Single Sign On

From MozillaWiki
Jump to: navigation, search

Mozilla has over 100 web properties. A reoccurring idea in the Mozilla community is to implement Single Sign-On (SSO).

This has been discussed many times off and on over the last few years. The Webdev team is leading a Web based SSO solution, which will be rolled out onto MDN.

Please use the Discussion tab to work through contentious points.

Technical Details

  • The Secret Squirrel Project is a CAS 2.0 based SSO server
  • The mod_auth_cas Project is a CAS 2.0 based SSO client
  • New User Credentials (not bootstrapped from AMO, Firefox Sync, or any other source)
  • MDN is the first target app
    • Good choice as it currently has three codebases Dekiwiki, phpbb, and Django


  • Q: Will SSO be a profile server?
  • A: No, not in v1.0, probably never

Reasoning: The SSO webapp will have a user page where you can see what apps you've integrated sign-on for. Client webapps still need to define and build out their profile pages. Some user metadata can be gleaned from the SSO server, but updating, storing extra metadata, etc is TBD and probably belongs in a different web service.

  • Q: Will SSO handle authorization?
  • A: No, SSO is for authentication, each client application will implement Authorization
  • Q: Why not just use OpenID?
  • A: OpenID alone prevents us from implementing such features as global logout and other future features that require a central authentication entity. However, we might at some point allow you to log into *SSO* using your OpenID.

OpenID is an awesome solution for completely open federation. CAS is a good solution for a coordinated cluster of websites under one umbrella.

  • Q: Why not just use LDAP?
  • A: We wanted a simple solution for authentication which can be made available to the community. There are some operational concerns around running a public LDAP server. With CAS, we can whitelist a community app and it can be an un-trusted, but still be a first class user of SSO. LDAP can provide not only authentication, but also authorization and arbitrary attributes (profile). This confuses the purpose of SSO, which currently is *only* authentication.