I would like to see a generalized solution in OpenACS (something that would allow anyone to add new authentication sources as needed without intimate knowledge of OpenACS). What would be the best way to do this? Is there a way to do it that would allow us to tap into existing code (e.g. pam modules[1])? What about...
- External authentication without losing the "I forgot my password... please send me a new one" function
- Fallback mechanisms: e.g. check LDAP... if not in LDAP check Active Directory... if not in AD check the OpenACS DB
- Single signon: e.g. logon to the campus (or company) IMP WebMail[2] server and seamlessly surf over to the dotLRN/OpenACS server without having to reauthenticate (something that allows policies that define which systems should have shared authentication)
- Automatic signon: as in one system on the other side of the world accepting the authentication of another (cross-institutional authentication and authorization services... see Shibboleth[3]... .NET Passport[4])
Is OKI AuthN API the answer[5]? Is this a good time to think about an IMS[6] ID for users as well?
[1] http://www.kernel.org/pub/linux/libs/pam/modules.html
[2] http://www.horde.org/imp/
[3] http://middleware.internet2.edu/shibboleth/shibboleth-project.html
[4] http://www.microsoft.com/netservices/passport/
[5] http://web.mit.edu/oki/specs/specs-authn.html
[6] http://www.imsglobal.org/specifications.cfm
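The fallback chain and the "forgot my password" point above interact in a way that is easy to get wrong, so here is an added illustration (not OpenACS code, and not a real LDAP/AD client): a pluggable chain of authorities where each one reports whether the account is unknown, the password is wrong, or the backend is down, and declares whether it owns the password (and so can offer a reset). The authority names, account data and outage flag are all constructed for the demo.

```python
"""Pluggable authentication chain with an explicit fallback policy.

Constructed stand-ins for "check LDAP, then AD, then the OpenACS DB".
Key design points:
  * the chain only falls through on NO_ACCOUNT, never on BAD_PASSWORD,
    so a stale local copy of an externally managed account is not a
    second chance at guessing the password;
  * falling through on UNAVAILABLE is opt-in, because it silently
    changes which credential store is authoritative during an outage;
  * only an authority that owns the password can offer a reset.
"""
import enum
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Protocol


class Outcome(enum.Enum):
    OK = "ok"                  # account found, password verified
    BAD_PASSWORD = "bad_pw"    # account found, password wrong: stop here
    NO_ACCOUNT = "no_account"  # unknown here: try the next authority
    UNAVAILABLE = "unavail"    # backend outage: policy decides


@dataclass(frozen=True)
class AuthResult:
    outcome: Outcome
    authority: Optional[str] = None  # which authority gave the verdict


class Authority(Protocol):
    name: str
    supports_password_reset: bool
    def knows(self, username: str) -> bool: ...
    def authenticate(self, username: str, password: str) -> Outcome: ...


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalDbAuthority:
    """Stand-in for the local users table: salted PBKDF2, constant-time compare."""
    supports_password_reset = True  # we hold the credential, so we may reset it

    def __init__(self, name: str, accounts: dict):
        self.name = name
        self._rows = {}
        for user, pw in accounts.items():
            salt = os.urandom(16)
            self._rows[user] = (salt, _pbkdf2(pw, salt))

    def knows(self, username):
        return username in self._rows

    def authenticate(self, username, password):
        row = self._rows.get(username)
        if row is None:
            return Outcome.NO_ACCOUNT
        salt, digest = row
        ok = hmac.compare_digest(_pbkdf2(password, salt), digest)
        return Outcome.OK if ok else Outcome.BAD_PASSWORD


class ExternalAuthority:
    """Stand-in for an LDAP/AD bind (constructed; no network). The directory
    owns the password, so a local 'send me a new one' is impossible here."""
    supports_password_reset = False

    def __init__(self, name: str, accounts: dict, available: bool = True):
        self.name, self._accounts, self.available = name, dict(accounts), available

    def knows(self, username):
        return username in self._accounts

    def authenticate(self, username, password):
        if not self.available:
            return Outcome.UNAVAILABLE  # simulated directory outage
        if username not in self._accounts:
            return Outcome.NO_ACCOUNT
        ok = hmac.compare_digest(self._accounts[username], password)
        return Outcome.OK if ok else Outcome.BAD_PASSWORD


def authenticate(chain, username, password, skip_unavailable=False) -> AuthResult:
    """Walk the chain in order; fall through only where policy allows."""
    for auth in chain:
        outcome = auth.authenticate(username, password)
        if outcome is Outcome.NO_ACCOUNT:
            continue
        if outcome is Outcome.UNAVAILABLE and skip_unavailable:
            continue
        return AuthResult(outcome, auth.name)
    return AuthResult(Outcome.NO_ACCOUNT)


def password_reset_allowed(chain, username) -> bool:
    """Reset is offered only by the first authority that knows the account."""
    for auth in chain:
        if auth.knows(username):
            return auth.supports_password_reset
    return False


def demo_chain(ldap_available=True):
    """Constructed three-tier chain; 'alice' also has a stale local copy."""
    return [
        ExternalAuthority("ldap", {"alice": "ldap-pw"}, available=ldap_available),
        ExternalAuthority("ad", {"bob": "ad-pw"}),
        LocalDbAuthority("openacs-db", {"carol": "db-pw", "alice": "stale-pw"}),
    ]


if __name__ == "__main__":
    chain = demo_chain()
    print(authenticate(chain, "alice", "ldap-pw"))
    print(authenticate(chain, "alice", "stale-pw"))   # stops at ldap
    print(authenticate(demo_chain(False), "alice", "ldap-pw", skip_unavailable=True))
    print(password_reset_allowed(chain, "alice"), password_reset_allowed(chain, "carol"))
```

The last call shows the cost of falling through on outages: with LDAP down, alice's correct directory password is judged against the stale local row and rejected, and a stale local password would instead be accepted. Whether that is acceptable is a policy decision each deployment should make deliberately rather than inherit from a loop that treats every non-OK result as "try the next one".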