Upgrade to Pro — share decks privately, control downloads, hide ads and more …

cybozu.comの認証 / cybozu.com authentication

mwatanabe
December 14, 2016
Technology
0
1.1k

cybozu.comの認証 / cybozu.com authentication

cybozu tech conference 2016 (https://cybozutech2016.qloba.com/) での発表資料です。

mwatanabe

December 14, 2016
Tweet

More Decks by mwatanabe

See All by mwatanabe
Elasticsearch5.0.0で再インデクシングの高速化を探究した話
mwatanabe
2
810

Other Decks in Technology

See All in Technology
Raspberry Pi Camera 3 介紹
piepie_tw
PRO
0
140
私見「UNIXの考え方」/20230124-kameda-unix-phylosophy
opelab
0
160
AI Services 概要 / AI Services overview
oracle4engineer
PRO
0
170
cdk deployに必要な権限ってなんだ?
kinyok
0
160
SignalR を使ったアプリケーション開発をより快適に!
nenonaninu
0
610
AI Builderについて
miyakemito
0
890
Hatena Engineer Seminar #23 「チームとプロダクトを育てる Mackerel 開発合宿」
arthur1
0
370
オンプレk8sとEKSの並行運用の実際
ch1aki
0
260
NGINXENG JP#2 - 3-NGINX Plus・プロダクトのアップデート
hiropo20
0
220
Airdrop for Open Source Projects
epicsdao
0
670
ラズパイとGASで加湿器の消し忘れをLINEでリマインド&操作
minako__ph
0
140
Multi-Cloud Gatewayでデータを統治せよ!/ Data Federation with MCG
tutsunom
1
220

Featured

See All Featured
How GitHub Uses GitHub to Build GitHub
holman
465
280k
Build The Right Thing And Hit Your Dates
maggiecrowley
22
1.4k
Atom: Resistance is Futile
akmur
256
24k
A designer walks into a library…
pauljervisheath
199
16k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
4 Signs Your Business is Dying
shpigford
171
20k
Building an army of robots
kneath
301
40k
How to name files
jennybc
47
73k
Reflections from 52 weeks, 52 projects
jeffersonlam
338
18k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
128
8.8k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k

Transcript

  1. cybozu.comͷೝূ աڈɺݱࡏɺະདྷ ΞϓϦέʔγϣϯج൫νʔϜɹ౉ล ੓ٛ Cybozu Tech Conference 2016

  2. ࣗݾ঺հ • ౉ล ੓ٛʢΘͨͳ΂·͞Α͠ʣ • ΞϓϦέʔγϣϯج൫νʔϜ
 ϛυϧ΢ΣΞ͔ΒϑϩϯτΤϯυ·Ͱ • 2010೥ೖࣾ •

    ʹΘ͔ւ֎αοΧʔϑΝϯͰ͢ 

  3. ࠓ೔࿩͢͜ͱ • cybozu.comͷϩάΠϯػೳ • ෳ਺ϓϩμΫτؒͰͷೝূ৘ใͷڞ༗ • cybozu.comͷγϯάϧαΠϯΦϯ • ࠓޙͷ՝୊ͱເͷ͋Δະདྷͷ࿩ 

  4. cybozu.com • B2BΫϥ΢υαʔϏε • ̍ςφϯτ̍αϒυϝΠϯʢςφϯτ㲈ձࣾʣ • ̍ςφϯτ಺ʹෳ਺ͷϓϩμΫτ • ϩάΠϯը໘͸̍ςφϯτʹ͚̍ͭͩ 

  5. αϒυϝΠϯͰςφϯτΛ෼͚Δ 

  6. ̍ςφϯτෳ਺ϓϩμΫτ  corpA.cybozu.com

  7. cybozu.comڞ௨؅ཧ  corpA.cybozu.com

  8. cybozu.comͷϩάΠϯ

  9. None

  10. cybozu.comͷϩάΠϯ • Α͋͘Δύεϫʔυೝূ • αϒυϝΠϯදࣔͰςφϯτΛࣝผՄೳ • ಛʹ೉͍͜͠ͱ͸ͯ͠ͳ͍ • ͨͩ͠ϩάΠϯͷηΩϡϦςΟઃఆ͸ෳࡶ 

