Identity 2.0: the what, why and how of social and federated login

Transcript

1. Identity 2.0 The what, why and how of social and

   federated auth Fraser Tweedale @hackuador August 5, 2017 #pyconau

2. This talk What is federated / social authentication? Why should

   I care? How do I use it?

3. Why? authentication is hard to get right data silos are

   bad authentication is burdensome for users user often is already authenticated by someone therefore outsource your authentication

4. UA SP IDP GET /thing Who's that? It's Alice! Here

   you go UA = User Agent SP = Service Provider IDP = Identity Provider

5. Who? Social login providers Google, Facebook, Twitter, Linked.in, GitHub, Microsoft,

   . . . The enterprise Active Directory, FreeIPA, . . . LDAP
6. None
7. None
8. None
9. None

10. Why not? not everyone uses Facebook, GitHub, . . .

    might not want to use social login more moving parts

11. UA SP IDP Request

12. UA SP IDP Request Response user already logged in

13. UA SP IDP Request Redirect to IdP user not logged

    in

14. UA SP IDP Request Redirect to IdP Login user not

    logged in Login form user not logged in

15. UA SP IDP Request Redirect to IdP Login Redirect (token)

    user not logged in Login form user not logged in

16. UA SP IDP Request Redirect to IdP Login Redirect (token)

    Get user info user not logged in Login form user not logged in

17. UA SP IDP Request Redirect to IdP Login Redirect (token)

    Get user info Resource user not logged in Login form user not logged in

18. UA SP IDP Request Redirect to IdP Redirect (token) Get

    user info Resource user not logged in user already logged in

19. Protocols SAML 2.01 Security Assertion Markup Language 2005, XML OpenID

    Connect2 2014, JSON + JWT based on OAuth 2.0 1http://saml.xml.org/saml-specifications 2https://openid.net/connect/

20. Identity brokers connect SPs with IDPs (many-to-many) may support multiple

    service realms may support multiple IDP and federation protocols

21. IDP UA SP Broker Request Redirect to broker Login Redirect

    (token) Get user info Resource Login form Redirect to IDP Redirect (token) Get user info

22. Keycloak Open Source identity broker http://www.keycloak.org/ IDPs: social, SAML, OpenID

    Connect, LDAP, Kerberos SPs: SAML, OpenID Connect Red Hat Single Sign-On Docker images available3,4 3https://hub.docker.com/r/jboss/keycloak/ 4https://github.com/jboss-dockerfiles/keycloak

23. Demo

24. Demo GitHub social login LDAP-based IDP Keycloak Apache modules mod_auth_mellon5

    mod_auth_openidc6 REMOTE_USER 5https://github.com/UNINETT/mod_auth_mellon 6https://github.com/pingidentity/mod_auth_openidc

25. HTTP SAML OAuth 2.0 GitHub Firefox app.py / Apache Keycloak

    Request Redirect to broker Login & authorise Redirect (token) Resource Login/authz form Redirect to IDP SAML assertion Get user info "social" realm /saml

26. HTTP OIDC LDAP FreeIPA LDAP Firefox app.py / Apache Keycloak

    Request Redirect to broker Resource LDAP BIND Login form authz code Get ID token Get user entry "corp" realm /oidc

27. NGINX NGINX Plus (OpenID Connect; paid) https://github.com/pingidentity/lua-resty-openidc

28. Web frameworks

29. Django Packages https://python-social-auth.readthedocs.io/ https://djangopackages.org/grids/g/oidc/ https://djangopackages.org/packages/p/djangosaml2/ REMOTE_USER https://docs.djangoproject.com/en/1.11/howto/auth-remote-user/ http://www.adelton.com/django/ external-authentication-for-django-projects

30. Other Python frameworks https://python-social-auth.readthedocs.io/ https://pypi.python.org/pypi/pysaml2

31. REMOTE_USER - general guidelines use middleware(s) to interpret request environment

    map remote roles to app roles users: transient or persisted? tweak login view as needed

32. Wrapping up

33. Security use TLS everywhere how secure are the libraries? how

    secure are the protocols?7,8,9 preventing token / data interception at UA 7A Comprehensive Formal Security Analysis of OAuth 2.0 8The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines 9Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps

34. UA SP IDP Request Redirect to IdP Login Redirect (token)

    Get user info Resource user not logged in Login form user not logged in

35. UA SP IDP Request Redirect to IdP Login Redirect to

    SP POST /token Resource user not logged in Login form user not logged in (authz code payload) JWT (id_token) OpenID Connect verify JWT

36. UA SP IDP Request Redirect to IdP Login Redirect to

    SP Resource user not logged in Login form user not logged in (encrypted SAML assertion) SAML decrypt & verify SAML assertion

37. Challenges testing email verification account linking10,11 10https://stackoverflow.com/questions/6666267/architecture-for-merging-multiple-user-accounts-together 11https://www.sitepoint.com/social-network-authentication-merging-accounts/

38. SAML or OpenID Connect? if you’re implementing new services: OpenID

    Connect if it’s a mobile app: OpenID Connect if the SP only speaks one or the other: use that if you have SAML and OpenID Connect SPs: broker

39. Single sign-out what happens when user signs out of IDP?

    supported by SAML; draft spec for OpenID Connect

40. Other SP UA SP IDP invalidate session invalidate session Logout

    Logout Logout

41. Other UA Other SP UA SP IDP invalidate session invalidate

    session Logout Logout iframe invalidate session Logout Poll Logged out

42. Recap Socialise or centralise your authentication Identity brokers can do

    a lot of the heavy lifting Web servers can present a consistent view to apps

43. Except where otherwise noted this work is licensed under http://creativecommons.org/licenses/by/4.0/

    https://speakerdeck.com/frasertweedale @hackuador