Are there any FOSS Python Single-Sign-on Servers?

Ben Finney bignose+hates-spam at benfinney.id.au
Tue Nov 11 18:48:15 EST 2008


Phillip B Oldham <phillip.oldham at gmail.com> writes:

> I think maybe there's some misunderstanding. The protocol isn't the
> issue; I'm happy to use whatever (HTTP, LDAP, SOAP, XMPP, etc). The
> issue is that OpenID, by its name, is open. We don't want to allow
> anyone with an openid account to register with our webapps

Then don't do that. The OpenID protocol says nothing whatsoever about
*which* OpenIDs your service will accept.

> we simply want to centralise registration and sign-on for our
> employees.

Then you should reject any attempt to authenticate with an OpenID that
you don't accept.

This could be done by, as one possible example, only accepting OpenIDs
of the form ‘http://example.com/openid/username’ (or whatever URL path
you deem useful), and ensuring that you control the OpenID provider
that serves those OpenIDs.

-- 
 \      “He who allows oppression, shares the crime.” —Erasmus Darwin, |
  `\                                     grandfather of Charles Darwin |
_o__)                                                                  |
Ben Finney
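One concrete way to do the allow-list check Ben describes, as an added example that is not part of the original post (Python 3, not the 2008 code base the thread refers to): the relying party normalises whatever the user typed and only proceeds with OpenID discovery when the identifier has exactly the form served by a provider under your control. The host name `example.com`, the `/openid/<username>` path and the `employees` set are assumptions standing in for your own provider and directory.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumptions (hypothetical, matching the form suggested in the post): our own
# OpenID provider serves identifiers of the form
# http://example.com/openid/<username>; https for the same host is accepted too.
ALLOWED_HOST = "example.com"
DEFAULT_PORTS = {"http": 80, "https": 443}
USERNAME_PATH = re.compile(r"^/openid/([A-Za-z0-9._-]{1,64})$")


def normalize_identifier(user_input):
    """Normalise what the user typed into a comparable URL, or return None.

    Mirrors the OpenID 2.0 identifier normalisation steps that matter here:
    prepend http:// if no scheme was given, lowercase the host, drop the
    fragment.  XRIs are refused outright because our provider never issues them.
    """
    s = user_input.strip()
    if not s or s.startswith("xri://") or s[0] in "=@+$!(":
        return None
    if "://" not in s:
        s = "http://" + s
    try:
        parts = urlsplit(s)
        port = parts.port            # ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS:
        return None
    # Reject userinfo: http://example.com@evil.net/... has hostname evil.net.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname            # already lowercased, port stripped
    if host is None:
        return None
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        return None
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def local_username(identifier):
    """Return the username if `identifier` is one our provider issues, else None."""
    normalized = normalize_identifier(identifier)
    if normalized is None:
        return None
    parts = urlsplit(normalized)
    # Exact host comparison: example.com.evil.net and evil-example.com fail here.
    if parts.netloc != ALLOWED_HOST or parts.query:
        return None
    m = USERNAME_PATH.match(parts.path)
    return m.group(1) if m else None


def is_allowed_openid(identifier, known_users=None):
    """True only for identifiers served by our provider and, when a directory
    of usernames is supplied, only for users actually present in it."""
    name = local_username(identifier)
    if name is None:
        return False
    return known_users is None or name in known_users


if __name__ == "__main__":
    employees = {"alice", "bob"}                  # constructed sample directory
    for candidate in (
        "http://example.com/openid/alice",
        "EXAMPLE.COM/openid/bob",
        "https://example.com:443/openid/alice#x",
        "http://example.com@evil.net/openid/alice",
        "http://example.com.evil.net/openid/alice",
        "http://example.com/openid/../admin",
        "http://example.com/openid/mallory",
        "https://openid.example.net/alice",
    ):
        print("%-45s %s" % (candidate, is_allowed_openid(candidate, employees)))
```

Two caveats a relying party should keep in mind. First, this check only decides which identifiers you will start discovery on; the OpenID library must still verify that the positive assertion was signed by the OP endpoint discovered from that identifier, otherwise a rogue provider could assert `http://example.com/openid/alice` on its own behalf. Second, the exact-host and no-userinfo rules are what stop look-alike identifiers such as `http://example.com@evil.net/...` and `http://example.com.evil.net/...` from passing a naive substring or prefix match.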


