Comment 1 for bug 2043040

Mike Rylander (mrylander) wrote :

Some thoughts/opinions to your questions:

 * Same settings? No, but...

The library settings should be /able/ to be separate, though falling back to the OPAC ones would not be unreasonable. In particular, it will be important to use a different IdP or different user match points for staff-side purposes.

 * Do SSO at the OpenSRF level? No, that way madness lies.

It will probably end up looking like a mod_perl shim that does more or less what the OPAC side does, creating a session based on Shib and returning the auth token, and an angular service that knows how to find out (pre-login) if it should do that dance and how to do it.

 * Is this actually complicated? Yes, it is extremely complicated. Both the technology itself, and more importantly, correctly implementing it.

SSO is there to make the user's life easier, but security is Hard(tm). For the user to see it as "easy" the burden has to shift to the developer and the administrator.