql db to an LDAP directory -- so, it's possible to integrate OpenID cleanly and simply alongside legacy systems without duplicating user data -- I give an overview of these, and other, details in this blog post.
Cheers,
Bill
Re: OpenID module (Single-Sign-On with another apps)
LDAP can be used as an SSO system. You just have multiple applications (even web ones like KnowledgeTree) access the same LDAP server for user authentication.
And OpenID can have trust layered on top of it. You should never confuse "not included in the protocol" with "incapable of integration with." Almost any trust mechanism could be layered on top of OpenID. OpenID just doesn't require one in order to keep the protocol lightweight.
Saying OpenID can't have a trust mechanism is like saying HTTP can't do SSL.
Re: OpenID module (Single-Sign-On with another apps)
RE: "Your post is interesting but quite misinformed." -- as you and I are saying similar things, I'm assuming your comment doesn't apply to me.
From the way this forum displays comments, the "post" to which you refer is not immediately clear.
Cheers,
Bill
Re: OpenID module (Single-Sign-On with another apps)
This provides the same username and password, but how would you do SSO (user only enters their username and password once, and is authenticated on a set of different applications) with LDAP only?
AFAIK, you need a server side authentication system such as pubcookie or CAS (which may use LDAP as the directory server) to provide SSO. From wikipedia anyway, it sounds like OpenID is not a good choice for securing sensitive information like student grades and identities?
http://en.wikipedia.org/wiki/OpenID
Vs. CAS and PubCookie.
Re: OpenID module (Single-Sign-On with another apps)
RE: LDAP -- this is also my experience -- multiple apps accessing an LDAP server provide the same username and password for every app, but do not provide SSO.
However, the OpenID info you give needs to be examined in a little more detail.
Consider this scenario:
A school sets up an OpenID server, and several sites as OpenID client sites. The OpenID client sites can be configured to only accept logins from the school's OpenID server. So, any login from an outside OpenID server will be summarily rejected.
For the OpenID SSO to work, the owner of the OpenID profile must choose to trust the client site. This trust can be granted forever, once, or not at all, and it can be revoked at any time. So, OpenID does not give a blank check to all the sites within a network -- the user must determine which sites to trust -- and then, within each individual site, the user can be given privileges accordingly.
Additionally, with OpenID, the user chooses what info to share with each site -- the OpenID protocol does not manage identity -- it just manages SSO -- the simple registration extension allows for some profile management across sites, but this is an extension to the protocol, not a part of it.
OpenID doesn't secure "sensitive information like student grades and identities" -- the web sites/databases do that -- OpenID is *only* an SSO mechanism -- security on a site using OpenID is largely like security on a site using any other SSO mechanism -- the single greatest threat to security will always be a user compromising the integrity of their login or password.
And the day someone shows me a protocol that can protect against that -- well, that would be quite the invention.
The wikipedia page on OpenID is woefully general, and like most things general, prone to inaccuracies. A better starting point for what OpenID can and can't do is http://www.openidenabled.com/
Also, wrt security, OpenID worked for Verisign. Their FAQ also gives insight -- albeit in non-technical terms -- into what OpenID can and can't do.
Cheers,
Bill
Re: OpenID module (Single-Sign-On with another apps)
and beneath this page one with a multi-party diagram do shed some light on how OpenID works. A similar diagram is behind Pubcookie, the difference being OpenID is multi-site, multi-organization.
Really, the thing to do is to take this guy for a spin and watch it work.
With some small effort, I could see how the Moodle user profile could be enhanced with OpenID.
As people have pointed out, OpenID is NOT SSO. OpenID is merely a shared identity service. SSO can presumably be added on top of OpenID to allow one to sign in only once across multiple sites/applications. The default OpenID implementation still requires users to sign on per site/application.
Re: OpenID module (Single-Sign-On with another apps)
I will try to do it.
If a site needs high security, then it has a few options. One is requiring an additional password for really important areas. Another is building trusted relationships with multiple OpenID servers.
Re: OpenID module (Single-Sign-On with another apps)
I think that it will be useful for Moodle.
On the Elgg roadmap there is a point about OpenID integration. There is a module for Drupal. There is a possibility to integrate it in that way with Moodle.
I think that it will be useful for Moodle if you have your own OpenID server and you can filter your users for some specific access rights. For example, you have Elgg blogs with OpenID as the login. Then you accept only those logins which are from your OpenID server; the rest have only guest access or some simple rights.
Maybe I'm wrong ;) I don't know yet.
Re: OpenID module (Single-Sign-On with another apps)
Will you share that code?
It will be really nice ;)
Sebastian
Re: OpenID module (Single-Sign-On with another apps)
If we have Elgg/Moodle integration with Elgg as the OpenID server, we can use it for better control of the data flowing to each application and of course SSO.
You can control access rights for the users by checking the domain name and closing the registration process to your OpenID server.
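The relying-party side of the "only accept logins from the school's OpenID server" scenario described earlier in the thread, and the "check the domain name, everyone else gets guest rights" idea in the post above, as an added example that is not Moodle, Drupal or Elgg code. It assumes an OpenID 2.0 positive assertion already parsed into a dict of openid.* fields and the association MAC key shared with the provider; the endpoints, key, nonce and handle are constructed sample values, and `assertion_from` is a stand-in for the provider used only to build test input.

```python
# Added example, not Moodle/Drupal/Elgg code. Relying-party side of the
# "only accept logins from the school's OpenID server" scenario; all values
# (endpoints, MAC key, nonce, handle) are constructed.
import base64, hashlib, hmac
from urllib.parse import urlsplit

NS = "http://specs.openid.net/auth/2.0"
# Fields the signature must cover in an assertion that names an identifier.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def kv_form(fields, signed):  # Key-Value form the OpenID signature covers
    return "".join(f"{f}:{fields[f]}\n" for f in signed)

def verify_signature(params, mac_key):
    """Recompute HMAC-SHA256 over the openid.signed fields and compare."""
    signed = params.get("openid.signed", "").split(",")
    fields = {f: params.get("openid." + f) for f in signed}
    if not REQUIRED_SIGNED.issubset(signed) or None in fields.values():
        return False  # a required field is unsigned, or a signed field is absent
    want = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    try:
        got = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(want, got)

def provider_host(endpoint):
    """Host of the OP endpoint; userinfo, port and case are ignored, so
    https://idp.school.example@evil.example/ resolves to evil.example."""
    parts = urlsplit(endpoint)
    return parts.hostname.lower() if parts.scheme == "https" and parts.hostname else None

def role_for(params, mac_key, trusted_hosts):
    """'member' for a verified assertion from a trusted provider, 'guest' for a
    verified one from anywhere else, 'reject' when it does not verify."""
    if params.get("openid.ns") != NS or params.get("openid.mode") != "id_res":
        return "reject"
    if not verify_signature(params, mac_key):
        return "reject"
    # A real RP also checks return_to, nonce freshness and that op_endpoint is
    # the one discovery on claimed_id returned; assumed done before this point.
    return "member" if provider_host(params["openid.op_endpoint"]) in trusted_hosts else "guest"

def assertion_from(op_endpoint, user, mac_key):
    """Constructed stand-in for the provider: a signed positive assertion."""
    fields = {"op_endpoint": op_endpoint, "return_to": "https://moodle.example/login",
              "response_nonce": "2024-01-01T00:00:00Zabc", "assoc_handle": "h1",
              "claimed_id": f"{op_endpoint}/{user}", "identity": f"{op_endpoint}/{user}"}
    signed = list(fields)
    sig = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    params = {"openid.ns": NS, "openid.mode": "id_res", "openid.signed": ",".join(signed),
              "openid.sig": base64.b64encode(sig).decode()}
    params.update({"openid." + k: v for k, v in fields.items()})
    return params
```

Matching on the hostname of the signed op_endpoint rather than on a substring of the identifier is what keeps a lookalike such as `https://idp.school.example@evil.example/` in the guest bucket.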
Re: OpenID module (Single-Sign-On with another apps)
I was just trolling through the forums looking for info on Pubcookie integration and saw your post. Have you been having much success getting it to work?
Thanks,
Michael
Re: OpenID module (Single-Sign-On with another apps)
OpenID Plugin for Moodle 1.6 now available | Bill Fitzgerald
Congratulations!
Sebastian