Single Sign On with Inspiring Flow 2013 

@hlubek Christopher Hlubek 

Work 

TYPO3 Flow Surf Neos ... 

Sign-On Sign-In Authentication Authorization Single-Sign-On 

Authentication 

Who ? >Identity 

j.doe ****** Login j.doe 

Username / Password over and over ... 

What do we repeat in every new webapp? 

= + 

„Can we store all accounts centrally and login once and forever?“ [enter customer name here] quote 

Service oriented apps Large Monolithic Unmaintainable App monster Focussed Clean Small Service Apps 

Requirements Seamless login Flow integration Server and client Expiration sync 

Existing SSO solutions CAS Shibboleth SAML 2.0 OpenId OAuth 

Peek into the SAML 2.0 spec 

No content

We built a custom solution... 

Why? Ease of use Reduce complexity Flexibility 

Flowpack.SingleSignOn.* 

In cooperation with Robert Lemke 

Basic architecture Flow app SSO Server package Your domain package The

A roundtrip 

Server Instance 1 access secured resource 2 redirect to server authenticate 3 5 redeem token 4 redirect back 6 redirect to secured res. 

Confused? 

Demo 

Some more detail 

Server Server key pair Service base URI > server identifier Client 1 Public key Service base Client 2 Public key Service base Stored

Client Client key pair Service base URI > client identifier Stored

Server Instance 2 redirect to server /sso/authentication?originalUri=...&ssoClientIdentifier=...&signature=... RSA signing of requests 

Server authenticate 3 Use existing authentication providers 

Server Instance 4 redirect back Encrypted access token for server-side data transfer /sso/authentication/callback?originalUri=...&accessToken=...&signature=... 

Server Instance 5 redeem token Server-side signed request Validates token Get account data from server POST /sso/token/jNkmyO6oC1gm4xozKt1FR579/redeem 

Instance 6 redirect to secured res. Create / get account from data Authenticated! 

Features 

It works ;) 

Flow security framework integration 

SSO on instance is just a provider with entry point 

Re-use existing providers on SSO server LDAP UsernamePassword OpenID 

Flexible account data mapping 

Expiration synchronization 

Single-Sign-Off 

Account switching on server 

Uses advanced Flow SessionTM 

Sessions of instances can be destroyed remotely 

Sessions on server are fully manageable 

Sessions can use existing Cache backends Redis Riak Memcached ... 

Development 

Quality assurance 

Tests... 

1 Acceptance tests with Behat 

Feature: Instance Login with Single Sign-On In order to access a secured resource on an instance (some web application) As a user of the instance I need to be able to log in using my central user account on the SSO server Background: Given I am not authenticated on the server or the instance Scenario: Protected resource on instance redirects to server login Given I am on the instance homepage When I click on the link "Go to secure action" Then I should be redirected to the server And I should see a login form Scenario: Login on server with correct credentials redirects to original URI Given I am on the instance homepage And I click on the link "Go to secure action" When I fill in "Username" with "admin" And I fill in "Password" with "password" And I press "Login" Then I should be redirected to the instance And the URI should not contain SSO parameters Scenario: Login forwards account information to instance Given I am on the instance homepage 

2 Unit and functional tests 

Demo setup with Vagrant and Chef Solo 

Status and outlook 

Currently in integration into customer project 

Missing some bits: mostly Documentation 

Integration into external systems Maybe with SAML? 

Thank you!