
Single sign-on

Comparison of single sign-on solutions like Active Directory, LDAP and Kerberos, focusing mainly on OpenID and CAS.

Marek Stępniowski

August 08, 2011

Transcript

  1. Redmine - project management: redmine.nowoczesnapolska.org.pl
     Editorial Platform (Platforma Redakcyjna): redakcja.wolnelektury.pl
     Wolne Lektury: wolnelektury.pl
     Wolne Podręczniki: wiki.wolnepodreczniki.pl
     Blog: nowoczesnapolska.org.pl
  2. FEATURES
     • Centralized - all passwords are stored in one place
     • Subsequent logins can happen without user interaction
     • Easy to implement
  3. GATEWAY AUTH
     redirect (with token)
     Note: we don't show the login form, even if the user is not logged in
  4. SINGLE SIGN-OFF
     But... it doesn't scale! Facebook uses delayed single sign-off:
     • The first cookie is long-lived and keeps the user session
     • The second cookie, required to perform API calls, is short-lived and needs to be refreshed using the first cookie
     • Signing off from Facebook deletes both cookies
  5. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
       <cas:authenticationSuccess>
         <cas:user>marek</cas:user>
         <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
       </cas:authenticationSuccess>
     </cas:serviceResponse>

     <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
       <cas:authenticationFailure code="INVALID_TICKET">
         Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
       </cas:authenticationFailure>
     </cas:serviceResponse>

     Oh hai, XML!
  6. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
       <cas:authenticationSuccess>
         <cas:user>marek</cas:user>
         <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
         <fullName>Marek Stępniowski</fullName>
         <isAdmin>yes</isAdmin>
       </cas:authenticationSuccess>
     </cas:serviceResponse>

     <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
       <cas:authenticationFailure code="INVALID_TICKET">
         Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
       </cas:authenticationFailure>
     </cas:serviceResponse>

     Oh hai, XML!
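The serviceValidate responses above are what the application must parse before it trusts a user; as an added example (not code from the deck or from any CAS project), here is a standard-library Python parser that handles both the success form and the INVALID_TICKET failure form and refuses anything malformed. The sample responses are constructed from the slides; attributes are accepted both un-namespaced directly under authenticationSuccess, as the slide shows them, and inside the CAS 3.0 cas:attributes wrapper.

```python
import xml.etree.ElementTree as ET

CAS = "{http://www.yale.edu/tp/cas}"
# Children of authenticationSuccess defined by the protocol; everything else is an attribute.
PROTOCOL_FIELDS = {"user", "proxyGrantingTicket", "proxies", "attributes"}

# Constructed samples modelled on the responses shown on the slides (not real tickets).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    <fullName>Marek Stępniowski</fullName>
    <isAdmin>yes</isAdmin>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

def parse_service_response(xml_text):
    """Parse a CAS serviceValidate reply into a dict (ok/user/pgt_iou/attributes,
    or ok=False/code/message). Raises ValueError for anything malformed, so a
    broken or unexpected reply is never mistaken for a successful login."""
    root = ET.fromstring(xml_text)  # reply is fetched server-to-server from the CAS server
    if root.tag != CAS + "serviceResponse":
        raise ValueError("not a cas:serviceResponse document")
    failure = root.find(CAS + "authenticationFailure")
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": " ".join((failure.text or "").split())}
    success = root.find(CAS + "authenticationSuccess")
    user = success.findtext(CAS + "user") if success is not None else None
    if not user or not user.strip():
        raise ValueError("no authenticationSuccess with a cas:user element")
    pgt_iou = success.findtext(CAS + "proxyGrantingTicket")
    attributes = {}
    # CAS 3.0 nests attributes under <cas:attributes>; the slides show them
    # un-namespaced directly under authenticationSuccess. Accept both layouts.
    for holder in [success] + success.findall(CAS + "attributes"):
        for child in holder:
            local = child.tag.split("}")[-1]
            if holder is success and local in PROTOCOL_FIELDS:
                continue
            attributes[local] = (child.text or "").strip()
    return {"ok": True, "user": user.strip(),
            "pgt_iou": pgt_iou.strip() if pgt_iou else None, "attributes": attributes}
```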
  7. FEATURES
     • Decentralized - you don't need to store passwords at all
     • Single sign-on but not single sign-in
     • Hard to implement - delegation requires an HTML parser
  8. 2.0

  9. COMPARISON
     CAS:
     • Centralized
     • Single sign-on and sign-in
     • Easy to implement
     • Attribute exchange (CAS 3.0)
     • Single sign-off
     • Gateway authentication
     OpenID:
     • Decentralized
     • Only single sign-on
     • Hard to implement
     • openid.sreg and openid.ax
     • Single sign-off
     • Browser extensions