Identity 2.0: the what, why and how of social and federated login

Whether you're developing public-facing web apps or deploying behind the corporate firewall, the days of identity silos are over. Social auth (log in with FooBookHub) and federated identity (SAML, OpenID Connect and friends) are the new normal. The advantages are clear: developers and operators have less security-sensitive code to write and deploy, while users experience less password/account fatigue, and enjoy improved productivity through single sign-on.

But there's no such thing as a free lunch; like most things in technology there are trade-offs. Federated authentication protocols are inherently more elaborate than plain old passwords; more moving parts means more complex deployment and more points of failure. Fortunately there are tools to ease the burden and smooth the process of securing your applications.

In this extended session for web developers and administrators/operations folks, attendees will learn and experience how to deploy and use federated auth, end-to-end from the identity provider to the app. The session will cover:

The basics of federated authentication including protocol overviews and comparisons.

How to use social auth providers for public-facing applications, allowing users to log in with an account they already have.

How to leverage accounts in centralised identity management systems (FreeIPA, Active Directory, LDAP, etc) for single sign-on in an organisation.

How identity brokers like Keycloak make it easy to use a variety of external authentication providers, and provide a consistent user experience across multiple applications.

How to use external identities in your applications with the help of your web server, focusing in particular on popular Python web frameworks and Apache (though the principles are more widely applicable).

Security characteristics, and discussion of some challenging scenarios including testing, account merging and single sign-out.


Fraser Tweedale

August 03, 2017

Transcript

  1. Identity 2.0: The what, why and how of social and federated auth. Fraser Tweedale, @hackuador, August 5, 2017, #pyconau
  2. This talk: What is federated / social authentication? Why should I care? How do I use it?
  3. Why? Authentication is hard to get right; data silos are bad; authentication is burdensome for users; the user often is already authenticated by someone; therefore, outsource your authentication.
  4. UA / SP / IDP sequence diagram: "GET /thing"; "Who's that?"; "It's Alice!"; "Here you go". UA = User Agent, SP = Service Provider, IDP = Identity Provider.
  5. Who? Social login providers: Google, Facebook, Twitter, Linked.in, GitHub, Microsoft, ... The enterprise: Active Directory, FreeIPA, ... LDAP.
  10. Why not? Not everyone uses Facebook, GitHub, ...; users might not want to use social login; more moving parts.
  11-17. UA / SP / IDP sequence diagram, built up step by step: Request; Redirect to IdP (user not logged in at the SP); Login (login form, user not logged in at the IDP); Redirect (token); Get user info; Resource.
  12. Variant: if the user is already logged in at the SP: Request; Response.
  18. Variant: user not logged in at the SP but already logged in at the IDP: Request; Redirect to IdP; Redirect (token); Get user info; Resource (no login form).
  19. Protocols: SAML 2.0, Security Assertion Markup Language (2005, XML) [1]; OpenID Connect (2014, JSON + JWT, based on OAuth 2.0) [2]. [1] http://saml.xml.org/saml-specifications [2] https://openid.net/connect/
  20. Identity brokers: connect SPs with IDPs (many-to-many); may support multiple service realms; may support multiple IDP and federation protocols.
  21. UA / SP / Broker / IDP sequence diagram: Request; Redirect to broker; Redirect to IDP; Login form; Login; Redirect (token) to broker; Get user info (broker from IDP); Redirect (token) to SP; Get user info (SP from broker); Resource.
  22. Keycloak: Open Source identity broker, http://www.keycloak.org/. IDPs: social, SAML, OpenID Connect, LDAP, Kerberos. SPs: SAML, OpenID Connect. Red Hat Single Sign-On. Docker images available [3], [4]. [3] https://hub.docker.com/r/jboss/keycloak/ [4] https://github.com/jboss-dockerfiles/keycloak
  23. Demo

  24. Demo: GitHub social login; LDAP-based IDP; Keycloak; Apache modules mod_auth_mellon [5] and mod_auth_openidc [6]; REMOTE_USER. [5] https://github.com/UNINETT/mod_auth_mellon [6] https://github.com/pingidentity/mod_auth_openidc
  25. Demo 1 architecture diagram: Firefox (HTTP) -> app.py / Apache (SAML, /saml) -> Keycloak "social" realm (OAuth 2.0) -> GitHub. Messages: Request; Redirect to broker; Redirect to IDP; Login & authorise (login/authz form); Redirect (token); Get user info; SAML assertion; Resource.
  26. Demo 2 architecture diagram: Firefox (HTTP) -> app.py / Apache (OIDC, /oidc) -> Keycloak "corp" realm (LDAP) -> FreeIPA LDAP. Messages: Request; Redirect to broker; Login form; LDAP BIND; Get user entry; authz code; Get ID token; Resource.
  27. NGINX: NGINX Plus (OpenID Connect; paid); https://github.com/pingidentity/lua-resty-openidc

  28. Web frameworks

  29. Django. Packages: https://python-social-auth.readthedocs.io/ ; https://djangopackages.org/grids/g/oidc/ ; https://djangopackages.org/packages/p/djangosaml2/ . REMOTE_USER: https://docs.djangoproject.com/en/1.11/howto/auth-remote-user/ ; http://www.adelton.com/django/external-authentication-for-django-projects

  30. Other Python frameworks: https://python-social-auth.readthedocs.io/ ; https://pypi.python.org/pypi/pysaml2

  31. REMOTE_USER - general guidelines: use middleware(s) to interpret the request environment; map remote roles to app roles; users: transient or persisted?; tweak the login view as needed.
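The guidelines on the slide above, as an added example in WSGI (not code from the talk or its demo): the middleware interprets the environment that Apache populated, maps the remote group attribute to application roles, and gives the app one identity object. The variable names it reads are assumptions: mod_auth_openidc exports claims as OIDC_CLAIM_<name> (multi-valued claims joined with ","), mod_auth_mellon exports assertion attributes as MELLON_<name>_<n>; the "app.identity" key and role map are constructed for the example.

```python
from typing import Dict, List, Optional

def remote_groups(environ: dict, attr: str = "groups") -> List[str]:
    """Collect the group attribute in whichever form the Apache auth module
    exported it (assumed: OIDC_CLAIM_<attr> joined by ",", or MELLON_<attr>_<n>)."""
    oidc = environ.get("OIDC_CLAIM_" + attr)
    if oidc:
        return [g for g in oidc.split(",") if g]
    groups, i = [], 0
    while ("MELLON_%s_%d" % (attr, i)) in environ:
        groups.append(environ["MELLON_%s_%d" % (attr, i)])
        i += 1
    return groups

def resolve_identity(environ: dict, role_map: Dict[str, str]) -> Optional[dict]:
    """None when the web server did not authenticate the request; otherwise the
    remote user plus the app roles derived from the remote groups.  Groups with
    no mapping are dropped rather than passed through, so the app only ever
    sees roles it defined itself."""
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    roles = sorted({role_map[g] for g in remote_groups(environ) if g in role_map})
    return {"user": user, "roles": roles}

class RemoteUserMiddleware:
    """Interpret the request environment once so the app never reads the raw
    variables.  These variables are only trustworthy when Apache is the sole
    path to the app: a deployment that copies client headers into the WSGI
    environment would let a client choose its own REMOTE_USER."""

    def __init__(self, app, role_map: Dict[str, str]):
        self.app, self.role_map = app, role_map

    def __call__(self, environ, start_response):
        environ["app.identity"] = resolve_identity(environ, self.role_map)
        return self.app(environ, start_response)
```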
  32. Wrapping up

  33. Security: use TLS everywhere; how secure are the libraries?; how secure are the protocols? [7], [8], [9]; preventing token / data interception at the UA. [7] A Comprehensive Formal Security Analysis of OAuth 2.0 [8] The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines [9] Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps
  34. UA / SP / IDP sequence diagram (generic): Request; Redirect to IdP (user not logged in); Login (login form); Redirect (token); Get user info; Resource.
  35. The same flow for OpenID Connect: Request; Redirect to IdP; Login (login form); Redirect to SP (authz code payload); POST /token; JWT (id_token); verify JWT; Resource.
  36. The same flow for SAML: Request; Redirect to IdP; Login (login form); Redirect to SP (encrypted SAML assertion); decrypt & verify SAML assertion; Resource.
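The "verify JWT" step of the OpenID Connect flow on slide 35, as an added example that is not code from the talk: the SP has exchanged the authorization code at POST /token and must now check the id_token before trusting its claims. It assumes an ID token signed with HS256 using the client_secret (OpenID Connect Core permits this; RS256 against the IdP's published keys is the more common deployment and needs an RSA library), and all issuer, client and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Return the claims if the id_token is valid, else raise ValueError.
    Checks, in order: structure, alg, signature, iss, aud, exp, nonce."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated parts")
    h_b64, p_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (h_b64 + "." + p_b64).encode()
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))  # only parsed after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not intended for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:  # nonce was generated by the SP at the redirect
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def make_id_token(claims, client_secret):
    """Mint an HS256 id_token: a constructed stand-in for the IdP's /token reply."""
    h_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    return h_b64 + "." + p_b64 + "." + _b64url_encode(sig)
```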
  37. Challenges: testing; email verification; account linking [10], [11]. [10] https://stackoverflow.com/questions/6666267/architecture-for-merging-multiple-user-accounts-together [11] https://www.sitepoint.com/social-network-authentication-merging-accounts/

  38. SAML or OpenID Connect? If you're implementing new services: OpenID Connect. If it's a mobile app: OpenID Connect. If the SP only speaks one or the other: use that. If you have SAML and OpenID Connect SPs: broker.
  39. Single sign-out: what happens when the user signs out of the IDP? Supported by SAML; draft spec for OpenID Connect.
  40. Single sign-out sequence diagram (Other SP / UA / SP / IDP): Logout; invalidate session; Logout; Logout; invalidate session.
  41. Single sign-out with a second user agent (Other UA / Other SP / UA / SP / IDP): Logout; invalidate session; Logout; Logout; invalidate session; iframe; Poll; Logged out; invalidate session.
  42. Recap: Socialise or centralise your authentication; identity brokers can do a lot of the heavy lifting; web servers can present a consistent view to apps.
  43. Except where otherwise noted this work is licensed under http://creativecommons.org/licenses/by/4.0/ . https://speakerdeck.com/frasertweedale ; @hackuador