Single sign-on - Speaker Deck

Single sign-on

by Marek Stępniowski

Embed

Start on current slide

Slide 1

Slide 1 text

MAREK STĘPNIOWSKI @mstepniowski

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

SINGLE SIGN-ON

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Redmine - zarządzanie projektami redmine.nowoczesnapolska.org.pl Platforma Redakcyjna redakcja.wolnelektury.pl

Slide 8

Slide 8 text

Redmine - zarządzanie projektami redmine.nowoczesnapolska.org.pl Platforma Redakcyjna redakcja.wolnelektury.pl Wolne Lektury wolnelektury.pl Wolne Podręczniki wiki.wolnepodreczniki.pl Blog nowoczesnapolska.org.pl

Slide 9

Slide 9 text

•Kerberos •LDAP •Active Directory

Slide 10

Slide 10 text

We don’t need no stinkin’ protocols! “

Slide 11

Slide 11 text

•CAS •OpenID •OAuth

Slide 12

Slide 12 text

CAS Jasig

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

redirect

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

redirect (with token)

Slide 18

Slide 18 text

check token

Slide 19

Slide 19 text

yes marek no

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

FEATURES • Centralized - all passwords are stored in one place • Subsequent logins can happen without user interaction • Easy to implement

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

GATEWAY AUTH (accessing public webpage)

Slide 24

Slide 24 text

GATEWAY AUTH redirect

Slide 25

Slide 25 text

GATEWAY AUTH redirect (with token) Note We don’t show the login form, even if the user is not logged in

Slide 26

Slide 26 text

GATEWAY AUTH check token

Slide 27

Slide 27 text

GATEWAY AUTH yes marek no

Slide 28

Slide 28 text

GATEWAY AUTH If authentication was succesful serve the modiﬁed page

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

JAVASCRIPT AUTH

Slide 31

Slide 31 text

SINGLE SIGN-OFF

Slide 32

Slide 32 text

SINGLE SIGN-OFF Sign off

Slide 33

Slide 33 text

SINGLE SIGN-OFF But... It doesn’t scale! Facebook uses delayed single sign-off: • First cookie is long lived and keeps the user session • Second cookie required to perform API calls is short lived and needs to be refreshed using the ﬁrst cookie • Signing off from Facebook deletes both cookies

Slide 34

Slide 34 text

CAS 2.0

Slide 35

Slide 35 text

marek Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized Oh hai, XML!

Slide 36

Slide 36 text

marek PGTIOU-84678-8a9d... Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized Oh hai, XML!

Slide 37

Slide 37 text

marek PGTIOU-84678-8a9d... Marek Stępniowski yes Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized Oh hai, XML!

Slide 38

Slide 38 text

CAS 3.0

Slide 39

Slide 39 text

STUCK IN A LIMBO Adds attribute exchange (most clients implement it as an extension of 2.0)

Slide 40

Slide 40 text

• Django https://github.com/zuber/django-cas-provider https://github.com/zuber/django-cas-consumer • Python https://wiki.jasig.org/display/CASC/Pycas • Ruby http://code.google.com/p/rubycas-server/ http://code.google.com/p/rubycas-client/ +many more

Slide 41

Slide 41 text

• Django https://github.com/zuber/django-cas-provider https://github.com/zuber/django-cas-consumer • Python https://wiki.jasig.org/display/CASC/Pycas The simplest single sign-on solution available

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

OpenID: ________

Slide 45

Slide 45 text

OpenID: stepniowski.com

Slide 46

Slide 46 text

redirect stepniowski.com

Slide 47

Slide 47 text

Slide 48

Slide 48 text

Slide 49

Slide 49 text

redirect (with token) stepniowski.com

Slide 50

Slide 50 text

check token stepniowski.com

Slide 51

Slide 51 text

yes|no stepniowski.com

Slide 52

Slide 52 text

stepniowski.com

Slide 53

Slide 53 text

FEATURES Strangely similar to CAS

Slide 54

Slide 54 text

FEATURES • Decentralized - you don’t need to store passwords at all • Single sign-on but not single sign-in • Hard to implement - delegation requires an HTML parser

Slide 55

Slide 55 text

openid.sreg openid.ax

Slide 56

Slide 56 text

2.0

Slide 57

Slide 57 text

• Django https://github.com/omab/django-social-auth • Python https://github.com/openid/python-openid • Ruby https://github.com/openid/ruby-openid +many more

Slide 58

Slide 58 text

COMPARISON CAS OpenID • Centralized • Single sign-on and sign-in • Easy to implement • Decentralized • Only single sign-on • Hard to implement • Attribute exchange (CAS 3.0) • Single sign-off • Gateway authentication • openid.sreg and openid.ax • Single sign-off • Browser extensions