Single Sign On with TYPO3 Flow

Transcript

1. Single Sign On with Inspiring Flow 2013

2. @hlubek Christopher Hlubek

3. Work

4. TYPO3 Flow Surf Neos ...

5. Sign-On Sign-In Authentication Authorization Single-Sign-On

6. Authentication

7. Who ? >Identity

8. j.doe ****** Login j.doe

9. Username / Password over and over ...

10. What do we repeat in every new webapp?

11. = +

12. „Can we store all accounts centrally and login once and

    forever?“ [enter customer name here] quote

13. Service oriented apps Large Monolithic Unmaintainable App monster Focussed Clean

    Small Service Apps

14. Requirements Seamless login Flow integration Server and client Expiration sync

15. Existing SSO solutions CAS Shibboleth SAML 2.0 OpenId OAuth

16. Peek into the SAML 2.0 spec

17. None

18. We built a custom solution...

19. Why? Ease of use Reduce complexity Flexibility

20. Flowpack.SingleSignOn.*

21. In cooperation with Robert Lemke

22. Basic architecture Flow app SSO Server package Your domain package

    The

23. A roundtrip

24. Server Instance 1 access secured resource 2 redirect to server

    authenticate 3 5 redeem token 4 redirect back 6 redirect to secured res.

25. Confused?

26. Demo

27. Some more detail

28. Server Server key pair Service base URI > server identifier

    Client 1 Public key Service base Client 2 Public key Service base Stored

29. Client Client key pair Service base URI > client identifier

    Stored

30. Server Instance 2 redirect to server /sso/authentication?originalUri=...&ssoClientIdentifier=...&signature=... RSA signing of

    requests

31. Server authenticate 3 Use existing authentication providers

32. Server Instance 4 redirect back Encrypted access token for server-side

    data transfer /sso/authentication/callback?originalUri=...&accessToken=...&signature=...

33. Server Instance 5 redeem token Server-side signed request Validates token

    Get account data from server POST /sso/token/jNkmyO6oC1gm4xozKt1FR579/redeem

34. Instance 6 redirect to secured res. Create / get account

    from data Authenticated!

35. Features

36. It works ;)

37. Flow security framework integration

38. SSO on instance is just a provider with entry point

39. Re-use existing providers on SSO server LDAP UsernamePassword OpenID

40. Flexible account data mapping

41. Expiration synchronization

42. Single-Sign-Off

43. Account switching on server

44. Uses advanced Flow SessionTM

45. Sessions of instances can be destroyed remotely

46. Sessions on server are fully manageable

47. Sessions can use existing Cache backends Redis Riak Memcached ...

48. Development </>

49. Quality assurance

50. Tests...

51. 1 Acceptance tests with Behat

52. Feature: Instance Login with Single Sign-On In order to access

    a secured resource on an instance (some web application) As a user of the instance I need to be able to log in using my central user account on the SSO server Background: Given I am not authenticated on the server or the instance Scenario: Protected resource on instance redirects to server login Given I am on the instance homepage When I click on the link "Go to secure action" Then I should be redirected to the server And I should see a login form Scenario: Login on server with correct credentials redirects to original URI Given I am on the instance homepage And I click on the link "Go to secure action" When I fill in "Username" with "admin" And I fill in "Password" with "password" And I press "Login" Then I should be redirected to the instance And the URI should not contain SSO parameters Scenario: Login forwards account information to instance Given I am on the instance homepage

53. 2 Unit and functional tests

54. Demo setup with Vagrant and Chef Solo

55. Status and outlook

56. Currently in integration into customer project

57. Missing some bits: mostly Documentation

58. Integration into external systems Maybe with SAML?

59. Thank you!