User:Jeblad/Identity federation

From MediaWiki.org

IdentityFederation is a proposed extension for identity federation, that is, for letting a wiki user log on to external service providers. For users on a site such as Wikipedia there are several necessary limitations that protect anonymity, and these must be maintained; only in very limited cases may a gradual relaxation of anonymity be allowed. Usually identity federation is about how a user can maintain a single identity and log in to service providers as needed. In a wiki (MMC site) it can instead be used to assign one-time user ids, or to give access to common aliases.

Such one-time ids, or aliases, are then used to get qualified access to other systems according to the real user's credentials on the wiki. These credentials can be any of several attributes, such as user rights, number of contributions, time since registering, time since the last block, or even the user name. The extension identifies the user and passes her on if the credentials are sufficient, giving away as little information as possible in the process. Defaults can be set explicitly in LocalSettings.php to enable the credentials that are allowed to be transferred, and access can then be further allowed or denied as specified on the definition page in the MediaWiki namespace.

The result of the initial test of the credentials determines whether access is granted, meaning the user is given access right away; postponed, meaning the user has to pass some check on the external site or pay a fee; or fails completely. In the last case the service will not appear on the special page.
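As an illustration of the credential test and the minimal-disclosure rule described in the two paragraphs above, here is a small stand-alone PHP sketch. It is added example code, not part of the proposed extension; the allow-list constant, the service definition keys and the sample user data are all assumptions made for the example.

```php
<?php
// Hypothetical policy check for the proposed IdentityFederation extension.
// Site-wide default (assumed; would live in LocalSettings.php): credentials
// that may ever be transferred. Note that 'username' is deliberately absent.
const ALLOWED_CREDENTIALS = ['rights', 'editcount', 'registered', 'lastblock'];

/**
 * Evaluate one service definition against a local user's credentials.
 * Returns ['status' => 'granted'|'postponed'|'denied', 'released' => [...]],
 * where 'released' holds only the attributes actually handed to the service.
 */
function evaluateAccess(array $user, array $service, int $now): array {
    $failed = [];
    if (isset($service['min_editcount']) && $user['editcount'] < $service['min_editcount']) {
        $failed[] = 'editcount';
    }
    if (isset($service['min_account_age']) && ($now - $user['registered']) < $service['min_account_age']) {
        $failed[] = 'registered';
    }
    if (isset($service['min_since_block']) && $user['lastblock'] !== null
        && ($now - $user['lastblock']) < $service['min_since_block']) {
        $failed[] = 'lastblock';
    }
    foreach ($service['required_rights'] ?? [] as $right) {
        if (!in_array($right, $user['rights'], true)) { $failed[] = 'rights'; break; }
    }
    if ($failed) {
        // A service may still accept the user after a check on its own side
        // (postponed); otherwise it is simply not listed on the special page.
        return ['status' => !empty($service['postpone']) ? 'postponed' : 'denied', 'released' => []];
    }
    // Release only what the site allows AND the service asks for.
    $released = [];
    foreach (array_intersect($service['release'] ?? [], ALLOWED_CREDENTIALS) as $attr) {
        $released[$attr] = $user[$attr];
    }
    return ['status' => 'granted', 'released' => $released];
}

// Constructed sample data: a user registered 400 days ago, never blocked.
$now = 1700000000;
$user = ['username' => 'ExampleUser', 'rights' => ['edit', 'autoconfirmed'],
         'editcount' => 250, 'registered' => $now - 400 * 86400, 'lastblock' => null];
$service = ['min_editcount' => 100, 'min_account_age' => 90 * 86400,
            'required_rights' => ['autoconfirmed'], 'postpone' => true,
            'release' => ['editcount', 'username']]; // 'username' is filtered out
print_r(evaluateAccess($user, $service, $now));
```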

What happens when the user is granted access depends on the service in question. Basically there are two types of operation: one is to log on to a service and then continue to work on it, the other is to ask for a specific resource and then be granted limited access to that resource. If a resource is explicitly identified in the request, the user may or may not be logged off from the service afterwards, depending on the site's internal state engine.

Fundamental operation

A service container object describes the actual service or resource the user may log on to. This container object holds the necessary description and represents the intention to log into the service; for example, it holds the textual description. By itself it cannot log in to the service; for that it uses special request objects, although it can use a fallback and try without any kind of identity if so defined.

A request object holds the data and methods needed to log on to a specific service, and may be of various kinds. The user will never be aware of any additional dialog between the identity provider and the service provider, but she will be made aware of which kinds of credentials are involved and which ones are actually transferred to the external service provider. Some methods may not be able to transfer federated attributes and will then leak personal information only through the testing of credentials.

There may for example be a request object that allows the user to masquerade as a user «wikipedia» through OpenID, while the final fallback will be to proceed without any real or masqueraded identity if the user's credentials are insufficient.

See also