Single Sign On in Ruby - Enterprise Ready!

Transcript

1. Single Sign On Enterprizzzey ready! Nikos Dimitrakopoulos | @nikosd

2. Single Sign On (really) • Centralized (almost) authentication • Login

   once - be logged-in in multiple services • More than just "no password required" • Single Log Out • Actual "authenticator" can be an outsider (Facebook, Twitter, or whatever...)

3. shamelessy stolen from http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on- solution/

4. Additional specs • KISS (reaaaaally simple) • DRY • Modular

   • Extensible • Ruby!

5. Components • Standard • Ruby implementation for standard • An

   actual *abstract* server

6. Standards • OpenID • OAuth • CAS • Shibboleth •

   SAML • Custom

7. OpenID • Decentralization of authentication • Not about Single Sign

   On

8. Standards • OpenID • OAuth • CAS • Shibboleth •

   SAML • Custom

9. OAuth • Authorization • NOT authentication

10. Standards • OpenID • OAuth • CAS • Shibboleth •

    SAML • Custom

11. CAS • Not bad... • With a lot of free

    implementations : ◦ RubyCAS-Server ◦ Jasig CAS (Java) ◦ ... ◦

12. Standards • OpenID • OAuth • CAS • Shibboleth •

    SAML • Custom

13. Shibboleth • Actually got integrated in SAML 2.0...

14. Standards • OpenID • OAuth • CAS • Shibboleth •

    SAML 2.0 • Custom

15. SAML (2.0) • Complex • XML based • (Unhappy face

    here...)

16. SAML (2.0) • Complex • XML based • (Unhappy face

    here...) But : • Really the only de-facto standard • Implemented / supported by : ◦ Google ◦ Microsoft ◦ Oracle ◦ ...

17. Standards • OpenID • OAuth • CAS • Shibboleth •

    SAML 2.0 • Custom

18. Custom • http://merbist.com/2012/04/04/building-and- implementing-a-single-sign-on-solution/ • http://blog.joshsoftware. com/2010/12/16/multiple-applications-with- devise-omniauth-and-single-sign-on/ No thanks...

19. Standards • OpenID • OAuth • CAS • Shibboleth •

    SAML 2.0 • Custom

20. CAS vs SAML 2.0 • Let's go for the interoperability....

    • And yes, I suck at XML

21. Standards • OpenID • OAuth • CAS • Shibboleth •

    SAML 2.0 • Custom

22. RSAML • Wrapper library around SAML 2.0 • Pure ruby

    • Most of the functionality required • Untouched for 2 years • Now maintained at github.com:rsaml/rsaml • Missing some functionality...

23. Server (codename "russo") • The actual "server" thing • WIP

    (unreleased code yet)

24. Russo • Rails 3 engine • Reeeeeaaally KISS • Actually

    HTTP to SAML 2.0 library • SAML 2.0 logic in RSAML • No actual auth logic inside : ◦ Do it on the mounted app ◦ Use OmniAuth!!!

25. Russo • Status : Core functionality should be there during

    this week • Use cases : Pretty open since most of the functionality is done on the mounted app • Learning curve : Pretty high - understanding SAML is required

26. Why this presentation??? Please help!!! :) • Finish up RSAML

    ◦ XML Signing ◦ Unimplemented features • Complete Russo ◦ Single Log Out ◦ Support for other use cases ◦ Documentation