This is the scenario: multiple web systems (mostly LAMPP/WAMPP) exist, most of them with separate login information (some share it). We're considering the benefits/disadvantages of unifying them somehow, or at least making the user administration parts easier to handle.

Due to the nature of some systems (it's a mixed bag of custom OSS systems, internally developed software and 3rd party commercial software) we can't unify all login screens into a single screen.

An idea passed around is a sort of login "master brain" where we can control all user name creation, permissions, inactivation, etc. This will still make people have to manually log in to every system, but at least it'll make the administrative load of user management easier.

Are there any known solutions to this kind of problem that involve (necessarily, it could be considered) changing the least amount of code/systems possible?

Edit: OpenID doesn't work for us since we have different login needs, and for some systems we can't directly control how they handle the login process (but we can control the users/passwords).

A: 

openid

dove
A: 

A lot of people seem to like OpenID for this sort of thing. I'm not sure on its intranet capabilities though.

Another idea is using your "brain" system to pass authenticated username to the sister/brother applications as a form post, then handle authentication on that system and create their security tickets with what was sent.

Hope you find what you're looking for!

Cheers!

thismat
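The "brain posts the authenticated username to the sister application" handoff only holds up if the receiving application can prove the post came from the brain and is fresh. As an added example (not code from the post or from any of the systems mentioned), this is one way to build that ticket: the brain signs the claims with an HMAC key shared with one target application, and the target checks the signature in constant time, the intended audience, the expiry, and a nonce against replay. The key table, TTL and claim names are constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed example: one shared secret per sister application.
# Assumption: keys are provisioned out of band and never reused across apps.
APP_KEYS = {"wiki": b"constructed-key-for-wiki", "crm": b"constructed-key-for-crm"}
TICKET_TTL = 60  # seconds a handoff ticket stays valid; a form post is immediate


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(username: str, audience: str, now: Optional[float] = None) -> str:
    """The central 'brain' builds a short-lived ticket for exactly one target app."""
    now = time.time() if now is None else now
    claims = {"sub": username, "aud": audience, "exp": int(now) + TICKET_TTL,
              "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode()}
    # Canonical JSON so signer and verifier hash byte-identical payloads.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = _sign(APP_KEYS[audience], payload)
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_ticket(ticket: str, audience: str, seen_nonces: set,
                  now: Optional[float] = None) -> Optional[str]:
    """The receiving app: returns the username, or None if the ticket is rejected."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the signature first and in constant time; only then trust the claims.
    if not hmac.compare_digest(sig, _sign(APP_KEYS[audience], payload)):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None
    if claims.get("nonce") in seen_nonces:  # the same form post submitted twice
        return None
    seen_nonces.add(claims["nonce"])
    return claims["sub"]
```

In a real deployment `seen_nonces` would live in shared storage for the ticket's lifetime, and the receiving application would still create its own session rather than trusting the ticket beyond that single handoff.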
+2  A: 

What we did was to centralise all login details in one repository (Active Directory for us), then wrote a C# library to authenticate with wrappers for all the languages we programmed in (PHP, C, .NET, etc.), and then just wrote some glue code in the appropriate place for each application. Aside from our in-house apps, we successfully logged into Mediawiki, Subversion, ActiveCollab and Apache this way.

It does involve writing a reasonable amount of code, but not ridiculous amounts, and it will work for the future as well. I can't see a practical solution which would be easier than this.

Reading your question I note that this is more-or-less what you're thinking anyway, but it will work!

RB
Question: does it actually automatically authenticate you into Subversion? Could you expand on this, because I was trying to do this months ago and had to give up on it due to time constraints. Also, have you ever tried a web service to handle authentication, or is there not enough support?
thismat
I'm interested in this method, could you expand on this?
rcphq
+1  A: 

There is a big industry around it and it is called IAM - Identity Access Management. The IAM solutions basically do what you want - manage users and user permissions, and translate their internal state to the multitude of systems. Depending on the possibility of integration, you might have "SSO" - Single Sign On for some software, or you could have a Single Source of Authentication. The former differs from the latter in that with SSO the user needs to punch in the credentials once, while in the latter he only has the same login and password combo.

Also, IAM would manage user rights to the extent of its possibilities. For example, a piece of network equipment can only support one user/password. Then the IAM solution would automatically open a terminal and log on the user when he/she requests it, assuming the user is in the right security group.

Implementing an IAM solution could go a long way to ease systems management.

I can't recommend any particular solution, just bear in mind that the transition from the current method to IAM will require more than integration with different software, but also some change in corporate culture, as one system will bind all others.

Konrads