Single sign-on

Comparison of single sign-on solutions like Active Directory, LDAP and Kerberos, focusing mainly on OpenID and CAS.

Marek Stępniowski

August 08, 2011

Transcript

  1. MAREK STĘPNIOWSKI @mstepniowski

  3. SINGLE SIGN-ON

  7. Redmine - project management: redmine.nowoczesnapolska.org.pl
    Editorial Platform: redakcja.wolnelektury.pl

  8. Redmine - project management: redmine.nowoczesnapolska.org.pl
    Editorial Platform: redakcja.wolnelektury.pl
    Wolne Lektury: wolnelektury.pl
    Wolne Podręczniki: wiki.wolnepodreczniki.pl
    Blog: nowoczesnapolska.org.pl
  9. • Kerberos • LDAP • Active Directory

  10. “We don’t need no stinkin’ protocols!”

  11. • CAS • OpenID • OAuth

  12. CAS Jasig

  14. redirect

  15. Login: ________ Pass: ________

  16. Login: marek Pass: ********

  17. redirect (with token)

  18. check token

  19. yes marek no

  21. FEATURES
    • Centralized - all passwords are stored in one place
    • Subsequent logins can happen without user interaction
    • Easy to implement

  23. GATEWAY AUTH (accessing public webpage)

  24. GATEWAY AUTH redirect

  25. GATEWAY AUTH redirect (with token)
    Note: we don’t show the login form, even if the user is not logged in
  26. GATEWAY AUTH check token

  27. GATEWAY AUTH yes marek no

  28. GATEWAY AUTH If authentication was successful, serve the modified page

  30. JAVASCRIPT AUTH

  31. SINGLE SIGN-OFF

  32. SINGLE SIGN-OFF Sign off

  33. SINGLE SIGN-OFF But... It doesn’t scale! Facebook uses delayed single sign-off:
    • First cookie is long lived and keeps the user session
    • Second cookie, required to perform API calls, is short lived and needs to be refreshed using the first cookie
    • Signing off from Facebook deletes both cookies
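A model of the two-cookie scheme described on slide 33, added here as an example (it is not Facebook's or the presenter's code). It assumes an HMAC key shared by the API servers and usernames without a "|" character, and uses an injectable clock so the delayed-sign-off window can be observed without waiting:

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 30 * 24 * 3600   # first cookie: long-lived, backs the user session
API_TTL = 15 * 60              # second cookie: short-lived, required for API calls
API_KEY = secrets.token_bytes(32)  # constructed here; assumed shared by all API servers

class DelayedSignOff:
    """Model of the two-cookie scheme the slide attributes to Facebook
    (added example, not any vendor's code). self.clock is injectable so the
    expiry behaviour can be exercised without waiting."""

    def __init__(self):
        self.clock = 0
        self.sessions = {}  # session cookie value -> (user, expiry); central store

    def sign_in(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.clock + SESSION_TTL)
        return sid

    def refresh_api_cookie(self, sid):
        """Mint the second cookie. This is the only path that consults the
        central session store, so a signed-off session can never refresh."""
        entry = self.sessions.get(sid)
        if entry is None or entry[1] <= self.clock:
            return None
        user, exp = entry[0], self.clock + API_TTL
        payload = f"{user}|{exp}".encode()   # assumption: usernames contain no '|'
        mac = hmac.new(API_KEY, payload, hashlib.sha256).hexdigest()
        return f"{user}|{exp}|{mac}"

    def api_user(self, cookie):
        """API servers verify signature and expiry only: no session lookup,
        which is why the scheme scales, and why sign-off is delayed by API_TTL."""
        try:
            user, exp, mac = cookie.split("|")
        except ValueError:
            return None
        expected = hmac.new(API_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        return user if int(exp) > self.clock else None

    def sign_off(self, sid):
        """Drop the session: the browser clears both cookies, the server forgets
        the first; an already-issued API cookie lives on until it expires."""
        self.sessions.pop(sid, None)
```

The window between sign_off and API_TTL elapsing is the "delay": an API cookie already in a third party's hands keeps verifying, but it can never be refreshed.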
  34. CAS 2.0

  35. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>marek</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationFailure code="INVALID_TICKET">
        Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
      </cas:authenticationFailure>
    </cas:serviceResponse>

    Oh hai, XML!
  36. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>marek</cas:user>
        <cas:proxyGrantingTicket>
          PGTIOU-84678-8a9d...
        </cas:proxyGrantingTicket>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationFailure code="INVALID_TICKET">
        Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
      </cas:authenticationFailure>
    </cas:serviceResponse>

    Oh hai, XML!
  37. <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>marek</cas:user>
        <cas:proxyGrantingTicket>
          PGTIOU-84678-8a9d...
        </cas:proxyGrantingTicket>
        <fullName>Marek Stępniowski</fullName>
        <isAdmin>yes</isAdmin>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationFailure code="INVALID_TICKET">
        Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
      </cas:authenticationFailure>
    </cas:serviceResponse>

    Oh hai, XML!
  38. CAS 3.0

  39. STUCK IN LIMBO Adds attribute exchange (most clients implement it as an extension of 2.0)
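The client side of the CAS flow on slides 14-19 and 23-28 (redirect, redirect back with a ticket, check the ticket) together with a parser for the serviceResponse bodies on slides 35-39, added here as an example; it is not code from the presentation or from any of the listed CAS libraries. It assumes a CAS base URL and service URL supplied by the caller, and reads CAS 3.0 attributes in the layout slide 37 draws (un-namespaced children of authenticationSuccess) rather than the protocol's own attributes wrapper:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = "{http://www.yale.edu/tp/cas}"  # ElementTree form of the slides' xmlns:cas

class CasValidationError(Exception):
    """Ticket rejected by the CAS server, or response not understood."""

def login_url(cas_base, service, gateway=False):
    """'redirect' step; gateway=true means: return a ticket only if a CAS
    session already exists, never show the login form (slides 23-28)."""
    params = {"service": service, **({"gateway": "true"} if gateway else {})}
    return f"{cas_base}/login?{urlencode(params)}"

def validate_url(cas_base, service, ticket):
    """'check token' step, fetched server-side; 'service' must match login_url."""
    return f"{cas_base}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"

def parse_service_response(xml_text):
    """Return (user, attributes) from a serviceValidate body, or raise.
    Attributes are read as the CAS 3.0 slide draws them: un-namespaced children
    of authenticationSuccess (assumption). Anything else fails closed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed response: {exc}") from None
    if root.tag != NS + "serviceResponse":
        raise CasValidationError("unexpected root element " + root.tag)
    failure = root.find(NS + "authenticationFailure")
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(NS + "authenticationSuccess")
    user = success.find(NS + "user") if success is not None else None
    if user is None or not (user.text or "").strip():
        raise CasValidationError("no authenticated user in response")
    attrs = {c.tag: (c.text or "").strip() for c in success if not c.tag.startswith("{")}
    return user.text.strip(), attrs

# Constructed sample bodies, modelled on slides 35-37 (ticket value from the slide).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>marek</cas:user>
    <fullName>Marek Stępniowski</fullName><isAdmin>yes</isAdmin>
  </cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure></cas:serviceResponse>"""
```

The ticket is only ever trusted after the service itself has fetched validate_url and parsed a success; the stdlib parser is used to keep the example self-contained, and a deployment parsing untrusted XML would normally use defusedxml in its place.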
  40. • Django
      https://github.com/zuber/django-cas-provider
      https://github.com/zuber/django-cas-consumer
    • Python
      https://wiki.jasig.org/display/CASC/Pycas
    • Ruby
      http://code.google.com/p/rubycas-server/
      http://code.google.com/p/rubycas-client/
    + many more

  41. • Django
      https://github.com/zuber/django-cas-provider
      https://github.com/zuber/django-cas-consumer
    • Python
      https://wiki.jasig.org/display/CASC/Pycas
    The simplest single sign-on solution available

  44. OpenID: ________

  45. OpenID: stepniowski.com

  46. redirect stepniowski.com

  47. Login: ________ Pass: ________ stepniowski.com

  48. Login: marek Pass: ******** stepniowski.com

  49. redirect (with token) stepniowski.com

  50. check token stepniowski.com

  51. yes|no stepniowski.com

  52. stepniowski.com

  53. FEATURES Strangely similar to CAS

  54. FEATURES
    • Decentralized - you don’t need to store passwords at all
    • Single sign-on but not single sign-in
    • Hard to implement - delegation requires an HTML parser
  55. openid.sreg openid.ax

  56. 2.0

  57. • Django https://github.com/omab/django-social-auth
    • Python https://github.com/openid/python-openid
    • Ruby https://github.com/openid/ruby-openid
    + many more

  58. COMPARISON

    CAS                             OpenID
    • Centralized                   • Decentralized
    • Single sign-on and sign-in    • Only single sign-on
    • Easy to implement             • Hard to implement
    • Attribute exchange (CAS 3.0)  • openid.sreg and openid.ax
    • Single sign-off               • Single sign-off
    • Gateway authentication        • Browser extensions

  60. ASK FOR IT And I will create a separate presentation

  61. MAREK STĘPNIOWSKI @mstepniowski