Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Single sign-on

Marek Stępniowski
August 08, 2011
Programming
2
280

Single sign-on

Comparison of single sign-on solutions like Active Directory, LDAP and Kerberos, focusing mainly on OpenID and CAS.

Marek Stępniowski

August 08, 2011
Tweet

More Decks by Marek Stępniowski

See All by Marek Stępniowski
Django - best Python micro web framework
mstepniowski
8
3.3k
asyncio - how sausage is made
mstepniowski
2
480
Multiple databases in Django
mstepniowski
9
1.3k
Django Carrots
mstepniowski
3
1k
Advanced design patterns
mstepniowski
2
460
Design patterns
mstepniowski
3
430

Other Decks in Programming

See All in Programming
offers_20241022_imakiire.pdf
imakurusu
2
360
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
360
外部システム連携先が10を超えるシステムでのアーキテクチャ設計・実装事例
kiwasaki
1
230
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
Identifying User Idenity
moro
6
7.9k
/←このスケジュール表に立ち向かう フロントエンド開発戦略 / A front-end development strategy to tackle a single-slash schedule.
nrslib
1
590
推し活としてのrails new/oshikatsu_ha_iizo
sakahukamaki
3
1.7k
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
140
2万ページのSSG運用における工夫と注意点 / Vue Fes Japan 2024
chinen
3
1.3k
リリース8年目のサービスの1800個のERBファイルをViewComponentに移行した方法とその結果
katty0324
5
3.6k
Why Spring Matters to Jakarta EE - and Vice Versa
ivargrimstad
0
980

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Into the Great Unknown - MozCon
thekraken
31
1.5k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Become a Pro
speakerdeck
PRO
24
5k
Building Your Own Lightsaber
phodgson
102
6k
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
GraphQLとの向き合い方2022年版
quramy
43
13k
Statistics for Hackers
jakevdp
796
220k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k

Transcript

  1. MAREK STĘPNIOWSKI @mstepniowski

  2. None

  3. SINGLE SIGN-ON

  4. None
  5. None
  6. None

  7. Redmine - zarządzanie projektami redmine.nowoczesnapolska.org.pl Platforma Redakcyjna redakcja.wolnelektury.pl

  8. Redmine - zarządzanie projektami redmine.nowoczesnapolska.org.pl Platforma Redakcyjna redakcja.wolnelektury.pl Wolne Lektury

    wolnelektury.pl Wolne Podręczniki wiki.wolnepodreczniki.pl Blog nowoczesnapolska.org.pl

  9. •Kerberos •LDAP •Active Directory

  10. We don’t need no stinkin’ protocols! “

  11. •CAS •OpenID •OAuth

  12. CAS Jasig

  13. None

  14. redirect

  15. Login: ________ Pass: ________

  16. Login: marek Pass: ********

  17. redirect (with token)

  18. check token

  19. yes marek no

  20. None

  21. FEATURES • Centralized - all passwords are stored in one

    place • Subsequent logins can happen without user interaction • Easy to implement
  22. None

  23. GATEWAY AUTH (accessing public webpage)

  24. GATEWAY AUTH redirect

  25. GATEWAY AUTH redirect (with token) Note We don’t show the

    login form, even if the user is not logged in

  26. GATEWAY AUTH check token

  27. GATEWAY AUTH yes marek no

  28. GATEWAY AUTH If authentication was succesful serve the modified page

  29. None

  30. JAVASCRIPT AUTH

  31. SINGLE SIGN-OFF

  32. SINGLE SIGN-OFF Sign off

  33. SINGLE SIGN-OFF But... It doesn’t scale! Facebook uses delayed single

    sign-off: • First cookie is long lived and keeps the user session • Second cookie required to perform API calls is short lived and needs to be refreshed using the first cookie • Signing off from Facebook deletes both cookies

  34. CAS 2.0

  35. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET">

    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure> </cas:serviceResponse> Oh hai, XML!

  36. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket> </cas:authenticationSuccess> </cas:serviceResponse> <cas:serviceResponse

    xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure> </cas:serviceResponse> Oh hai, XML!

  37. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket> <fullName>Marek Stępniowski</fullName> <isAdmin>yes<isAdmin>

    </cas:authenticationSuccess> </cas:serviceResponse> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure> </cas:serviceResponse> Oh hai, XML!

  38. CAS 3.0

  39. STUCK IN A LIMBO Adds attribute exchange (most clients implement

    it as an extension of 2.0)

  40. • Django https://github.com/zuber/django-cas-provider https://github.com/zuber/django-cas-consumer • Python https://wiki.jasig.org/display/CASC/Pycas • Ruby http://code.google.com/p/rubycas-server/

    http://code.google.com/p/rubycas-client/ +many more

  41. • Django https://github.com/zuber/django-cas-provider https://github.com/zuber/django-cas-consumer • Python https://wiki.jasig.org/display/CASC/Pycas The simplest single

    sign-on solution available
  42. None
  43. None

  44. OpenID: ________

  45. OpenID: stepniowski.com

  46. redirect stepniowski.com

  47. Login: ________ Pass: ________ stepniowski.com

  48. Login: marek Pass: ******** stepniowski.com

  49. redirect (with token) stepniowski.com

  50. check token stepniowski.com

  51. yes|no stepniowski.com

  52. stepniowski.com

  53. FEATURES Strangely similar to CAS

  54. FEATURES • Decentralized - you don’t need to store passwords

    at all • Single sign-on but not single sign-in • Hard to implement - delegation requires an HTML parser

  55. openid.sreg openid.ax

  56. 2.0

  57. • Django https://github.com/omab/django-social-auth • Python https://github.com/openid/python-openid • Ruby https://github.com/openid/ruby-openid +many

    more

  58. COMPARISON CAS OpenID • Centralized • Single sign-on and sign-in

    • Easy to implement • Decentralized • Only single sign-on • Hard to implement • Attribute exchange (CAS 3.0) • Single sign-off • Gateway authentication • openid.sreg and openid.ax • Single sign-off • Browser extensions
  59. None

  60. ASK FOR IT And I will create a separate presentation

  61. MAREK STĘPNIOWSKI @mstepniowski