Request for Comments: Unified and single signon for OpenUru?

Discussions about administration, management, technology and development

Moderator: OpenUru.org Moderators

Post Reply
User avatar
rarified
Member
Posts: 800
Joined: Tue Dec 16, 2008 10:48 pm
Location: Colorado, US

Request for Comments: Unified and single signon for OpenUru?

Post by rarified » Thu Feb 03, 2011 11:30 pm

I'm currently bringing up some more back-end tools to add to the toolbox here at OpenUru. We're starting to get to the point where these tools can interact, such as having the Fisheye/Crucible code browser have access to source repositories (including the small one I host), or have access to bug tracking tools such as Mantis or JIRA to link changes to bugs.

To do this I've been thinking about inter-tool authentication. For the examples above, I can use private authentication and no user needs ever know. But in the current state, if a user wants to use the repository, they have to log in for access. If they then want to use Fisheye, they once again need to log in there. Likewise for the forums, wiki, et al.

Is there a desire to unify authentication between OpenUru facilities, so that a single signon to any one of the portals can carry an authentication token to grant access to some or all other OU tools? If so, now is the time to start thinking about it. I probably could do it with an LDAP-backed OAuth (open auth) implementation, although I need to check if some of the repository toolkits will use that. Certainly anything web based should be able to do so (PHP based, apache, etc).

Comments?

_R
One of the OpenUru toolsmiths... a bookbinder.

User avatar
JWPlatt
Member
Posts: 1099
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Request for Comments: Unified and single signon for Open

Post by JWPlatt » Fri Feb 04, 2011 12:11 am

We've already integrated the wiki and the forum logons to stop wiki spam, so I guess we're already on the slippery slope. I was actually doing my best to avoid all customization when we started OU, including keeping all resources with their own separate logons. But as we progress, other needs become apparent and we do more integration. Spam was the driving force behind it, but now site navigation is revealing this kind of necessity.

With a deep sigh, yes, I think we should look at it, and hopefully master it from phpBB or a central website registration. We could install a token instance of Joomla to deploy jFusion to bridge the site, forums and various resources, with some custom work likely. Or we could do something like LDAP. The biggest problem is timely and easy upgrades of any single resource at any time. That kind of maintenance and account synchronization is hard on an integrated system. I don't want it to cause upgrades to halt because of the sheer effort involved. I'd like to make sure we can make easy upgrades of any resource the same day a security release is issued.

Given that and the resources involved (phpBB, MediaWiki, Wordpress, Mantis, and JIRA/etc), what are the options?


JW
Perfect speed is being there.

User avatar
rarified
Member
Posts: 800
Joined: Tue Dec 16, 2008 10:48 pm
Location: Colorado, US

Re: Request for Comments: Unified and single signon for Open

Post by rarified » Fri Feb 04, 2011 12:36 am

Consider as well that there are two degrees to which this can occur.

The simpler is to have a common backend authority for user info, but let each tool still authenticate in it's own way against that data.

Then the is the more integrated one-signon-for-a-session model which is more complex.

I hear you on wanting to make the maintenance tasks as simple as possible. Perhaps we don't have the usage to warrant this yet. But it is one of those time to ask the question.

I'll research the stuff I'm familiar with and post soon.
One of the OpenUru toolsmiths... a bookbinder.

User avatar
T_S_Kimball
Member
Posts: 27
Joined: Sun Dec 21, 2008 2:05 am
Location: www.mysterium.net
Contact:

Re: Request for Comments: Unified and single signon for Open

Post by T_S_Kimball » Mon Feb 07, 2011 10:29 am

I considered suggesting pubcookie for your SSO (which we use at work, linked to a 'Sun' LDAP system), but realized that it requires some heavy changes to the Apache master config.

I don't believe you have access to that on BlueHost (hint to JW - get a custom favicon! 8-) ).
Timothy S. Kimball - www.sungak.net
SL - Alan Kiesler (retired) || Eve Online - Alain Kinsella

User avatar
JWPlatt
Member
Posts: 1099
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Request for Comments: Unified and single signon for Open

Post by JWPlatt » Mon Feb 07, 2011 9:24 pm

T_S_Kimball wrote:get a custom favicon! 8-) ).
Thanks! We're at the point where some attention to little details like this are very appreciated. I did a quick icon that isn't that great. I'll get something better soon.
Perfect speed is being there.

