Hmm...<br>The reason we want to implement an OpenID Provider for Mailman is so that we can use single sign-on for our other internal accounts, like our internal wiki etc.<br>We want our users to log in with just their Mailman account and have single sign-on for their other accounts.<br>
<br>Can I get pointers to any existing implementations of an OpenID Provider and/or OpenID Relying Party for Mailman or any other applications?<br>Also, any suggestions on how to go about implementing the Provider or Relying Party?<br>
<br>So how would I go about implementing the OpenID Relying Party for Mailman?<br><br><div class="gmail_quote">On Mon, Jun 8, 2009 at 12:34 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I am working on implementing openID server for the mailman setup I am running.<br>
</blockquote>
<br></div>
As someone who has wrestled with getting an OpenID provider operative for all users to log into a Relying Party at the same server, let me advise you:<br>
<br>
Don't.<br>
<br>
At least, not how you're looking to do it. I appreciate the desire to integrate support incrementally, but if you're crunching CPU cycles and taking up (minimal) network bandwidth for what could be a simple login procedure, it's a waste of resources (and *may* expose you to DNS exploits, though of course anyone who can control your inner networks to that extent probably has full access anyway).<br>
<br>
I suggest looking into OpenID as a Relying Party, and requiring foreign providers as an *extra* factor of authentication; use them to expand your abilities so users can try biometrics/smartcards, but still ask for their local password before you'll let them in. That way, even if someone completely breaks OpenID (or compromises the foreign OP), they still won't be able to get in. This reduces the SSO functionality of OpenID somewhat, but is another way you could phase in OpenID support - if someone learned the local password but couldn't break biometric/smartcard protection, *they* wouldn't be able to get in either.<br>
<br>
-Shade<br>
</blockquote></div><br>
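The second-factor arrangement Shade describes above, as an added example that is not part of this thread or of Mailman's code: a login gate that grants a session only when the local password checks out and the Relying Party side of OpenID returned a successful assertion for the exact identity enrolled on that account. The user record, passwords, OP URL and the `OpenIDResult` shape are constructed assumptions standing in for what an RP library would hand back.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Local account store (constructed sample data). Passwords are kept as
# PBKDF2-HMAC-SHA256 with a per-user salt, never in clear text.
def make_record(password: str, openid_claimed_id: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest, "openid": openid_claimed_id}

USERS = {"alice": make_record("correct horse", "https://op.example.net/alice")}


@dataclass
class OpenIDResult:
    """Outcome of the Relying Party flow (assumed shape): what the RP
    library reports after verifying the OP's signed assertion."""
    status: str            # "success", "failure", "cancel", ...
    claimed_id: str = ""   # identity the OP asserted; empty unless success


def password_ok(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user costs the same time as a bad password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 200_000)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(candidate, rec["hash"])


def openid_ok(username: str, result: OpenIDResult) -> bool:
    rec = USERS.get(username)
    # The assertion must have succeeded AND name the identity enrolled for
    # this local account; a valid assertion for some other OpenID is a stranger.
    return (rec is not None and result.status == "success"
            and hmac.compare_digest(result.claimed_id, rec["openid"]))


def login(username: str, password: str, result: OpenIDResult) -> bool:
    """Both factors must pass; evaluate both so the response does not
    reveal which one failed. A broken OP alone, or a leaked password
    alone, is not enough."""
    pw = password_ok(username, password)
    oid = openid_ok(username, result)
    return pw and oid
```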