Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
cybozu.comの認証 / cybozu.com authentication
mwatanabe
December 14, 2016
Technology
0
1k
cybozu.comの認証 / cybozu.com authentication
cybozu tech conference 2016 (
https://cybozutech2016.qloba.com/
) での発表資料です。
mwatanabe
December 14, 2016
Tweet
Share
More Decks by mwatanabe
See All by mwatanabe
Elasticsearch5.0.0で再インデクシングの高速化を探究した話
mwatanabe
2
800
Other Decks in Technology
See All in Technology
Target SDK Versionを上げない Notification runtime permission対応
napplecomputer
0
140
Scrum Fest Osaka 2022 フルリモート下でのチームビルディング
moritamasami
2
1.2k
JJUG2022_spring_Keycloak (Red Hat Single Sign-on)
tinoue
0
200
越境チャレンジの現在地 〜Epic大臣制度の今〜
yousak
0
930
Security Hub のマルチアカウント 管理・運用をサーバレスでやってみる
ch6noota
0
840
The application of formal methods in Kafka reliability engineering
line_developers
PRO
1
180
複数のスクラムチームをサポートするエンジニアリングマネジメントの話
okeicalm
0
1.1k
Custom GitHub Actions by Java
kazamori
0
290
Camp Digital 2022: tailored advice
kyliehavelock
0
150
Implementing Kubernetes operators in Java with Micronaut - TechWeek Java Summit 2022
alvarosanchez
0
120
eBPF for Security Observability
lizrice
0
170
SwiftUI Layout
auramagi
1
110
Featured
See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
27
1.5k
Raft: Consensus for Rubyists
vanstee
126
5.4k
Ruby is Unlike a Banana
tanoku
91
9.2k
Learning to Love Humans: Emotional Interface Design
aarron
261
37k
Three Pipe Problems
jasonvnalue
89
8.7k
Scaling GitHub
holman
451
140k
Teambox: Starting and Learning
jrom
123
7.7k
Optimizing for Happiness
mojombo
365
63k
The World Runs on Bad Software
bkeepers
PRO
57
5.3k
How GitHub (no longer) Works
holman
296
140k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
39
13k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
7
1.1k