  11. ෳࡶͳϩάΠϯͷઃఆ • ೖྗิॿ • ύεϫʔυϙϦγʔ • ΞΧ΢ϯτϩοΫΞ΢τ • ηογϣϯ༗ޮظݶ •

    SAML • ϩάΠϯࣦഊ࣌ͷϝοηʔδ 

  12. ͳͥෳࡶͳͷ͔ • ΦϯϓϨϛεϓϩμΫτͷػೳΛ࠶ݱ • ͍Ζ͍ΖͳاۀͷηΩϡϦςΟཁ݅ʹରԠ
 ྫ)؅ཧऀͱҰൠϢʔβʔͰҟͳΔύεϫʔυͷ࠷খจࣈ਺ • ϒϥ΢βͷਐԽʹ൐͍ෆཁʹͳΓͭͭ͋Δ߲ ໨΋࢒͍ͬͯΔ =>

    ఆظతͳ͓૟আ͕ඞཁ
 ྫ)ϒϥ΢βͷύεϫʔυϚωʔδϟΛ੍ޚ͢Δઃఆ 

  13. ෳ਺ϓϩμΫτؒͷ ೝূ৘ใͷڞ༗

  14. ೝূ৘ใͷڞ༗ʁ • ڞ௨؅ཧͷϩάΠϯը໘ͰϩάΠϯͨ͠Β
 ͢΂ͯͷϓϩμΫτʹΞΫηεՄೳʹ͢Δ͜ͱ • ڞ௨؅ཧ͔ΒϩάΞ΢τͨ͠Β
 ͢΂ͯͷϓϩμΫτ͔ΒϩάΞ΢τ͞ΕΔ͜ͱ 

  15. ݹͷ࣌୅

  16. ݹͷ࣌୅ 

  17. ݹͷ࣌୅ • ϒϥ΢βͰͷϩάΠϯը໘͸ڞ௨؅ཧͷ΋ͷ͚ͩ • ΦϯϓϨϛε࣌୅ΛҾ͖ͣΓɺϓϩμΫτຖʹηογϣϯ؅ ཧʢෳ਺ͷηογϣϯΫοΩʔʣ • ΦϨΦϨೝূ࿈ܞΫοΩʔͰϓϩμΫτؒSSO • ϓϩμΫτͷಠࣗΫϥΠΞϯτʢϞόΠϧͳͲʣ͸ͦΕͧΕ

    Ͱೝূ • ϩάΞ΢τ͸ϩάΞ΢τ༻ͷ࿈ܞΫοΩʔΛు͘ 

  18. ͭΒ͍ɻɻ • ΫοΩʔͰϩάΞ΢τ͢Δʹ͸ɺ͢΂ͯͷϓϩμΫτʹϦΫΤε τඈ͹͞ͳ͍ͱ͍͚ͳ͍ • ϦΫΤετඈ͹ͳ͔ͬͨϓϩμΫτ͸ϩάΠϯঢ়ଶ͕ҡ࣋͞ΕΔ • ΦϨΦϨΫοΩʔ͸ϫϯλΠϜͰ͸ͳ͍ͷͰԿճͰ΋࢖͑Δ
 ʢ༗ޮظݶ͸͋Δʣ •

    ೝূܦ࿏͕ͨ͘͞Μ͋ΔͷͰηογϣϯ؅ཧ͕Ή͍ͣ
 ʢϢʔβʔʹඥͮ͘શηογϣϯ࡟আͱ͔ʣ 

  19. ݱ୅

  20. ݱ୅ 

  21. ݱ୅ • ηογϣϯΫοΩʔΛ̍ͭʹ౷Ұʢڞ௨ηογϣϯʣ • ೝূ৘ใΛJSONͰKVSʹอଘͯ͠ϓϩμΫτͱڞ༗ • ڞ௨ηογϣϯͷσʔλΛมߋͰ͖Δͷ͸ڞ௨؅ཧ͚ͩ • ϓϩμΫτ͸ڞ௨ηογϣϯʹඥ͍ͮͨಠࣗηογϣϯͷσʔ λΛ؅ཧ͢Δ

