A cool way of handling the multitude of created sites would be to enable the openid module in created sites automatically (through an install profile?) and associate the users having access to the client to the admin user of the created site. It could be fairly simple to add stuff to the frontend to add the pattern of the openid provider URLs. In the backend, it would probably need to go through an install profile to enable the openid module at least, but maybe a custom post_install hook could set up the module and necessary associations.

To be thought about.

Comments

anarcat

Title: enable openid in deployed sites and add openids to the admin user » enable SSO in deployed sites

Based on past experiences, and comments in another thread, I'm not sure OpenID is the best overall solution in this case. Others mentioned LDAP, ApacheDS and I'm thinking of Shibboleth today...

In any case, this should be in a module...

niccolox

Project: Hosting » Hostmaster (Aegir)
Version: 5.x-0.2.x-dev » 6.x-0.4-alpha3
Issue tags: +aegir, +bakery

hi anarcat,

any thoughts on single signon (or at least a shared or simpler signon experience)

have been tooling around with Bakery on D6 and D7 within Aegir (doesn't work) and without (does work)

have tried to create a local.settings.php with cookie_domain as required by Bakery but I get locked-out

thanks in advance

I see Seth is trying for this too
http://drupal.org/node/1096660

and from Phayes last year
http://drupal.org/node/608918

dominict

Same issue is coming up right now in our Atlanta ADUG meeting. There is definitely interest in making Aegir Bakery-friendly.

niccolox

Bakery is a nice single and sub domain solution.

The obvious downside is it's Drupal-specific, does weird things to your user tables and doesn't do cross-domains.

It also currently doesn't work with Aegir, although I am sure that could change with a bit of tlc.

I've since discovered an OpenID based single signon solution that is an expanded and improved version of the original Development Seed codebase.

see
Summary: Omniauth - OpenID Single Sign-On for Drupal
http://groups.drupal.org/node/155799

OmniAuth OpenID Single Signon - OpenID - Single Signon Lives (Sorta)
http://groups.drupal.org/node/154879

I'd strongly encourage support for the OpenID approach.

There is a lot of Drupal energy in OAuth (Twitter and Facebook enabled signons)
http://groups.drupal.org/node/155674

but the new single-signon solution is OAuth + OpenID
http://code.google.com/googleapps/domain/sso/openid_reference_implementa...

I find it pretty strange that D.o is not using an OpenID sso, especially since OpenID is in core and is used in DrupalGardens

niccolox

I see hadsie has an Aegir solution called Account_sync
http://drupal.org/node/1258862

I am still perplexed at the FUD around OpenID

it's in core and still it's not used on d.o

I for one, don't want to rely on mega-sites like Facebook or Twitter to own my ID via OAuth or Janrain or whatever

steven jones

Status: Active » Closed (won't fix)

I don't think this needs to be implemented in Aegir core, there could be some contrib module that integrates some other SSO solution with the Aegir UI however. But, I suspect that the SSO solution would be very specific to the environment the sites are in.