Transcript
cybozu.comͷೝূ աڈɺݱࡏɺະདྷ ΞϓϦέʔγϣϯج൫νʔϜɹล ٛ Cybozu Tech Conference 2016
ࣗݾհ • ล ٛʢΘͨͳ·͞Α͠ʣ • ΞϓϦέʔγϣϯج൫νʔϜ ϛυϧΣΞ͔ΒϑϩϯτΤϯυ·Ͱ • 2010ೖࣾ •
ʹΘ͔ւ֎αοΧʔϑΝϯͰ͢
ࠓ͢͜ͱ • cybozu.comͷϩάΠϯػೳ • ෳϓϩμΫτؒͰͷೝূใͷڞ༗ • cybozu.comͷγϯάϧαΠϯΦϯ • ࠓޙͷ՝ͱເͷ͋Δະདྷͷ
cybozu.com • B2BΫϥυαʔϏε • ̍ςφϯτ̍αϒυϝΠϯʢςφϯτ㲈ձࣾʣ • ̍ςφϯτʹෳͷϓϩμΫτ • ϩάΠϯը໘̍ςφϯτʹ͚̍ͭͩ
αϒυϝΠϯͰςφϯτΛ͚Δ
̍ςφϯτෳϓϩμΫτ corpA.cybozu.com
cybozu.comڞ௨ཧ corpA.cybozu.com
cybozu.comͷϩάΠϯ
None
cybozu.comͷϩάΠϯ • Α͋͘Δύεϫʔυೝূ • αϒυϝΠϯදࣔͰςφϯτΛࣝผՄೳ • ಛʹ͍͜͠ͱͯ͠ͳ͍ • ͨͩ͠ϩάΠϯͷηΩϡϦςΟઃఆෳࡶ
ෳࡶͳϩάΠϯͷઃఆ • ೖྗิॿ • ύεϫʔυϙϦγʔ • ΞΧϯτϩοΫΞτ • ηογϣϯ༗ޮظݶ •
SAML • ϩάΠϯࣦഊ࣌ͷϝοηʔδ
ͳͥෳࡶͳͷ͔ • ΦϯϓϨϛεϓϩμΫτͷػೳΛ࠶ݱ • ͍Ζ͍ΖͳاۀͷηΩϡϦςΟཁ݅ʹରԠ ྫ)ཧऀͱҰൠϢʔβʔͰҟͳΔύεϫʔυͷ࠷খจࣈ • ϒϥβͷਐԽʹ͍ෆཁʹͳΓͭͭ͋Δ߲ ͍ͬͯΔ =>
ఆظతͳ͓আ͕ඞཁ ྫ)ϒϥβͷύεϫʔυϚωʔδϟΛ੍ޚ͢Δઃఆ
ෳϓϩμΫτؒͷ ೝূใͷڞ༗
ೝূใͷڞ༗ʁ • ڞ௨ཧͷϩάΠϯը໘ͰϩάΠϯͨ͠Β ͯ͢ͷϓϩμΫτʹΞΫηεՄೳʹ͢Δ͜ͱ • ڞ௨ཧ͔ΒϩάΞτͨ͠Β ͯ͢ͷϓϩμΫτ͔ΒϩάΞτ͞ΕΔ͜ͱ
ݹͷ࣌
ݹͷ࣌
ݹͷ࣌ • ϒϥβͰͷϩάΠϯը໘ڞ௨ཧͷͷ͚ͩ • ΦϯϓϨϛε࣌ΛҾ͖ͣΓɺϓϩμΫτຖʹηογϣϯ ཧʢෳͷηογϣϯΫοΩʔʣ • ΦϨΦϨೝূ࿈ܞΫοΩʔͰϓϩμΫτؒSSO • ϓϩμΫτͷಠࣗΫϥΠΞϯτʢϞόΠϧͳͲʣͦΕͧΕ
Ͱೝূ • ϩάΞτϩάΞτ༻ͷ࿈ܞΫοΩʔΛు͘
ͭΒ͍ɻɻ • ΫοΩʔͰϩάΞτ͢Δʹɺͯ͢ͷϓϩμΫτʹϦΫΤε τඈ͞ͳ͍ͱ͍͚ͳ͍ • ϦΫΤετඈͳ͔ͬͨϓϩμΫτϩάΠϯঢ়ଶ͕ҡ࣋͞ΕΔ • ΦϨΦϨΫοΩʔϫϯλΠϜͰͳ͍ͷͰԿճͰ͑Δ ʢ༗ޮظݶ͋Δʣ •
ೝূܦ࿏͕ͨ͘͞Μ͋ΔͷͰηογϣϯཧ͕Ή͍ͣ ʢϢʔβʔʹඥͮ͘શηογϣϯআͱ͔ʣ
ݱ
ݱ
ݱ • ηογϣϯΫοΩʔΛ̍ͭʹ౷Ұʢڞ௨ηογϣϯʣ • ೝূใΛJSONͰKVSʹอଘͯ͠ϓϩμΫτͱڞ༗ • ڞ௨ηογϣϯͷσʔλΛมߋͰ͖Δͷڞ௨ཧ͚ͩ • ϓϩμΫτڞ௨ηογϣϯʹඥ͍ͮͨಠࣗηογϣϯͷσʔ λΛཧ͢Δ
• ϓϩμΫτͷΤϯυϙΠϯτͰϩάΠϯ͕ඞཁͳ߹ʢϞό ΠϧΞϓϦͳͲʣɺڞ௨ཧͷϩάΠϯAPIʹసૹ͢Δ
ϩάΠϯॲཧͷ౷ҰʹΑΓηογϣϯ ཧՄೳʹ
cybozu.comͷSSO
γϯάϧαΠϯΦϯ • ҰճͷϩάΠϯ͚ͩͰෳͷαʔϏεΛ͑Δ • ϩάΠϯ໊ͱύεϫʔυҰ͚֮ͭͩ͑Εྑ͍ • ଞͷαʔϏεͱcybozu.com͕SSOͰ͖Εخ͍͠ • ଞͷαʔϏεͱܨ͕ΔSSOͷͨΊʹඪ४༷ (SAML)Λcybozu.comʹ࣮ͨ͠
͍Ζ͍Ζܨ͕Δ • New Relic • Jenkins • Artifactory • Redash
ʢྡͷ੮ͷਓ͕SAMLपΓͷPR͛ͯͨʣ • etc…
SAML
SAML • OASIS͕ࡦఆͨ͠ೝূ࿈ܞͷͨΊͷ༷ • ϢʔβʔೝূαʔόʔʢIdentity Provider = IdPʣʹϩάΠϯ͢Δ͚ͩͰOK • Active
Directory Federation Services(ADFS)ΛSAML IdPͱͯ͑͠Δ • ϒϥβΛܦ༝͢Δʢϓϩτίϧ͋ΔʣͷͰcybozu.comͱADFS௨ ৴Ͱ͖ͳͯ͘ྑ͍ • ڵຯ͕͋Δํͪ͜ΒͲ͏ͧ ʮSAMLೝূ͕Ͱ͖Δ·Ͱʯhttp://blog.cybozu.io/entry/4224