    • ϓϩμΫτͷΤϯυϙΠϯτͰϩάΠϯ͕ඞཁͳ৔߹ʢϞό ΠϧΞϓϦͳͲʣ͸ɺڞ௨؅ཧͷϩάΠϯAPIʹసૹ͢Δ 

  22. ϩάΠϯॲཧͷ౷ҰʹΑΓηογϣϯ؅ ཧ΋Մೳʹ 

  23. cybozu.comͷSSO

  24. γϯάϧαΠϯΦϯ • ҰճͷϩάΠϯ͚ͩͰෳ਺ͷαʔϏεΛ࢖͑Δ • ϩάΠϯ໊ͱύεϫʔυ͸Ұ͚֮ͭͩ͑Ε͹ྑ͍ • ଞͷαʔϏεͱcybozu.com͕SSOͰ͖Ε͹خ͍͠ • ଞͷαʔϏεͱܨ͕ΔSSOͷͨΊʹඪ४࢓༷ (SAML)Λcybozu.comʹ࣮૷ͨ͠

    

  25. ͍Ζ͍Ζܨ͕Δ • New Relic • Jenkins • Artifactory • Redash


    ʢྡͷ੮ͷਓ͕SAMLपΓͷPR౤͛ͯͨʣ • etc… 

  26. SAML

  27. SAML • OASIS͕ࡦఆͨ͠ೝূ࿈ܞͷͨΊͷ࢓༷ • Ϣʔβʔ͸ೝূαʔόʔʢIdentity Provider = IdPʣʹϩάΠϯ͢Δ͚ͩͰOK • Active

    Directory Federation Services(ADFS)ΛSAML IdPͱͯ͠࢖͑Δ • ϒϥ΢βΛܦ༝͢Δʢϓϩτίϧ΋͋ΔʣͷͰcybozu.comͱADFS͸௚઀௨ ৴Ͱ͖ͳͯ͘΋ྑ͍ • ڵຯ͕͋Δํ͸ͪ͜Β΋Ͳ͏ͧ
 ʮSAMLೝূ͕Ͱ͖Δ·Ͱʯhttp://blog.cybozu.io/entry/4224 

  28. SAML ϑϩʔ 1.Ϣʔβ͕cybozu.comʹΞΫηε͢Δ 2.cybozu.com͕SAMLϦΫΤετΛੜ੒͢Δ 3.Ϣʔβ͕cybozu.com͔ΒSAMLϦΫΤετΛ ड͚औΔ 4.IdP͕ϢʔβΛೝূ͢Δ 5.IdP͕SAMLϨεϙϯεΛੜ੒͢Δ 6.Ϣʔβ͕IdP͔ΒSAMLϨεϙϯεΛड͚औΔ 7.cybozu.com͕SAMLϨεϙϯεΛड͚औΓݕ

    ূ͢Δ 8.SAMLϨεϙϯεͷ಺༰ʹ໰୊͕ͳ͍৔߹͸ Ϣʔβʔ͕cybozu.comʹϩάΠϯͨ͠ঢ়ଶʹ ͳΔ  https://help.cybozu.com/ja/general/admin/saml_settings.html ΑΓҾ༻

  29. ೝূαʔόʔ(IdP)͕ඞཁ • େ͖ͳاۀͰ͋Ε͹ADFS͕͋Δ৔߹΋͋Δ͕ɺ SAMLͷͨΊʹADFSΛಋೖ͢Δͷ͸ॏ͍ɻ • ͓खܰʹ΍ΔͳΒIDaaSΛ࢖͏ͷ͕ྑͦ͞͏ɻ
 (Okta, OneLogin, Azure ADͳͲ)

    

