Extension:WindowsSSO

Placeholder for WindowsSSO extension under development...

To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.

However, I had two peeves with this extension:
 * 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
 * 2) Its use of LDAP; feels too much like a wart on Windows!

See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?

I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.

Personally, I find this solution much simpler and more intuitive for AD integration when hosting MW on a Windows/IIS box.

Does this make sense to others in the community?

Do others feel there was a need for a better AD integration extension?

Would others in the community benefit from such an extension?

If so, I would be happy to share my work, following instructions found here.