Single sign-on

Transcript

1. MAREK STĘPNIOWSKI @mstepniowski

2. None

3. SINGLE SIGN-ON

4. None
5. None
6. None

7. Redmine - zarządzanie projektami redmine.nowoczesnapolska.org.pl Platforma Redakcyjna redakcja.wolnelektury.pl

8. Redmine - zarządzanie projektami redmine.nowoczesnapolska.org.pl Platforma Redakcyjna redakcja.wolnelektury.pl Wolne Lektury

   wolnelektury.pl Wolne Podręczniki wiki.wolnepodreczniki.pl Blog nowoczesnapolska.org.pl

9. •Kerberos •LDAP •Active Directory

10. We don’t need no stinkin’ protocols! “

11. •CAS •OpenID •OAuth

12. CAS Jasig

13. None

14. redirect

15. Login: ________ Pass: ________

16. Login: marek Pass: ********

17. redirect (with token)

18. check token

19. yes marek no

20. None

21. FEATURES • Centralized - all passwords are stored in one

    place • Subsequent logins can happen without user interaction • Easy to implement
22. None

23. GATEWAY AUTH (accessing public webpage)

24. GATEWAY AUTH redirect

25. GATEWAY AUTH redirect (with token) Note We don’t show the

    login form, even if the user is not logged in

26. GATEWAY AUTH check token

27. GATEWAY AUTH yes marek no

28. GATEWAY AUTH If authentication was succesful serve the modified page

29. None

30. JAVASCRIPT AUTH

31. SINGLE SIGN-OFF

32. SINGLE SIGN-OFF Sign off

33. SINGLE SIGN-OFF But... It doesn’t scale! Facebook uses delayed single

    sign-off: • First cookie is long lived and keeps the user session • Second cookie required to perform API calls is short lived and needs to be refreshed using the first cookie • Signing off from Facebook deletes both cookies

34. CAS 2.0

35. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET">

    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure> </cas:serviceResponse> Oh hai, XML!

36. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket> </cas:authenticationSuccess> </cas:serviceResponse> <cas:serviceResponse

    xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure> </cas:serviceResponse> Oh hai, XML!

37. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket> <fullName>Marek Stępniowski</fullName> <isAdmin>yes<isAdmin>

    </cas:authenticationSuccess> </cas:serviceResponse> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure> </cas:serviceResponse> Oh hai, XML!

38. CAS 3.0

39. STUCK IN A LIMBO Adds attribute exchange (most clients implement

    it as an extension of 2.0)

40. • Django https://github.com/zuber/django-cas-provider https://github.com/zuber/django-cas-consumer • Python https://wiki.jasig.org/display/CASC/Pycas • Ruby http://code.google.com/p/rubycas-server/

    http://code.google.com/p/rubycas-client/ +many more

41. • Django https://github.com/zuber/django-cas-provider https://github.com/zuber/django-cas-consumer • Python https://wiki.jasig.org/display/CASC/Pycas The simplest single

    sign-on solution available
42. None
43. None

44. OpenID: ________

45. OpenID: stepniowski.com

46. redirect stepniowski.com

47. Login: ________ Pass: ________ stepniowski.com

48. Login: marek Pass: ******** stepniowski.com

49. redirect (with token) stepniowski.com

50. check token stepniowski.com

51. yes|no stepniowski.com

52. stepniowski.com

53. FEATURES Strangely similar to CAS

54. FEATURES • Decentralized - you don’t need to store passwords

    at all • Single sign-on but not single sign-in • Hard to implement - delegation requires an HTML parser

55. openid.sreg openid.ax

56. 2.0

57. • Django https://github.com/omab/django-social-auth • Python https://github.com/openid/python-openid • Ruby https://github.com/openid/ruby-openid +many

    more

58. COMPARISON CAS OpenID • Centralized • Single sign-on and sign-in

    • Easy to implement • Decentralized • Only single sign-on • Hard to implement • Attribute exchange (CAS 3.0) • Single sign-off • Gateway authentication • openid.sreg and openid.ax • Single sign-off • Browser extensions
59. None

60. ASK FOR IT And I will create a separate presentation

61. MAREK STĘPNIOWSKI @mstepniowski