
#431 Better support for external authentication

1.x
open
5
2008-02-13
2008-02-13
Jeff Tickle
No

The existing auth script system works decently; however, there could be better support for external authentication. Use this ticket to discuss problems that need to be solved, as I'll be reworking the users module a bit. Here's what I've found so far:

1. "New Users" should not require a local password if a different authentication method was selected.

2. Some authentication systems also identify, and if that's the case, the Display Name and Email Address should be pulled from that information.

3. Specifically: support for Cosign

4. Specifically: support for LDAP

5. External Authorization should be available; that is, we should be able to maintain a list of deities that is accessible through LDAP, so as ESS transforms over the years, we can add and remove people easily from LDAP, and probably have more control over things like which hubs and which branches these people have specific control over.

Discussion

  • Thomas de Jesus

    Thomas de Jesus - 2008-04-18

    Logged In: YES
    user_id=860147
    Originator: NO

    Jeff,

    I'm using LDAP. Our external auth script works perfectly; my biggest request is keeping users logged in across branches. I have some users that approve content in multiple branches. Constantly logging in is a hassle.

     
  • Jeff Tickle

    Jeff Tickle - 2008-04-18

    Logged In: YES
    user_id=1575542
    Originator: YES

    I'll look into the feasibility of this, as it'll probably help us out too. The biggest problem that I can foresee is that one's persistent authentication is based on the session cookie first, and then on the phpWebSite Site Hash. This means that if your different branches are actually different domain names, it may actually be impossible to make that login persistent.

    Consider: A web browser only sends cookies based on the domain name. So, the cookie for example.com will only be sent to example.com and not to example.net, and vice versa. However, there may be ways to hack around this, probably in the same way that web advertisers do to track your movements for targeted advertising.

    On the other hand, if your different branches are under the same domain name, the persistent login is actually very easy: just set the SITE_HASH constant in config/core/config.php on each of your branches to be equal to the same value. Log into one site, and you're automatically logged into the rest.
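
The browser rule described in the comment above, as an added example that is not part of the original thread or of phpWebSite. It models RFC 6265 cookie host scoping and goes slightly beyond the comment by covering subdomains and the `Domain` attribute; the branch hostnames are constructed, and how phpWebSite actually sets its session cookie is not shown on this page.

```javascript
// Added example: cookie host scoping per RFC 6265 (sections 5.1.3 and 5.3).
// Simplified: no public-suffix check, no Path/Secure handling.

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// RFC 6265 5.1.3: a host domain-matches when it is identical to the domain,
// or ends with "." + domain and is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith("." + domain);
}

// Model what the browser stores when `setByHost` sends Set-Cookie with an
// optional Domain attribute. Returns null when the browser rejects the cookie.
function storeCookie(setByHost, domainAttr) {
  if (!domainAttr) return { domain: setByHost.toLowerCase(), hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A site may only set cookies for itself or for a parent domain.
  if (!domainMatch(setByHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for `host`?
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Which branch hosts see a session cookie set by `loginHost`?
function branchesReached(loginHost, domainAttr, branches) {
  const cookie = storeCookie(loginHost, domainAttr);
  return branches.filter((b) => isSentTo(cookie, b));
}

// Constructed branch hostnames (assumptions, not taken from the ticket).
const branches = ["hub.example.com", "news.example.com", "hub.example.net"];
console.log(branchesReached("hub.example.com", undefined, branches));
console.log(branchesReached("hub.example.com", "example.com", branches));
console.log(branchesReached("hub.example.com", "example.net", branches));
```

A cookie scoped to the parent domain reaches every host under it, so a shared session is only as trustworthy as the least trusted branch on that domain.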

     
