
Single Sign On with TYPO3 Flow

hlubek
April 19, 2013


Slides for my talk at the Inspiring Flow 2013 conference about a Single Sign On solution for TYPO3 Flow.


Transcript

  1. Single Sign On with Inspiring Flow 2013

  2. @hlubek Christopher Hlubek

  3. Work

  4. TYPO3 Flow Surf Neos ...

  5. Sign-On Sign-In Authentication Authorization Single-Sign-On

  6. Authentication

  7. Who? > Identity

  8. j.doe ****** Login j.doe

  9. Username / Password over and over ...

  10. What do we repeat in every new webapp?

  11. = +

  12. „Can we store all accounts centrally and login once and forever?“ [enter customer name here] quote

  13. Service oriented apps: Large Monolithic Unmaintainable App monster vs. Focussed Clean Small Service Apps
  14. Requirements Seamless login Flow integration Server and client Expiration sync

  15. Existing SSO solutions CAS Shibboleth SAML 2.0 OpenId OAuth

  16. Peek into the SAML 2.0 spec

  17. None
  18. We built a custom solution...

  19. Why? Ease of use Reduce complexity Flexibility

  20. Flowpack.SingleSignOn.*

  21. In cooperation with Robert Lemke

  22. Basic architecture: Flow app, SSO Server package, Your domain package

  23. A roundtrip

  24. Server / Instance: 1 access secured resource, 2 redirect to server, 3 authenticate, 4 redirect back, 5 redeem token, 6 redirect to secured res.
  25. Confused?

  26. Demo

  27. Some more detail

  28. Server: Server key pair; Service base URI > server identifier. Stored: Client 1 (Public key, Service base), Client 2 (Public key, Service base)

  29. Client: Client key pair; Service base URI > client identifier. Stored

  30. Server / Instance, 2 redirect to server: /sso/authentication?originalUri=...&ssoClientIdentifier=...&signature=... (RSA signing of requests)

  31. Server, 3 authenticate: Use existing authentication providers

  32. Server / Instance, 4 redirect back: Encrypted access token for server-side data transfer: /sso/authentication/callback?originalUri=...&accessToken=...&signature=...

  33. Server / Instance, 5 redeem token: Server-side signed request; Validates token; Get account data from server: POST /sso/token/jNkmyO6oC1gm4xozKt1FR579/redeem

  34. Instance, 6 redirect to secured res.: Create / get account from data. Authenticated!
  35. Features

  36. It works ;)

  37. Flow security framework integration

  38. SSO on instance is just a provider with entry point

  39. Re-use existing providers on SSO server LDAP UsernamePassword OpenID

  40. Flexible account data mapping

  41. Expiration synchronization

  42. Single-Sign-Off

  43. Account switching on server

  44. Uses advanced Flow Session™

  45. Sessions of instances can be destroyed remotely

  46. Sessions on server are fully manageable

  47. Sessions can use existing Cache backends Redis Riak Memcached ...

  48. Development </>

  49. Quality assurance

  50. Tests...

  51. 1 Acceptance tests with Behat

  52. Feature: Instance Login with Single Sign-On
        In order to access a secured resource on an instance (some web application)
        As a user of the instance
        I need to be able to log in using my central user account on the SSO server

      Background:
        Given I am not authenticated on the server or the instance

      Scenario: Protected resource on instance redirects to server login
        Given I am on the instance homepage
        When I click on the link "Go to secure action"
        Then I should be redirected to the server
        And I should see a login form

      Scenario: Login on server with correct credentials redirects to original URI
        Given I am on the instance homepage
        And I click on the link "Go to secure action"
        When I fill in "Username" with "admin"
        And I fill in "Password" with "password"
        And I press "Login"
        Then I should be redirected to the instance
        And the URI should not contain SSO parameters

      Scenario: Login forwards account information to instance
        Given I am on the instance homepage
  53. 2 Unit and functional tests

  54. Demo setup with Vagrant and Chef Solo

  55. Status and outlook

  56. Currently in integration into customer project

  57. Missing some bits: mostly Documentation

  58. Integration into external systems Maybe with SAML?

  59. Thank you!
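The signed redirect of step 2 in the roundtrip (slides 28 to 30), as an added Go example that is not code from the Flowpack.SingleSignOn package (which is PHP): the instance signs originalUri and ssoClientIdentifier with its client key pair, and the server looks up the public key it stores for that client identifier and rejects the request if the identifier is unknown or the signature does not verify, before any login form is shown. The canonical signing input, the key size, and the service base URIs and identifiers used in the test are assumptions, not taken from the package.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
)

// NewKeyPair creates the RSA key pair each side registers (slides 28 and 29).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signingInput: assumed canonical form (not shown in the deck): the two signed parameters joined by a newline, hashed.
func signingInput(q url.Values) []byte {
	h := sha256.Sum256([]byte(q.Get("originalUri") + "\n" + q.Get("ssoClientIdentifier")))
	return h[:]
}

// BuildRedirect is step 2 on the instance: sign the redirect to the server with the client key pair.
func BuildRedirect(serverBase, clientID, originalURI string, key *rsa.PrivateKey) (string, error) {
	q := url.Values{"originalUri": {originalURI}, "ssoClientIdentifier": {clientID}}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, signingInput(q))
	if err != nil {
		return "", err
	}
	q.Set("signature", base64.RawURLEncoding.EncodeToString(sig))
	return serverBase + "/sso/authentication?" + q.Encode(), nil
}

// VerifyRedirect is step 2 on the server: find the public key stored for the client identifier, check the signature first.
func VerifyRedirect(redirect string, clients map[string]*rsa.PublicKey) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	q := u.Query()
	pub, ok := clients[q.Get("ssoClientIdentifier")]
	if !ok {
		return "", errors.New("unknown ssoClientIdentifier")
	}
	sig, err := base64.RawURLEncoding.DecodeString(q.Get("signature"))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, signingInput(q), sig) != nil {
		return "", errors.New("invalid request signature")
	}
	return q.Get("originalUri"), nil
}
```

The callback of step 4 carries a signature as well; the same check would apply with the roles swapped, the instance verifying against the server public key it stores.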