OpenID (or similar) authentication

For prolific users of online services like ourselves, having the ability to authenticate users from a single, authoritative source is a recurring need. OpenID seems to be the winning way of doing such things of late - the integration with Zoho Office being a particularly nice example of how it can work:

http://blogs.zoho.com/general/zoho-extends-openid-support-to-google-apps-welcomes-google-apps-users-to-try-zoho-business-apps

Regards,

Paul

2 comments

  • 0
    Isaac Reuben

    Hey Paul,

    We'd really like to do something like this!  We support LDAP for installed versions of Shotgun, but we'd like to have something that works for hosted too.  Do you think it should work so that your Shotgun site admin configures your site to look at one other OpenID provider (a Google Apps domain, for instance) and anyone who can authenticate against that provider can then log in to your site (and have an account created as needed)?  Or should this be a per-user pref, where a user would start off by logging in with a normal user and password provided to them by the Shotgun site owner, but could then switch their prefs to point to an OpenID provider for authentication instead?  The first way lets you centrally control access to a bunch of sites for all your company's users, and the second way lets an individual not need to have a separate login/password for Shotgun.  Also, would you like to have Shotgun be an OpenID provider?

    Anyone else using any other types of single sign-on technology?  One of our clients was using CAS (http://www.jasig.org/cas), but other than that I've only seen people using LDAP (which still requires users to login to each site, but at least any password changing or account disabled is centralized).

    Cheers,

    - Isaac

  • 0
    Paul Nendick

    Hello Isaac,

    Sorry for taking so long to respond to your comments. 'Tis the season for cramming in loads of work! 

    Anyway, you asked:

    """

    Do you think it should work so that your Shotgun site admin configures your site to look at one other OpenID provider (a Google Apps domain, for instance) and anyone who can authenticate against that provider can then log in to your site (and have an account created as needed)?  Or should this be a per-user pref, where a user would start off by logging in with a normal user and password provided to them by the Shotgun site owner, but could then switch their prefs to point to an OpenID provider for authentication instead?

    """

    I think the former use case is more interesting to me and the company I work with. The original query I posted is driven by a need we have to carefully manage our online information systems to remain compliant with our clients' and governing bodies' security requirements. If we are able to manage and control our users' credentials centrally in a single, trusted auth provider, we minimise our exposure to risks such as software issues, weak passwords and mis-management of user access. I'm going to have to think a bit about how we'd prevent people from automagically creating themselves an account on Shotgun when they might not need one. We might want to provide people an account on our primary OpenID provider but not Shotgun. Perhaps that process could require an Administrator approval within Shotgun?

    The second use case sounds a bit easier for Administrators and Users both (if perhaps a bit confusing for first-time users). But I do worry this option would make it difficult to enforce password strength requirements across multiple authentication domains. So overall the first use case seems best.

    """

    Also, would you like to have Shotgun be an OpenID provider?

    """

    Hmm, at first blush, I think I would personally carry on using Google for ours, but why not? If it's not too painful for you lot to implement, it'd be great to promote the idea among your users. It'd fit right in with your other trailblazing achievements. :)  And while I hesitate to imagine how I'd use it immediately, I reckon it could lead to some interesting mash-up ideas later.

    """

    Anyone else using any other types of single sign-on technology?  One of our clients was using CAS (http://www.jasig.org/cas), but other than that I've only seen people using LDAP (which still requires users to login to each site, but at least any password changing or account disabled is centralized).

    """

    I've seen some poorly-done bespoke solutions at other, Major Post Production Studios. They tend to be poorly-done look-alikes of CAS. But CAS is, for me, not that terribly interesting as it really only addresses application-level authorisation/authentication. The holy grail is to have a single authority where one can grant, revoke and delegate permissions to users. Mac OS X Server Open Directory is probably the best solution I've yet seen for this, but it's still not that easy making all its LDAP/Kerberos voodoo work correctly with Linux clients. Hopefully the OpenID approach, being more web-centric and being built without legacy concerns, will fare better. It still gets my vote anyway.

    Ramblingly yours,

    Paul
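The first model discussed in this thread (the site admin trusts exactly one OpenID provider, accounts are created as needed, and Paul's suggestion that creation should wait for an Administrator's approval) can be expressed as relying-party policy code. This is an added illustration, not Shotgun's implementation; the provider hostname, identifiers and function names are constructed, and it assumes the OpenID library has already verified the assertion's signature before this policy runs.

```python
# Added example (not Shotgun's code): relying-party policy for the
# "one trusted OpenID provider" model with admin-gated account creation.
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class SitePolicy:
    trusted_op_host: str                 # the single provider the site admin configured
    require_admin_approval: bool = True  # hold auto-created accounts for an admin
    users: dict = field(default_factory=dict)  # claimed_id -> "active" | "pending"


def login_with_openid(policy: SitePolicy, claimed_id: str, op_endpoint: str) -> str:
    """Decide what to do with a positive assertion the OpenID library has
    already verified. Returns a short decision string for the caller."""
    # Trust hinges on the provider endpoint the assertion was verified
    # against, not on the user-typed identifier: anyone can run a provider.
    if urlparse(op_endpoint).hostname != policy.trusted_op_host:
        return "rejected: untrusted provider"
    status = policy.users.get(claimed_id)
    if status == "active":
        return "login"
    if status is None and not policy.require_admin_approval:
        policy.users[claimed_id] = "active"        # "account created as needed"
        return "login"
    policy.users.setdefault(claimed_id, "pending")  # wait for an administrator
    return "denied: awaiting admin approval"


def approve(policy: SitePolicy, claimed_id: str) -> bool:
    """Site admin promotes a pending account; False if nothing was pending."""
    if policy.users.get(claimed_id) != "pending":
        return False
    policy.users[claimed_id] = "active"
    return True


if __name__ == "__main__":
    # Constructed values: a company provider and one user identifier.
    site = SitePolicy(trusted_op_host="openid.example-studio.com")
    uid = "https://openid.example-studio.com/id/paul"
    print(login_with_openid(site, uid, "https://other-op.example.net/op"))
    print(login_with_openid(site, uid, "https://openid.example-studio.com/op"))
    print(approve(site, uid))
    print(login_with_openid(site, uid, "https://openid.example-studio.com/op"))
```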
