“Enterprise” authentication, single sign-on and user provisioning for multiple sites

Question

I'm looking for a solution for user provisioning, authentication and single sign-on which will make it easy for me to manage accounts for all the staff at my company across all of the sites we work on.

My main goal is to have a single point at which I can add/remove users to grant/revoke access to all the sites our staff will need to work on. This is obviously a pretty useful thing on it's own, but it'll also mean that I can ask staff to change passwords regularly without it taking a day to go through every site, etc. All this is in addition to "normal" users which vary from site to site.

The shared tables approach won't work (and wouldn't use anyway), I don't fancy setting up an LDAP server just for this, none of the sites share a domain so Bakery won't work, the OpenID module allows any provider so I can't trust the profile details to automatically set roles, etc.

Is there an existing (production ready) solution that uses, e.g., OpenID but lets me restrict the provider/s to those I can trust? Should I just bite the bullet and start trying to hack at the OpenID module? Am I barking up the wrong tree?

Answer 1

You would have to use a few modules working together to make this happen.

Development Seed had an interesting demo using OpenID, PubSubHub and Feeds. They detail it at http://developmentseed.org/blog/2010/mar/02/simple-sign-openid

lordg's comment re: hubs is exactly what they did.

Answer 2

Have a look at multisite_login, it should help you get to what you are looking for. I haven't used it myself yet, but the description appears to fit quite well. You could contact that maintainer to get some customizations or become a co-maintainer of it.