CodeIgniter web application SSO, use OAuth2? SAML? Both/Neither?

问题

I have a CodeIgniter 2.1 internal web app which uses a simple shared password (no usernames) for authentication. It's time to pull that out and ideally use Single Sign On with our company Google Apps accounts to authenticate specific internal users, and in the future allow external users to authenticate with their Google/Twitter/Facebook accounts.

So the question is, where should I start to achieve what I'm looking for above?

Google SAML SSO for Google Apps?
CodeIgniter OAuth 2.0 library?
Something else?

I take it I need to still maintain a database of user_ids and emails for who is allowed to use the web app, even though Google or someone else will be verifying their identity?

Mine seems like a fairly basic use case but I've been lost in a sea of acronyms on this one

回答1:

Yes, I would go with this library http://getsparks.org/packages/oauth2/versions/HEAD/show

Google is an OAuth2 provider that the library seems to support. You will get the email of the user from the Google OAuth token like shown in the code

$user = $provider->get_user_info($token);

You will need a registration or some kind of invitations for the current users to hook with this new system once it is ready.

回答2:

I would stay away from SAML unless you have a strong reason for using it. It is a very capable protocol, which not only provides authentication but also other kinds of security assertions. But all of that power comes with commensurate complexity. OAuth is simple by comparison.

I have used SimpleSAMLphp in the past with good results. But it isn't a library so much as an entire web application all on its own.