On Wed, 2 Feb 2005 03:40:40 +0200, Ksenia Marasanova wrote:
>
> I wonder what other people think about the following. I want to build a
> system that will authenticate users across multiple sites, so users
> have to log in only once on one site, and then just click on a link
> and go to another site with their credentials. All sites are Quixote
> applications on different subdomains on one Apache server with
> mod_scgi. PostgreSQL will be used for sessions.
> What is the strategy for creating a thing like that? Has anyone done it
> before in Quixote?
> Any tips would be greatly appreciated :-)

I haven't written such an authentication system, but am using an existing one here on campus to authenticate local users to our local unalog instance. The existing authentication system runs CAS [1]; another option could be pubcookie [2] (if I read correctly; haven't used it myself).

Plugging CAS support into unalog was easy [3, see login()], and even though this implementation isn't great, it works, and is configurable, so I can switch it on or off for testing (i.e. dropping back to unalog's built-in-quixote authentication) by tweaking the configfile and restarting scgi.

The main benefit is that all unalog sessions are still kept in the zodb, but unalog's database and site never see any actual user credentials, just a confirmation from CAS.

-Dan

[1] http://tp.its.yale.edu/tiki/tiki-index.php?page=CentralAuthenticationService
[2] http://www.pubcookie.org/
[3] http://curtis.med.yale.edu/unalog-trac/file/trunk/lib/yale_authn.ptl
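
Added example, not part of the original message and not unalog's own `yale_authn.ptl` code: a sketch of the CAS 2.0 service-ticket validation step, which is how an application ends up with only a confirmation from CAS rather than the user's credentials. The server URL, service URL, username and tickets are constructed placeholders, and `fetch` is a hypothetical stand-in for an HTTPS GET with certificate verification.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"       # namespace of CAS 2.0 responses
CAS_BASE = "https://cas.example.edu/cas"      # assumed CAS server URL
SERVICE = "https://app.example.edu/login"     # assumed URL of this application

def login_redirect_url():
    """URL an unauthenticated browser is redirected to; CAS collects the password."""
    return CAS_BASE + "/login?" + urlencode({"service": SERVICE})

def validation_url(ticket):
    """Back-channel URL; 'service' must be identical to the one used at login."""
    return CAS_BASE + "/serviceValidate?" + urlencode(
        {"service": SERVICE, "ticket": ticket})

def parse_validation(xml_text):
    """Return the username on success; None on failure or any unexpected body."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != CAS_NS + "serviceResponse":
        return None
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None
    user = (success.findtext(CAS_NS + "user") or "").strip()
    return user or None

def authenticate(ticket, fetch):
    """fetch(url) -> response body. Tickets are single-use, so never retry one."""
    if not ticket or not ticket.startswith("ST-"):
        return None          # the CAS spec requires service tickets to start with ST-
    return parse_validation(fetch(validation_url(ticket)))

# Constructed sample responses in the CAS 2.0 format
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url())
    print(authenticate("ST-constructed-1", lambda url: SUCCESS))
    print(authenticate("ST-constructed-2", lambda url: FAILURE))
```

Only after `authenticate` returns a username should the application create its own local session; anything else is treated as not logged in.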