Ian Bicking: the old part of his blog

Apache Authentication and Single-Signon

Incidentally, some time ago I mentioned several options for single sign-on. These are also projects that support generic authentication layers on top of any application; one of the goals at Imaginary Landscape is to consolidate logins for all kinds of content -- Zope, Webware, PHP, Perl, and static content. And to do it with reasonable usability, which most Apache authentication does not provide.

In the end I dropped Pubcookie as too complex, and we're using mod_auth_tkt. This has a documented authentication ticket format that anyone can generate (based on a shared secret), and just enough features to support things like groups, without any extra features that you'll have to work around.

There's still a lot of infrastructure to build up around it to support a "full" user system, but I feel confident at least that it is a good foundation.

Created 20 Jul '05
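To make the "documented ticket format that anyone can generate" concrete, here is an added example (not code from the original post or from the mod_auth_tkt project) that builds and verifies a ticket in the MD5 layout mod_auth_tkt documents: digest, 8-hex-digit timestamp, then `user!tokens!user_data`. The secret, user names, IP address and the 7200-second timeout are constructed assumptions.

```python
import hashlib
import hmac
import re
import socket
import struct
import time

SECRET = b"constructed-shared-secret"  # assumption: stands in for the TKTAuthSecret value

def _digest(secret, ip, ts, user, tokens, user_data):
    # Inner hash covers packed IPv4 + 4-byte timestamp + secret + NUL-separated fields;
    # the outer hash covers the inner hex digest + secret again.
    ipts = socket.inet_aton(ip) + struct.pack("!I", ts)
    fields = user.encode() + b"\0" + tokens.encode() + b"\0" + user_data.encode()
    inner = hashlib.md5(ipts + secret + fields).hexdigest()
    return hashlib.md5(inner.encode() + secret).hexdigest()

def make_ticket(secret, user, ip="0.0.0.0", tokens=(), user_data="", now=None):
    ts = int(time.time() if now is None else now)
    tok = ",".join(tokens)
    body = user + "!" + (tok + "!" if tok else "") + user_data
    return _digest(secret, ip, ts, user, tok, user_data) + "%08x" % ts + body

def verify_ticket(secret, ticket, ip="0.0.0.0", timeout=7200, now=None):
    """Return (user, tokens, user_data); raise ValueError on any failure."""
    m = re.fullmatch(r"([0-9a-f]{32})([0-9a-f]{8})([^!]+)!(.*)", ticket, re.S)
    if not m:
        raise ValueError("malformed ticket")
    digest, ts, user, data = m.group(1), int(m.group(2), 16), m.group(3), m.group(4)
    tok, user_data = data.split("!", 1) if "!" in data else ("", data)
    # Recompute with the verifier's own secret and compare in constant time.
    if not hmac.compare_digest(_digest(secret, ip, ts, user, tok, user_data), digest):
        raise ValueError("bad digest")
    now = time.time() if now is None else now
    if now - ts > timeout:
        raise ValueError("ticket expired")
    return user, (tok.split(",") if tok else []), user_data
```

Every application that can verify a ticket holds the same secret and can therefore also mint one for any user and group, so the secret needs the same protection on the least-trusted backend as on the login server. The group tokens and user data travel in the clear and are only integrity-protected.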


We're looking to do something similar at Zenoss. I've been busy with setting up the LDAP infrastructure, but one of my next tasks will be recommending a solution for the single-sign-on portion.

Did you ever make any good progress with mod_auth_tkt?

# oubiwann