User avatar
JWPlatt
Member
Posts: 1099
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Request for Comments: Unified and single signon for Open

Post by JWPlatt » Fri Feb 11, 2011 6:20 am

rarified is looking at Atlassian Crowd now under an eval licence and I have already applied for a full license. We should have that with 10 days.

I didn't look closely at Crowd or apply for a license before because I thought SSO was beyond our needs. But now that rarified is test driving it, because it is felt we actually do need SSO, I'm taking a closer look. And I'm sold. Besides SSO, "Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine grained access by group or user." I think rarified has been having to do things with the repository more or less manually so far. But if this works for you, rarified, it's worth a lot. We could really use a web UI for account owners to set rights and manage the repo.

That said, it's only most important to put SSO on the Foundry/Atlassian tools. I wouldn't mind not integrating it with the forums, wiki, blogs and bugs (Mantis). The forums and wiki are already sharing logon. If it's a no-brainer and we can use Crowd to integration authentication for all our resources with minimal effort, that might be okay. But if it's take a lot of T&E (time and effort), maybe not.
Perfect speed is being there.

User avatar
JWPlatt
Member
Posts: 1099
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Request for Comments: Unified and single signon for Open

Post by JWPlatt » Fri Feb 11, 2011 9:57 pm

License received and available. :)
Perfect speed is being there.

User avatar
JWPlatt
Member
Posts: 1099
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Request for Comments: Unified and single signon for Open

Post by JWPlatt » Sat Feb 12, 2011 4:07 am

rarified,

Does this look familiar?
http://blog.justjohn.us/2010/04/ldap-authentication/

Maybe it's too late if you've gotten it going already, but worth a look just to know you did it right. ;) Looks good to enable nested groups if you didn't already.

Also, I think it's critical to offer a choice between Subversion or Mercurial. Those are the big two I'd like to see supported, but I only see Subversion mentioned in the Crowd literature. Maybe there's a plugin?
Perfect speed is being there.

User avatar
JWPlatt
Member
Posts: 1099
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Request for Comments: Unified and single signon for Open

Post by JWPlatt » Mon Feb 14, 2011 3:45 am

I contacted Atlassian about Mercurial support for Crowd.
JWPlatt wrote:The literature for Crowd lists only Subversion, but I know Atlassian wants to be "repo agnostic." I am very interested in support for Mercurial too. So can Crowd support Mercurial with all the fine-grained security features available to Subversion?
I got their reply earlier today:
Atlassian wrote:This is the first time we receive this request so, thanks for making it :-)

I've created the following Feature Request for this:

http://jira.atlassian.com/browse/CWD-2267

Please vote on this issue and add it to your JIRA watch list for future updates.
Also, feel free to add any comments you think are necessary and/or important.

Our Dev Team will review the request and schedule it accordingly.
Make sure to register, watch and vote!

I replied:
JWPlatt wrote:Wow, that's incredible no one else has suggested this. With your purchase of bitbucket last year, which supports svn and hg, and statements of repo agnosticism, I figured it was on everyone's mind.

Thanks for entering the Crowd feature request.

By the way, I found that even though I have an account here, I had to open another new one there to vote. Why not implement Single Sign On for all your instances? ;)
And a very prompt reply:
Atlassian wrote:Hi,

The Atlassian Web sites don't use Crowd because of the number of users the instances have (~300K) and because they exist since a time when we hadn't yet acquired Crowd.

You can see more details here (http://jira.atlassian.com/browse/CWD-1726).
Ironic indeed. Underlines for emphasis: Does that also mean it's too late for any accounts registered before Crowd is installed?

Again, make sure to watch and vote on this feature:
http://jira.atlassian.com/browse/CWD-2267

By the way, a support ID will soon be necessary to obtain Atlassian support. We have an ID for all our Atlassian tools.
Perfect speed is being there.

Post Reply

Return to “Domain Development”

Who is online

Users browsing this forum: No registered users and 1 guest