An easy solution to a single website login?
July 23, 2015 4:13 AM

The situation is that I manage a bunch of websites & web services, all with their own separate user accounts. It would be useful to unify all these logins. The problem is that the software infrastructure necessary to support unified logins is way beyond my capabilities. Is there a suitable technology shortcut or a way I can cheaply buy such a service?

I'm not an IT guy but a bioinformatician, and part of my brief is to manage the software infrastructure for a major genomics project. So I have to be an IT guy, above and beyond my skills. (Local sysadmin resources - me.) We've based the infrastructure in AWS, which has been a big win. Deploy an app with ElasticBeanstalk and get scaling and easy config? Awesome. Need to spin up a more powerful machine? Simple.

However, with various different systems and web services, it would be nice to have a single identity and login system across them all. And indeed, most of the services support LDAP / OpenID, Shibboleth, etc. This is where it starts to get hairy: the solutions for serving / managing these are technically very complex. You know it's tough when you read articles from seasoned IT professionals complaining about how hard it was to get the software running and how much time they have to spend to keep it running.

Things I've tried:

* Amazon provides a directory service ... but the product is still immature and you still need a software stack to manage it.

* I've sunk a few weeks trying to get my head around LDAP with no great success.

* There are a number of companies selling auth / id as a service, but their solutions look vastly overpowered for what I need and come at a high ticket price (e.g. several dollars per user per month).

* There are a few images of LDAP servers or the like on the Amazon market, but with some poor reviews attached, so that may not save me much effort.

This is a big problem - every moment I spend on this is a moment not spent on "real" work - no one is going to thank me for setting this up. But it seems like the user management will become overwhelming if it's not done.

Various technical details:

* Based in the UK.

* We probably have about 100 users, although the active number is more like 20.

* No one will ever, ever have to log in at the command line / Unix or AWS level. This is strictly for webapps only.

* We're a Unix shop, so Windows-based solutions are at a disadvantage.

* Many of the users are ... not very technical. For example, they mail me when they forget their password and lodge complaints like "the database is acting funny, fix it".

posted by outlier to Computers & Internet (9 answers total) 1 user marked this as a favorite
posted by Sequence at 4:35 AM on July 23, 2015

Have you looked at SSO services like Okta?

Full disclosure: I have a financial stake in the company.
posted by Noisy Pink Bubbles at 4:55 AM on July 23, 2015

Standard caveats about security being Hard apply, but the one time I needed to do something like this, SimpleSAMLphp turned out to be a lot simpler than I expected.
posted by Dr Dracator at 5:01 AM on July 23, 2015 [1 favorite]

Response by poster: "Have you looked at SSO services like Okta?"

I've looked at some. (See brief comment about companies that sell auth services.) I was hoping for a recommendation with the caveats that:

* The services I've seen seem overpowered for what I need (e.g. device management, multi-factor auth)

* The prices - when prices are even given - are prohibitive.

Nonetheless, I'll look at Okta.
posted by outlier at 5:30 AM on July 23, 2015

Response by poster: I get the LastPass idea (I use it myself) but I'm not clear on how it would work in this case. The same password is shared across multiple services, so they have the same user-password for each system? I'm also a little dubious about getting them to install an extension.
posted by outlier at 6:18 AM on July 23, 2015

Response by poster: Isn't Google Identity mainly for writing your own apps? (I've activated it in my developer console and otherwise it seems to just offer OAuth.)

SimpleSAMLphp looks good - about the first "out of the box" solution I've seen. Will give it an install and see how it works.
posted by outlier at 6:41 AM on July 23, 2015

If you're accessing all these places via the web then there are browser extensions that will automatically log you in to everything. I don't use them so I can't recommend a specific one but that's one place to start looking.
posted by Jacqueline at 4:12 PM on July 23, 2015

I'd also consider using Google. Get Google apps for work on a new or existing domain, give everyone an account there, and then integrate the Google Identity stuff/OpenID Connect into your existing sites (for which there are relatively mature solutions out there). Not entirely free of having to code stuff to retrofit your existing login structures, but almost certainly not going to go away any time soon, and there's a lot of documentation to help.
posted by stavrosthewonderchicken at 5:45 PM on July 23, 2015
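
If the sites accept Google sign-in through OpenID Connect as suggested in the answer above, each one has to check that the ID token was issued for that site and that the account belongs to the project's hosted domain, not just that Google authenticated someone. The sketch below is an added example and not code from anyone in this thread; the client ID, domain and claim values are constructed placeholders, and it assumes the token's signature has already been verified against Google's published keys by a JWT library.

```python
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def check_id_token_claims(claims, client_id, allowed_domain, now=None):
    """Return the reasons to reject a login; an empty list means accept.

    Assumption: `claims` is the payload of an ID token whose signature
    was already verified by a JWT library before this function is called.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    # aud may be a single string or a list; our client ID must be in it,
    # otherwise the token was minted for some other application.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("token issued for a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    # hd is only set for accounts in a hosted domain. Checking the email
    # suffix instead is weaker, so the decision is made on hd alone.
    if claims.get("hd") != allowed_domain:
        problems.append("account is not in the project's domain")
    if claims.get("email_verified") is not True:
        problems.append("email not verified")
    return problems

# Constructed sample data (placeholders, not real identifiers).
CLIENT_ID = "webapp-1.apps.example"
DOMAIN = "genomics.example"
NOW = 1437650000
GOOD = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
        "exp": NOW + 3600, "hd": DOMAIN,
        "email": "alice@genomics.example", "email_verified": True}
# Same email string, but no hd claim: not an account in the hosted domain.
NO_HD = {k: v for k, v in GOOD.items() if k != "hd"}
# Token minted for another application and already expired.
STALE = dict(GOOD, aud="other-app.apps.example", exp=NOW - 10)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("NO_HD", NO_HD), ("STALE", STALE)):
        print(name, check_id_token_claims(sample, CLIENT_ID, DOMAIN, now=NOW))
```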

Response by poster: Thanks for all the suggestions - it will take some time to assess them all. By the by, OneLogin (ID SaaS company) sales called and it seems they have educational pricing, so I'll be looking at that as well.
posted by outlier at 1:34 AM on July 24, 2015