SAML ϑϩʔ 1.Ϣʔβ͕cybozu.comʹΞΫηε͢Δ 2.cybozu.com͕SAMLϦΫΤετΛੜ͢Δ 3.Ϣʔβ͕cybozu.com͔ΒSAMLϦΫΤετΛ ड͚औΔ 4.IdP͕ϢʔβΛೝূ͢Δ 5.IdP͕SAMLϨεϙϯεΛੜ͢Δ 6.Ϣʔβ͕IdP͔ΒSAMLϨεϙϯεΛड͚औΔ 7.cybozu.com͕SAMLϨεϙϯεΛड͚औΓݕ
ূ͢Δ 8.SAMLϨεϙϯεͷ༰ʹ͕ͳ͍߹ Ϣʔβʔ͕cybozu.comʹϩάΠϯͨ͠ঢ়ଶʹ ͳΔ https://help.cybozu.com/ja/general/admin/saml_settings.html ΑΓҾ༻
ೝূαʔόʔ(IdP)͕ඞཁ • େ͖ͳاۀͰ͋ΕADFS͕͋Δ߹͋Δ͕ɺ SAMLͷͨΊʹADFSΛಋೖ͢Δͷॏ͍ɻ • ͓खܰʹΔͳΒIDaaSΛ͏ͷ͕ྑͦ͞͏ɻ (Okta, OneLogin, Azure ADͳͲ)
SAML·ͱΊ • SSOʹ͑Δඪ४༷ • ϒϥβΛܦ༝͢ΔͷͰɺೝূαʔόʔͱαʔϏ ε௨৴Ͱ͖ͳͯ͘ྑ͍ • ೝূαʔόʔΛཱͯΔͷେมͳͷͰɺIDaaS͔Β ࢝ΊΔͷ͕ྑ͛͞ •
ΤϯδχΞ͕͖ͳπʔϧ͍Ζ͍Ζܨ͕Δ
ࠓޙͷ՝ ※࣮ͷ༧ఆະఆͰ͢ʂ
ࠓޙͷ՝ • REST APIͷೝূํ͕ࣜಠ༷ࣗͳͷͰ࿈ܞ͕ ͍͠ • ೋཁૉೝূͷબࢶ͕গͳ͍
REST APIͷೝূํࣜ • cybozu.comʹREST API͕͋Δ • ೝূಠࣗͷHTTPϔομʔ • Ϣʔβʔ໊ͱύεϫʔυΛΤϯίʔυ͠ͳ͍ ͱ͍͚ͳ͍
• OAuthͳͲͷඪ४తͳ༷ΛऔΓೖΕ͍ͨ
ೋཁૉೝূ • cybozu.comͰೋཁૉೝূͱͯ͠ΫϥΠΞϯτূ໌ॻ͕͋Δ ͕ɺIPΞυϨε੍ݶΛಥഁ͢ΔͨΊͷཁૉͱͯ͠͏ • ΫϥΠΞϯτূ໌ॻΛWebView͔Β͏ͷΉ͍ͣ ʢϞόΠϧΤϯδχΞஊʣ • TOTPʢGoogle AuthenticatorతͳͭʣͳͲͷɺΑ͋͘Δೋ
ཁૉೝূͷબࢶ͋ͬͯྑ͍ͷͰ • FIDO U2F(ޙड़)ରԠͷυϯάϧ(yubikeyͳͲ)໘നͦ͏
ເͷ͋Δະདྷͷ
ເͷ͋Δະདྷͷ • ਓྨύεϫʔυೝূʹർฐ͍ͯ͠Δ • ύεϫʔυແ͠Ͱೝূͯ͘͠Ε·ͤΜ͔ • FIDO͕͋Δͳ͍͔ʂ
FIDO
FIDO Alliance • ύεϫʔυҎ֎ͷೝূͷ༷Λࡦఆ͍ͯ͠Δ • UAFʢύεϫʔυϨεೝূʣͱU2Fʢೋཁૉೝ ূʣͷ༷Λެ։ • ̎ͭͷ༷Λ·ͱΊͯFIDO2.0ͱ͠ɺͦΕΛجʹ ʮWeb
Authenticationʯͱͯ͠W3CͰ༷ࡦఆத https://www.w3.org/TR/webauthn/
Web Authentication • W3Cͷυϥϑτ • ϒϥβͷରԠঢ়گ·ͩ·ͩͰϓϩμΫτಋೖະདྷͷ͕ͩɻɻ • Windows HelloʢWindowsͷੜମೝূʣରԠͷEdge͔Β͓ࢼ͠ Ͱ͖Δʂ
• ͭ·ΓEdge͔ΒੜମೝূͷػೳΛࢼͤΔͱ͍͏͜ͱ • Web authentication and Windows Hello https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/device/web-authentication/
Windows Hello
Χοͱͳͬͯϓϩτ࣮ͨ͠ • Surface Pro4 • إೝূͰWindows HelloΛ͑Δ • cybozu.comʹإೝূͰϩάΠϯͩʂ •
σϞ͠·͢ 1. windows helloͷإೝূઃఆ 2. cybozu.comʹೝূσόΠεΛొ 3. cybozu.comʹإೝূͰϩάΠϯ
·ͱΊ • cybozu.comͷೝূपΓΛͬ͘͟Γͨ͠ • B2BͰ͍Ζ͍ΖͳηΩϡϦςΟཁ͕݅͋Δ • ΦϯϓϨϛεͷ༷ΛҾ͖ͣΓ͗͢Δͱ௧͍ΛݟΔ • ϩάΠϯॲཧҰՕॴʹ·ͱΊΔͱ֦ு͕༰қ •
Ϋϥυͷ͓खܰͳSSOʹIDaaS͕ྑͦ͞͏ • FIDOະདྷײ͋Δ • Զͨͪͷઓ͍͜Ε͔Βͩ
͓͠·͍