We describe what Single Sign-On is, why we decided to implement it, how we did it at our company, and what it gave us in terms of UX, security and developer happiness.
2. OUR ROAD TO SINGLE SIGN-ON
Maciej Szkamruk (@ex3v)
• backend dev@activation team
• joined DP ~1.5 years ago
• huge fan of cooking, cheap memes and code that really helps people
Tomasz Wojcik (@prgTW)
• backend dev@CRM team
• been with DP since dinosaurs
• worships Grumpy Cat, morning coffee and code reviews in the middle of the night
WHO ARE WE?
3. OUR ROAD TO SINGLE SIGN-ON
We are
We help people find doctors online
WHO ARE WE?
5. OUR ROAD TO SINGLE SIGN-ON
HOW IT ALL STARTED | HISTORY
• branched off from GoldenLine
• founded to share opinions about doctors
• ads were the only source of income
• about 5 people onboard
6. OUR ROAD TO SINGLE SIGN-ON
CALENDAR - MVP THAT GOT SERIOUS | HISTORY
• first step: mockups only
• visitors were curious about it… therefore MVP
• first deals with doctors
• 2k visits booked during 1st quarter
7. OUR ROAD TO SINGLE SIGN-ON
~4 years ago: 2k visits booked during 1st quarter
today: 2k visits booked every few hours!
BEFORE VS. NOW | HISTORY
9. OUR ROAD TO SINGLE SIGN-ON
Poland
FIRST MARKET | HISTORY
10. OUR ROAD TO SINGLE SIGN-ON
Poland
Colombia
Spain
Hungary
Peru
Argentina
Brazil
Czech Republic
Germany
Sweden
Ukraine
Austria
Bulgaria
France
India
Italy
Portugal
South Africa
Chile
Turkey
Mexico
Russia
Slovakia
CURRENT MARKETS | HISTORY
11. OUR ROAD TO SINGLE SIGN-ON
• over 100GB of production data
• 17M requests and 100GB of logs every day
• ~2.7M SLOC & 10k new SLOCs every week
• about 30 folks in IT & Product
LET’S TALK NUMBERS | HISTORY
12. OUR ROAD TO SINGLE SIGN-ON
LET’S TALK MONEY | HISTORY
• every startup needs money to grow
• a few financing rounds, $34M raised in total
• $20M raised in last (series C) round
14. OUR ROAD TO SINGLE SIGN-ON
DocPlanner + Doctoralia
DOCTORALIA MERGE | HISTORY
15. OUR ROAD TO SINGLE SIGN-ON
DocPlanner: relational, PHP, monolith
Doctoralia: mostly non-relational, C#, split into a few apps
DOCTORALIA MERGE | HISTORY
16. OUR ROAD TO SINGLE SIGN-ON
OK, BUT WHERE’S SSO IN IT?
17. OUR ROAD TO SINGLE SIGN-ON
FROM MONOLITH TO MICROSERVICES | SSO
The Ugly Monolith
18. OUR ROAD TO SINGLE SIGN-ON
• DocPlanner is getting slower
• ~2.7M lines of code
• we want coherence between DocPlanner and Doctoralia
FROM MONOLITH TO MICROSERVICES | SSO
19. OUR ROAD TO SINGLE SIGN-ON
Modules living in the monolith: CRM, Opinions, Admin tools, Search, Profile, Moderation, Calendar, Integrations, API, Questions & Answers, Mobile
Shared by all of them, in the same codebase:
• Authorization
• Authentication (Form, FB, VK, LDAP, GApps: login form, Facebook, VK, LDAP and Google Apps)
FROM MONOLITH TO MICROSERVICES | SSO
23. OUR ROAD TO SINGLE SIGN-ON
Authentication: is it really me? (who is making the request)
Authorization: am I allowed (authorized) to do that? (what that identity may do)
AUTHENTICATION VS. AUTHORIZATION | SSO
24. OUR ROAD TO SINGLE SIGN-ON
After the split, every service first carried its own Authorization and Authentication: Calendar/Integrations, Q & A, Search/Profile, CRM, Opinions/Moderation, Admin tools
FROM MONOLITH TO MICROSERVICES | SSO
25. OUR ROAD TO SINGLE SIGN-ON
... and each with its own set of login methods:
• Calendar/Integrations: LDAP
• Q & A: Form, FB, VK
• Search/Profile: Form, FB, VK
• CRM: LDAP, GApps
• Opinions/Moderation: Form, FB, VK
• Admin tools: LDAP, GApps
FROM MONOLITH TO MICROSERVICES | SSO
26. OUR ROAD TO SINGLE SIGN-ON
Target: Authorization stays inside each service (Search/Profile, CRM, Calendar/Integrations, Opinions/Moderation, Q & A, Admin tools); Authentication with all of its login methods (Form, FB, VK, LDAP, GApps) moves into one shared component
FROM MONOLITH TO MICROSERVICES | SSO
27. OUR ROAD TO SINGLE SIGN-ON
A single place to log in to multiple applications
(those that are compatible with this Single Sign-On)
WHAT IS A SINGLE SIGN-ON | SSO
28. OUR ROAD TO SINGLE SIGN-ON
FROM MONOLITH TO MICROSERVICES | SSO
SRP: Single Responsibility Principle
1. SSO is the only place that authenticates clients and users
2. Other apps and microservices shouldn't care about authentication: they receive an already-authenticated identity and decide only on authorization
30. OUR ROAD TO SINGLE SIGN-ON
FROM MONOLITH TO MICROSERVICES | SSO
Multiple login methods → SSO Auth → Domain apps or microservices
31. OUR ROAD TO SINGLE SIGN-ON
FROM MONOLITH TO MICROSERVICES | SSO
MUCH LOGIN METHODS. WOW.
32. OUR ROAD TO SINGLE SIGN-ON
HOW TO ACHIEVE THE GOAL
(CHALLENGE WEEK)
33. OUR ROAD TO SINGLE SIGN-ON
• product folks want something done
• we (devs) want something done
• tech requirements
• tech debt
REASONS FOR NEW FEATURES | CHALLENGE WEEK
34. OUR ROAD TO SINGLE SIGN-ON
THE CONCEPT | CHALLENGE WEEK
• find something you want to do
• find a companion
• one week for planning
• one week for coding
• summary day
Our challenge-week card: SSO, Me & Tomek, planning checked, goal: MVP
35. OUR ROAD TO SINGLE SIGN-ON
IMPLEMENTATION
(FORDEC PROCEDURE: Facts, Options, Risks & benefits, Decide, Execute, Check)
36. OUR ROAD TO SINGLE SIGN-ON
FACTS | FORDEC PROCEDURE
• serious plans for building microservices
• authentication layer needs to be decoupled from monolith
• authentication must work in SPAs
• authentication must work in APIs
• ability to log in via 3rd parties (Facebook, LDAP, GApps etc.)
• keeping user data in-house is preferred
• 1-week time limit
38. OUR ROAD TO SINGLE SIGN-ON
RISKS & BENEFITS | FORDEC PROCEDURE
SAAS / INSTALLED SAAS
• a certain amount of the job already done
• learning curve
• possible limitations
• latency
• possible cost-inefficiency
• end-of-life problems (e.g. xpect.io)
PROPRIETARY SOLUTION
• known technologies
• full control over data
• build from scratch
• security benefits
• maintenance time
39. OUR ROAD TO SINGLE SIGN-ON
DECIDE | FORDEC PROCEDURE
We decided to build our own solution after all
(there’s always a way to switch to SaaS if needed)
40. OUR ROAD TO SINGLE SIGN-ON
(sequence diagram between Client, Microservice, SSO and 3rd party)
EXECUTE | FORDEC PROCEDURE
46. OUR ROAD TO SINGLE SIGN-ON
PROS
• no additional requests: the microservice checks the token's signature locally instead of asking SSO on every call
• SPA friendly
• easily interchangeable with an access token
• reuses the "Authorization: Bearer [token]" header
CONS
• unaware of changes: the claims are a snapshot taken when the token was issued
• valid until its exp claim; with no exp it is valid forever
• cannot be invalidated before expiry unless the services keep server-side state (a revocation list) or the tokens are short-lived
JWT PROS & CONS | EXECUTE | FORDEC PROCEDURE
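The JWT checks above, and the SRP rule that SSO is the only place that authenticates while each service only authorizes, as an added example (not code from the deck or from DocPlanner's SSO): a minimal HS256 issue/verify pair using only Python's standard library. The secret, claim names and the `revoked_jti` set are assumptions made for the example; the denylist is exactly the server-side state that "cannot be invalidated" refers to, and what a logout-from-many-services feature needs once sessions are JWTs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: an HS256 secret shared by the SSO and the
# microservice. With RS256/ES256 the services would hold only the public key
# and could not mint tokens themselves, which is the safer split.
SECRET = b"example-shared-secret-do-not-use-in-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """SSO side: the only place that authenticates, so the only place that signs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "." +
        _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_token(token: str, revoked_jti, now=None, secret: bytes = SECRET) -> dict:
    """Microservice side: validate 'Authorization: Bearer <token>' without any
    call to SSO. Each check below covers one of the cons listed on the slide."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    # "valid forever" is exactly what happens when exp is missing: refuse such tokens.
    if "exp" not in claims:
        raise TokenError("token has no exp")
    if now >= claims["exp"]:
        raise TokenError("expired")
    # "cannot be invalidated": logout-everywhere or a ban needs this server-side
    # denylist, keyed by jti and kept only until the token would expire anyway.
    if claims.get("jti") in revoked_jti:
        raise TokenError("revoked")
    return claims


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization stays in the service: decide on the identity SSO asserted."""
    return required_role in claims.get("roles", [])
```

The order matters: algorithm pinned and signature verified before any claim is read, then expiry, then the revocation list. Because the denylist only needs to remember a jti until its exp, short-lived tokens keep that state small; a token without exp would have to be remembered forever, which is why the verifier rejects it outright.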
47. OUR ROAD TO SINGLE SIGN-ON
EXAMPLE STACK | EXECUTE | FORDEC PROCEDURE
• Symfony 3
• FOSOAuthServerBundle - for integrating microservices with SSO
• HWIOAuthBundle - for integrating SSO with 3rd parties
• NelmioCorsBundle - for allowing SPAs served from other origins to communicate with SSO
49. OUR ROAD TO SINGLE SIGN-ON
DEPLOYMENT STRATEGY | EXECUTE | FORDEC PROCEDURE
in-house tests → feedback → adjustments →
few smaller markets → feedback → adjustments →
big market → feedback → adjustments →
everywhere
51. OUR ROAD TO SINGLE SIGN-ON
GATEKEEPER | EXECUTE | FORDEC PROCEDURE
GateKeeper
52. OUR ROAD TO SINGLE SIGN-ON
• manages every state of a feature:
  • disabled
  • enabled in-house
  • enabled everywhere
• separated by locale
• state switch takes seconds
• syncs with app caches
GATEKEEPER | EXECUTE | FORDEC PROCEDURE
53. OUR ROAD TO SINGLE SIGN-ON
GATEKEEPER - HOW TO USE IT? | EXECUTE | FORDEC PROCEDURE
54. OUR ROAD TO SINGLE SIGN-ON
GATEKEEPER | EXECUTE | FORDEC PROCEDURE
• available on GitHub (ZnanyLekarz/GateKeeper)
• lightweight and cached
• integrated with Symfony
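How the three GateKeeper states can drive the staged login rollout from the previous slides, as an added Python example that is not GateKeeper's own (PHP) code or API: feature state kept per locale, "in-house" decided from the client address, and the legacy login form as the fallback whenever the gate is closed. The office network ranges, locale codes, feature name and version counter are assumptions made for the example.

```python
import ipaddress
from enum import Enum


class State(Enum):
    DISABLED = "disabled"
    IN_HOUSE = "in_house"      # only requests from inside the company see the feature
    EVERYWHERE = "everywhere"


# Constructed for this example: address ranges that count as "in-house".
OFFICE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def is_in_house(client_ip: str) -> bool:
    """True only for a parsable address inside one of the office ranges."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable address is never trusted as in-house
    return any(ip in net for net in OFFICE_NETWORKS)


class FeatureGate:
    """State per (feature, locale). Anything not configured is DISABLED: fail closed."""

    def __init__(self):
        self._states = {}  # {feature: {locale: State}}
        self.version = 0   # bumped on every switch so app caches know to refresh

    def set_state(self, feature: str, locale: str, state: State) -> None:
        self._states.setdefault(feature, {})[locale] = state
        self.version += 1

    def is_enabled(self, feature: str, locale: str, client_ip: str) -> bool:
        state = self._states.get(feature, {}).get(locale, State.DISABLED)
        if state is State.EVERYWHERE:
            return True
        if state is State.IN_HOUSE:
            return is_in_house(client_ip)
        return False


def login_entry_point(gate: FeatureGate, locale: str, client_ip: str) -> str:
    """Which login flow a request gets while SSO is rolled out market by market."""
    return "sso" if gate.is_enabled("sso_login", locale, client_ip) else "legacy_form"


def rollout_snapshot() -> FeatureGate:
    """Constructed mid-rollout state: live in two smaller markets, still
    in-house only in the big market, untouched (so disabled) everywhere else."""
    gate = FeatureGate()
    gate.set_state("sso_login", "cz", State.EVERYWHERE)
    gate.set_state("sso_login", "sk", State.EVERYWHERE)
    gate.set_state("sso_login", "pl", State.IN_HOUSE)
    return gate
```

Two details are deliberate: a feature or locale that was never configured resolves to DISABLED rather than to a default-on, and the "in-house" decision depends on the client address the application actually trusts. Behind a proxy or load balancer that means the address the proxy sets, not a client-supplied X-Forwarded-For header, otherwise anyone can opt into the in-house stage.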
56. OUR ROAD TO SINGLE SIGN-ON
USER EXPERIENCE | BENEFITS
• entry point for Doctoralia
• consistent flow
• process transparency
• single-click login is a time saver
• log in to every microservice via 3rd-party identity providers
• users and employees happier
57. OUR ROAD TO SINGLE SIGN-ON
SECURITY | BENEFITS
• only 1 place where users are prompted for their passwords
• microservices never see users' credentials
• a place to manage users’ accounts and login sessions
• ability to logout from many services at once
• easy user/application banning
58. OUR ROAD TO SINGLE SIGN-ON
DEVELOPER EXPERIENCE | BENEFITS
• fun and satisfaction :)
• separated codebase
• easy to connect new microservices
59. OUR ROAD TO SINGLE SIGN-ON
REMEMBER
Sometimes a week is all it takes!
60. OUR ROAD TO SINGLE SIGN-ON
THANK YOU!
docplanner.com/career
Join us!