Forum .LRN Q&A: Response to External Authentication

Posted by Malte Sussdorff on
Hi Carl, Al,

for AIESEC we needed to implement a single sign-on and authentication for IMP Mail and another system, not using LDAP.

What we ended up doing was storing the password of the other application in our database and sending this information through a redirect / registration page.

As for LDAP, it was easy to get ACS to use LDAP, which IMP was using as well. We have portlets showing you the latest email in your mailbox.

But this was always a fix for a certain situation. Maybe we can explore using something like Passport or anything else that allows us a single sign-on process for multiple applications. But always be aware that ACS will only be one application among many, so we might be stuck with other applications that do not like single authorization/sign-on.

Furthermore, will we need to store the user data in one place or keep it in multiple places? Should a user be able to update his address in one place, but use it in all applications? How can this be handled (we use direct database communication, which is not really the way to go, but it was fast and convenient)?

I'm not sure how much hassle it would be to allow OpenACS to answer LDAP, Kerberos, X.509, RADIUS, you name it, authorization requests. But if it is fairly easy, this might be the preferable way, with exporting the user data add/edit function as a web service as well, so we could plug this into the webmail functionality. But here again, web services still seem to me like a lot of vapourware.

Concerning the OKI API, would it be possible to just load them into ns_java and access them from there?
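The post describes two ways of handing a logged-in user over to a second application: forwarding a stored copy of the other application's password through a redirect, or a proper single sign-on mechanism. The following is an added example, not Malte's code and not part of OpenACS, .LRN or IMP, of the second shape in its simplest form: the first application issues a short-lived, single-use token signed with HMAC-SHA256 under a secret shared with the second application, and the second application verifies it before creating a session. The function names, the `sso` query parameter and the constructed shared secret are assumptions made for this example.

```python
"""Signed, short-lived hand-off token for a single sign-on redirect.

Added example, not code from the original post or from OpenACS/.LRN/IMP.
The shared secret, the parameter name and the helper names are assumed
for illustration. Nothing here stores or forwards the user's password:
the receiving side only learns the user id, and only for a token that is
correctly signed, unexpired and not yet used.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed secret for this example. In a real deployment it is shared
# out of band between the two applications, never sent to the browser.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_LIFETIME_SECONDS = 60


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, secret: bytes = SHARED_SECRET,
                now: Optional[float] = None) -> str:
    """Issuing side: bind user id, expiry and a random nonce under an HMAC."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
        "nonce": _b64(os.urandom(16)),  # makes every token single-use
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def build_redirect_url(target_login_url: str, token: str) -> str:
    """Issuing side: the URL the browser is redirected to (parameter name assumed)."""
    return target_login_url + "?" + urlencode({"sso": token})


class TokenVerifier:
    """Receiving side: accepts a token once, only while valid and correctly signed."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self._secret = secret
        self._seen_nonces = set()  # replay cache; a shared store in a real deployment

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the token asserts, or None if it must be rejected."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        # Check the signature before parsing anything, with a constant-time compare.
        expected = _b64(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        try:
            payload = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(payload, dict) or payload.get("exp", 0) < now:
            return None  # expired (or malformed)
        nonce = payload.get("nonce")
        if not nonce or nonce in self._seen_nonces:
            return None  # replayed token
        self._seen_nonces.add(nonce)
        return payload.get("sub")


if __name__ == "__main__":
    verifier = TokenVerifier()
    tok = issue_token("alice")
    print(build_redirect_url("https://webmail.example.test/login", tok))
    print("first use:", verifier.verify(tok))   # alice
    print("second use:", verifier.verify(tok))  # None (replay rejected)
```

Because the token travels in the redirect URL it will show up in web server logs and Referer headers, which is why it is short-lived and single-use; a token that is accepted is exchanged for an ordinary session on the receiving side and never reused. The same structure also applies when the user's profile data is to be fetched rather than the login forwarded: the receiving application asks the issuer by user id instead of holding its own copy of the credentials.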