[TriLUG] SSO in a mixed world

Brian McCullough bdmc at buadh-brath.com
Tue Nov 4 11:49:14 EST 2014


Folks,

Looking for war stories, bright ideas, and conversation, as usual.


I am in an environment with a couple of Joomla sites, an Alfresco site,
Windows log-ins, a Citrix gateway, and possibly something else that I
have forgotten.


The "boss" here has decided that he wants a version of Single Sign On,
probably pretty classical, where once somebody logs in, they are allowed
into any of the "services" without any more questions.

Unfortunately, he doesn't want to use AD as the master database.  His
idea is that one of the Joomla instances has (or will have) the most
complete list of users, so wants to use that.  (or something like that)

I'm having a bit of trouble getting my head around some of this, so came
to "the oracle."


First of all, each of the web sites is set up so that you can create a
"basic" account on your own, no administrator involved.  So, if you go
to Alfresco for the first time, it will ask your name and create an
account.  Similarly, if you go to one of the Joomla sites for the first
time.

There are certain restrictions; you have to be permitted to log in to
one of the Joomla sites or Citrix, and write access is also limited.

Also, the Alfresco site is used to store documents that are referenced
from both of the Joomla sites.


I think that I could set something up that would maintain an LDAP
database by "scraping" the two Joomla sites and the Alfresco site, and
then use standard Apache SSO tools, but that seems "clunky" or even
kludgy and I also have another question related to that.

What mechanism would, say, Joomla use, behind the Apache Basic Auth SSO,
to authorize and authenticate the users?  Yes, Apache has let you into
the site, but how does Alfresco know that?


I think that that is a long enough start, so I will pause and see what
you have to say.



Thank you,
Brian
