Duncan Barth, University of Oregon on Authentication vs. Authorization
- authentication: is the user who s/he says s/he is?
- authorization: what does the user get to do on the site/resource?
- passwords stink. hard for end user to use unique passwords, hard for web manager to manage passwords and reset mechanisms
- stay out of the authentication business if you can!
- UO intranet: MediaWiki, Drupal, custom applications. use Apache standard authentication mechanism, pointing to LDAP server
- using Shibboleth as authentication system (single sign-on) set up with EZProxy. ultimately want to make system one log-in for all systems (including ILLiad, Xerxes, etc.)
- for non-university systems (public libraries etc.) without user id databases, can use OpenID (Google provides OpenID), e.g. Basecamp login can be done with an OpenID from a Google account.
- how to promote OpenID as a mechanism?
- can use identity information from Facebook API to log in.
- OpenID has an authorization component called OAuth
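The UO intranet setup above (Apache standard authentication pointed at an LDAP server) is a good place to see the authentication/authorization split in one config. This is an added example, not UO's actual configuration; the hostname, base DN, bind account and group name are assumptions and would need to be replaced with local values.

```apache
# Added example (not UO's own config). mod_ldap and mod_authnz_ldap must be loaded.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location "/intranet">
    # --- Authentication: is the user who s/he says s/he is? ---
    # Basic auth sends the password on every request, so only allow it over TLS.
    SSLRequireSSL
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap
    # Assumed directory layout: accounts under ou=people, matched on uid.
    AuthLDAPURL "ldaps://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub?(objectClass=person)"
    # Assumed read-only service account used to look up the user's DN before the bind.
    AuthLDAPBindDN       "cn=httpd-lookup,ou=services,dc=example,dc=edu"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"

    # --- Authorization: what does this (now authenticated) user get to do? ---
    # "Require valid-user" would admit every account in the directory.
    # Restricting to an LDAP group keeps authorization in the directory too,
    # so the web manager never maintains a separate list of allowed users.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=intranet-staff,ou=groups,dc=example,dc=edu
</Location>
```

Authentication succeeds when Apache can bind to LDAP as the user with the supplied password; authorization is the separate `Require` decision, and changing group membership in LDAP changes access without touching the web server.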