  30. SAML·ͱΊ • SSOʹ࢖͑Δඪ४࢓༷ • ϒϥ΢βΛܦ༝͢ΔͷͰɺೝূαʔόʔͱαʔϏ ε͸௚઀௨৴Ͱ͖ͳͯ͘΋ྑ͍ • ೝূαʔόʔΛཱͯΔͷ͸େมͳͷͰɺIDaaS͔Β ࢝ΊΔͷ͕ྑ͛͞ •

    ΤϯδχΞ͕޷͖ͳπʔϧ΋͍Ζ͍Ζܨ͕Δ 

  31. ࠓޙͷ՝୊ ※࣮૷ͷ༧ఆ͸ະఆͰ͢ʂ

  32. ࠓޙͷ՝୊ • REST APIͷೝূํ͕ࣜಠࣗ࢓༷ͳͷͰ࿈ܞ͕ ೉͍͠ • ೋཁૉೝূͷબ୒ࢶ͕গͳ͍ 

  33. REST APIͷೝূํࣜ • cybozu.comʹ͸REST API͕͋Δ • ೝূ͸ಠࣗͷHTTPϔομʔ • Ϣʔβʔ໊ͱύεϫʔυΛΤϯίʔυ͠ͳ͍ ͱ͍͚ͳ͍

    • OAuthͳͲͷඪ४తͳ࢓༷ΛऔΓೖΕ͍ͨ 

  34. ೋཁૉೝূ • cybozu.comͰ͸ೋཁૉೝূͱͯ͠ΫϥΠΞϯτূ໌ॻ͕͋Δ ͕ɺIPΞυϨε੍ݶΛಥഁ͢ΔͨΊͷཁૉͱͯ͠࢖͏ • ΫϥΠΞϯτূ໌ॻΛWebView͔Β࢖͏ͷ͸Ή͍ͣ
 ʢϞόΠϧΤϯδχΞஊʣ • TOTPʢGoogle Authenticatorతͳ΍ͭʣͳͲͷɺΑ͋͘Δೋ

    ཁૉೝূͷબ୒ࢶ΋͋ͬͯྑ͍ͷͰ͸ • FIDO U2F(ޙड़)ରԠͷυϯάϧ(yubikeyͳͲ)΋໘നͦ͏ 

  35. ເͷ͋Δະདྷͷ࿩

  36. ເͷ͋Δະདྷͷ࿩ • ਓྨ͸ύεϫʔυೝূʹർฐ͍ͯ͠Δ • ύεϫʔυແ͠Ͱೝূͯ͘͠Ε·ͤΜ͔ • FIDO͕͋Δ΍ͳ͍͔ʂ 

  37. FIDO

  38. FIDO Alliance • ύεϫʔυҎ֎ͷೝূͷ࢓༷Λࡦఆ͍ͯ͠Δ • UAFʢύεϫʔυϨεೝূʣͱU2Fʢೋཁૉೝ ূʣͷ࢓༷Λެ։ • ̎ͭͷ࢓༷Λ·ͱΊͯFIDO2.0ͱ͠ɺͦΕΛجʹ ʮWeb

    Authenticationʯͱͯ͠W3CͰ࢓༷ࡦఆத 
 https://www.w3.org/TR/webauthn/ 

  39. Web Authentication • W3Cͷυϥϑτ • ϒϥ΢βͷରԠঢ়گ͸·ͩ·ͩͰϓϩμΫτಋೖ͸ະདྷͷ࿩͕ͩɻɻ • Windows HelloʢWindowsͷੜମೝূʣରԠ୺຤ͷEdge͔Β͓ࢼ͠ Ͱ͖Δʂ

    • ͭ·Γ͸Edge͔ΒੜମೝূͷػೳΛࢼͤΔͱ͍͏͜ͱ • Web authentication and Windows Hello
 https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/device/web-authentication/ 

  40. Windows Hello 

  41. Χοͱͳͬͯϓϩτ࣮૷ͨ͠ • Surface Pro4 • إೝূͰWindows HelloΛ࢖͑Δ • cybozu.comʹإೝূͰϩάΠϯͩʂ •

    σϞ͠·͢
 1. windows helloͷإೝূઃఆ
 2. cybozu.comʹೝূσόΠεΛొ࿥
 3. cybozu.comʹإೝূͰϩάΠϯ 

  42. ·ͱΊ • cybozu.comͷೝূपΓΛͬ͘͟Γ࿩ͨ͠ • B2BͰ͸͍Ζ͍ΖͳηΩϡϦςΟཁ͕݅͋Δ • ΦϯϓϨϛεͷ࢓༷ΛҾ͖ͣΓ͗͢Δͱ௧͍໨ΛݟΔ • ϩάΠϯॲཧ͸ҰՕॴʹ·ͱΊΔͱ֦ு͕༰қ •

    Ϋϥ΢υͷ͓खܰͳSSOʹ͸IDaaS͕ྑͦ͞͏ • FIDO͸ະདྷײ͋Δ • Զͨͪͷઓ͍͸͜Ε͔Βͩ 

  43. ͓͠·͍