As part of our Persona SSO project, one of the sites we'd like to convert to use Persona authentication is phonebook.mozilla.org. This is a PHP app, which (AFAIK?) is not based on any framework.

We currently do auth at the Apache level, using HTTP Basic Auth over SSL, tied into LDAP. We are working on a similar Apache module for Persona, but that project is somewhat stalled, and ultimately we'd prefer native/direct Persona auth anyway.

The only requirement is that we attempt to limit it to the same group of people that are currently able to use Phonebook. That means it should reject anyone that is not @mozilla.com, or any other email address that is routed through our Persona IdP (@mozillafoundation.org, at least, should also be allowed). We may need to make an exception to allow @mozilla.org people, for example, even though that doesn't go through the IdP+LDAP.

Resources that may help:

https://developer.mozilla.org/en-US/docs/Mozilla/Persona
https://github.com/mozilla/browserid-cookbook/blob/master/php/persona.php

Let me know if you have any questions! Of course we'll test it out in dev/stage before doing prod. :)
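A sketch of the access rule requested above, added here as an example and not taken from Phonebook or from the linked cookbook. It runs on the decoded JSON that the Persona verifier returns (`status`, `email`, `audience`, `issuer`) and requires an exact domain match plus the expected issuer, so a fallback-issued address at an allowed domain is rejected. The function name, the audience value and the issuer strings in the map are assumptions.

```php
<?php
// Added example. Issuer values are ASSUMPTIONS: each domain is taken to be its
// own Persona IdP, so the verifier would report issuer == domain.
const ALLOWED_ISSUERS = [
    'mozilla.com'           => 'mozilla.com',
    'mozillafoundation.org' => 'mozillafoundation.org',
    // Possible exception from the request (no IdP+LDAP behind it):
    // 'mozilla.org'        => 'login.persona.org',
];
const AUDIENCE = 'https://phonebook.mozilla.org:443'; // assumed audience string

// Hypothetical helper: returns the normalised email if allowed, else null.
function phonebook_authorize(array $resp, string $audience): ?string
{
    if (($resp['status'] ?? '') !== 'okay') return null;
    // The assertion must have been minted for this site, not another one.
    if (($resp['audience'] ?? '') !== $audience) return null;

    $email = strtolower((string)($resp['email'] ?? ''));
    if (substr_count($email, '@') !== 1) return null;
    [$local, $domain] = explode('@', $email);
    if ($local === '') return null;

    // Exact domain match: suffix checks would accept "notmozilla.com".
    $issuer = ALLOWED_ISSUERS[$domain] ?? null;
    if ($issuer === null) return null;
    // The address must have been vouched for by the expected IdP.
    if (($resp['issuer'] ?? '') !== $issuer) return null;
    return $email;
}

// Constructed verifier responses for illustration (not captured data).
$samples = [
    ['status' => 'okay', 'email' => 'alice@mozilla.com',
     'audience' => AUDIENCE, 'issuer' => 'mozilla.com'],
    ['status' => 'okay', 'email' => 'bob@mozilla.com',       // fallback-issued
     'audience' => AUDIENCE, 'issuer' => 'login.persona.org'],
    ['status' => 'okay', 'email' => 'eve@notmozilla.com',    // lookalike domain
     'audience' => AUDIENCE, 'issuer' => 'login.persona.org'],
    ['status' => 'okay', 'email' => 'dan@mozillafoundation.org', // wrong site
     'audience' => 'https://other.example:443', 'issuer' => 'mozillafoundation.org'],
];
foreach ($samples as $s) {
    echo $s['email'], ' => ', phonebook_authorize($s, AUDIENCE) ?? 'rejected', "\n";
}
```

Only the first sample is accepted. A domain-level check like this is coarser than the current LDAP-backed access, so membership in a specific group would still need a directory lookup.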
cn=phonebook_access,ou=groups,dc=mozilla may be of use here.
Per decision in other bugs, this is a WONTFIX now.