[OpenID] OpenID + Government
Troy Benjegerdes
hozer at hozed.org
Tue Aug 11 18:46:51 UTC 2009
Documentation and sample server code with Python-openid
http://openidenabled.com/files/python-openid/docs/2.2.4/
in which, instead of a user typing in a username and password,
SPNEGO/GSSAPI is used with the PyKerberos module:
http://trac.calendarserver.org/browser/PyKerberos
What I would like is to be able to do something like:
python openid-AD.py
and have this start the internal python HTTP server on some known port,
and utilize an existing Kerberos and LDAP directory system for
authenticating users.
Bonus points if the implementation can store all per-user state in
fields in the user's LDAP entry, hopefully allowing the server
to be stateless, and mitigating security aspects by depending on
Kerberos and LDAP authentication and authorization for all security
critical information.
On Tue, Aug 11, 2009 at 11:03:51AM -0700, David Recordon wrote:
> Hey Troy,
> The closest software that I know about is
> http://siege.org/projects/phpMyID/ which is a simple provider written in
> PHP. I would love to see what you describe exist, have any constructive
> ideas about how to go about making it happen?
>
> --David
>
> On Aug 11, 2009, at 10:48 AM, Troy Benjegerdes wrote:
>
>>> Since the architecture allows any 1 id through delegation to be
>>> different things to different assertion consumers, the only way for
>>> Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS
>>> SUPPORT FOR OPENID DELEGATION (which google has already done,
>>> apparently).
>>>
>>> We seem to be rapidly losing what openid is/was all about: user
>>> empowerment and control.
>>
>> Maybe I'm missing something here, if we are really about user
>> empowerment and control,
>> where are the debian/fedora/OSX-Fink packages to allow a random user
>> (or maybe, say
>> a small DOE lab research group, like http://scl.ameslab.gov) to run a
>> full-fledged IdP
>> WITH delegation, and integration into desktop and email authentication
>> systems like
>> Kerberos?
>>
>> It seems quite hypocritical for OpenID proponents to talk about how
>> it's all about user
>> empowerment and control without providing an easy-to-use open-source
>> reference implementation
>> that does not require learning 'yet another' set of acronyms.
>>
>>
>> I'm really hoping that I've just missed something, and someone will
>> point me to the FAQ
>> on how I can set up an OpenID IdP server in 15 minutes on my debian
>> machines
>> at home and use kerberos credentials (which I already have for accessing
>> my local
>> files, via AFS), to be able to authenticate me to my IdP.
>>
>>
>> Give me the 15 minute HOWTO, and cleanly implemented software
>> packages, and I can probably
>> have this running on more than one .gov address in a month or two. (As
>> a case in point:
>> does anyone have documentation on using an OpenID to log into a
>> SharePoint server?)
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>
--
--------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer at hozed.org
Unless hours were cups of sack, and minutes capons, and clocks the tongues
of bawds, and dials the signs of leaping houses, and the blessed sun himself
a fair, hot wench in flame-colored taffeta, I see no reason why thou shouldst
be so superfluous to demand the time of the day. I wasted time and now doth
time waste me. -- William Shakespeare
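The SPNEGO front-end Troy sketches in the message above (HTTP Negotiate handshake, then a Kerberos principal standing in for the username/password step of an OpenID provider), written out as an added example. This is not code from the original post, from python-openid or from PyKerberos. The PyKerberos calls (authGSSServerInit / authGSSServerStep / authGSSServerUserName / authGSSServerResponse / authGSSServerClean, and the GSSError exception) are the real module's API, but the module is not bundled here, so the runnable path uses a constructed FakeGSSBackend whose "token" is a fixed byte string; the class names, the trusted-realm allow-list and the principal-to-identifier URL scheme are assumptions of this example.

```python
"""HTTP Negotiate (RFC 4559) front-end for an OpenID provider with a pluggable
GSSAPI backend. Added example; not part of python-openid or PyKerberos.
Assumed names: NegotiateAuth, FakeGSSBackend, PyKerberosBackend, openid_identifier."""
import base64
import binascii
from typing import Dict, Optional, Tuple

StepResult = Tuple[bool, Optional[str], Optional[bytes]]  # (complete, principal, mutual-auth token)


class PyKerberosBackend:
    """One GSSAPI accept step via PyKerberos (real authGSSServer* API).
    Only usable where the 'kerberos' module and a keytab for HTTP/<host> exist."""

    def __init__(self, service: str = "HTTP"):
        import kerberos  # PyKerberos; raises ImportError if not installed
        self._k, self.service = kerberos, service

    def step(self, token: bytes) -> StepResult:
        k = self._k
        _, ctx = k.authGSSServerInit(self.service)
        try:
            # PyKerberos takes and returns base64 strings, not raw bytes.
            if k.authGSSServerStep(ctx, base64.b64encode(token).decode()) != k.AUTH_GSS_COMPLETE:
                return False, None, None
            resp = k.authGSSServerResponse(ctx)
            return True, k.authGSSServerUserName(ctx), (base64.b64decode(resp) if resp else None)
        except k.GSSError:
            return False, None, None          # bad ticket, wrong service key, clock skew, ...
        finally:
            k.authGSSServerClean(ctx)


class FakeGSSBackend:
    """Constructed stand-in so the example runs without a KDC: the 'token' is the
    literal bytes b'FAKE-KRB-TOKEN:<principal>'. Never use outside a test."""
    PREFIX = b"FAKE-KRB-TOKEN:"

    def step(self, token: bytes) -> StepResult:
        if not token.startswith(self.PREFIX):
            return False, None, None
        return True, token[len(self.PREFIX):].decode("ascii"), b"FAKE-MUTUAL-OK"


class NegotiateAuth:
    """Drives 'Authorization: Negotiate' against a GSSAPI backend.
    Returns (http_status, response_headers, principal_or_None)."""

    def __init__(self, backend):
        self.backend = backend

    def authenticate(self, headers: Dict[str, str]):
        challenge = {"WWW-Authenticate": "Negotiate"}
        scheme, _, b64 = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "negotiate" or not b64.strip():
            return 401, challenge, None       # first round trip: issue the challenge
        try:
            token = base64.b64decode(b64.strip(), validate=True)
        except (binascii.Error, ValueError):
            return 400, {}, None              # malformed token: refuse, do not re-challenge
        complete, principal, mutual = self.backend.step(token)
        if not complete or not principal:
            return 401, challenge, None
        resp = {}
        if mutual:                            # mutual-auth token the client verifies against its TGS
            resp["WWW-Authenticate"] = "Negotiate " + base64.b64encode(mutual).decode()
        return 200, resp, principal


def openid_identifier(principal: str, base_url: str, trusted_realms) -> Optional[str]:
    """Map user@REALM to the identifier this OP may assert for it.
    Only principals in the OP's own realm(s) map; a cross-realm user and any
    service/instance principal (host/www...@REALM) get None. Realm comparison is
    case-sensitive, as Kerberos realms are."""
    user, sep, realm = principal.rpartition("@")
    if not sep or realm not in trusted_realms or not user or "/" in user:
        return None
    return f"{base_url.rstrip('/')}/id/{user}"


def fake_authorization_header(principal: str) -> Dict[str, str]:
    """Header a client would send in the second round trip, using the constructed fake token."""
    tok = FakeGSSBackend.PREFIX + principal.encode("ascii")
    return {"Authorization": "Negotiate " + base64.b64encode(tok).decode()}


if __name__ == "__main__":
    auth = NegotiateAuth(FakeGSSBackend())
    print(auth.authenticate({}))                                           # challenge
    status, hdrs, who = auth.authenticate(fake_authorization_header("troy@HOZED.ORG"))
    print(status, hdrs, who, openid_identifier(who, "https://openid.example.org", {"HOZED.ORG"}))
```

The principal returned by the backend is the only thing the OpenID checkid handler needs in place of a password check; the realm allow-list is the check that matters, because a KDC with cross-realm trust will happily authenticate `someone@OTHER.REALM` to your HTTP service, and without it that user would be issued an assertion for a local identifier.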