Building an SSO platform in PHP (Zend Webinar Edition)

Building an SSO platform Ivo Jansch (@ijansch) - Egeniq March 31, 2011 - Zend WebinarThursday, March 31, 2011

About Egeniq Startup Mobile Tech Knowledge Geeks DevelopmentThursday, March 31, 2011

About Me @ijansch Developer Author Entreprenerd PHPThursday, March 31, 2011

Single Sign On Why do we need it?Thursday, March 31, 2011

We use many applications Your Your other corporate corporate application applicationThursday, March 31, 2011

Across devices and locations Your Your other corporate corporate application applicationThursday, March 31, 2011

A quick pollThursday, March 31, 2011

Level 0 - One Password To Rule Them AllThursday, March 31, 2011

1 password to rule them all Your Your other corporate corporate application applicationThursday, March 31, 2011

Level 1 - Shared Identity Using a single authentication backend for appsThursday, March 31, 2011

Shared Identity LDAP Server Your Your other corporate corporate application applicationThursday, March 31, 2011

Level 2 - OpenID Using OpenID for external Identity ManagementThursday, March 31, 2011

OpenID Flow OpenID OpenID Consumer ProviderThursday, March 31, 2011

OpenID Demo OpenID Consumer login.php OpenID Provider consume index.php .phpThursday, March 31, 2011

Protecting the secretThursday, March 31, 2011

Delegate to OpenID providerThursday, March 31, 2011

Consume the responseThursday, March 31, 2011

Caveats OpenID providers hesitant to be OpenID consumers No trust establishment between consumer and providerThursday, March 31, 2011

Level 3 - OAuth Using OAuth for external IDM and authorizationThursday, March 31, 2011

OAuth Flow OAuth OAuth Consumer ProviderThursday, March 31, 2011

Landing adjusted for OAuthThursday, March 31, 2011

OAuth ConﬁgurationThursday, March 31, 2011

Delegate auth to TwitterThursday, March 31, 2011

Consuming the responseThursday, March 31, 2011

Level 4 - SAML Creating our own Identity ProviderThursday, March 31, 2011

SAML Security Assertion Markup Language XML standard by OASIS Assertions contain: Proof of Identity Attributes Supports XML signatures and encryptionThursday, March 31, 2011

SAML Flow Auth Backend (LDAP, ...) Service Identity Provider ProviderThursday, March 31, 2011

SimpleSAMLphp Auth Backend (LDAP, ...) Identity Provider Simple Service SAML Provider SimpleSAMLPHP PHPThursday, March 31, 2011

IDP SimpleSAMLphp setupThursday, March 31, 2011

IDP Auth Source ConﬁgurationThursday, March 31, 2011

IDP Hosted ConﬁgurationThursday, March 31, 2011

IDP Remote ConﬁgurationThursday, March 31, 2011

IDP Virtual Host Apache ConﬁgThursday, March 31, 2011

Testing the IDPThursday, March 31, 2011

SP SimpleSAMLphp setupThursday, March 31, 2011

SP Auth Source ConﬁgurationThursday, March 31, 2011

SP Remote ConﬁgurationThursday, March 31, 2011

Back to our landing pageThursday, March 31, 2011

Delegate auth to the IDPThursday, March 31, 2011

Integrating 3d party apps Simplesamlphp is easy to integrateThursday, March 31, 2011

Wordpress Plugin: http://wordpress.org/extend/plugins/simplesamlphp-authentication/Thursday, March 31, 2011

MediaWiki Plugin: http://www.mediawiki.org/wiki/Extension:SAMLAuthThursday, March 31, 2011

SugarCRM Plugin: didn’t work Problem: auth structure Solution: hacking the source Options: Contact me if you need to get SugarCRM to do SSO :-) Wait for SugarCRM 6.1, it contains a working SAML plugin (/via @smalyshev)Thursday, March 31, 2011

Google Apps Requires Premier or Education Edition Conﬁgure SAML endpoint => Done! Docs: http://code.google.com/googleapps/domain/sso/ saml_reference_implementation.htmlThursday, March 31, 2011

Google AppsThursday, March 31, 2011

Making apps SSO ready Application Auth Plugin Start Logged in? Yes No Show Login Authenticate Site FormThursday, March 31, 2011

Making apps SSO ready Application Auth Plugin Start Logged in? Yes No Show Login Site Form AuthenticateThursday, March 31, 2011

Making apps SSO ready Application Auth Plugin Start Logged in? No Yes Login Form Show Login Site Form AuthenticateThursday, March 31, 2011

Conclusion What should you take away from this talk?Thursday, March 31, 2011

In your next project... You will NOT create more userids !! You WILL use standard protocols !!Thursday, March 31, 2011

Thank You ivo@egeniq.com http://www.egeniq.com @ijansch @egeniqThursday, March 31, 2011

Credits Pictures used in this presentation are creative commons attribution licensed pictures. Here are the owners and the URLS where the originals can be found: ‘Multiple Padlock Farm Gate’ by Mike Baird - http://www.flickr.com/photos/mikebaird/2354116406/ ‘Love Locks’ by James Manners - http://www.flickr.com/photos/jmanners/443421045/ ‘Seguridad’ by Juan J. Martinez - http://www.flickr.com/photos/reidrac/4696900602/ ‘Hotel Keys by Henri Bergius - http://www.flickr.com/photos/bergie/3468886680/ ‘OAuth Shiny’ by Chris Messina - http://www.flickr.com/photos/factoryjoe/3343062926/ ‘Take a number please’ by Andres Rueda - http://www.flickr.com/photos/andresrueda/3259487071/ ’38/365 Puzzled’ by Mykl Roventine - http://www.flickr.com/photos/myklroventine/3261364899/ ‘Visiting Portage’ by Jeremy Bronson - http://www.flickr.com/photos/jbrons/4444017497/ ‘_dsc8037’ by Sergey Vladimirov - http://www.flickr.com/photos/vlsergey/4138735474/ Application logo’s and other icons have been used under the assumption that use of them in this context is considered fair use.Thursday, March 31, 2011

https://intra.datafisher.com	2
http://new.jansch.nl	1
http://paper.li	1
http://a0.twimg.com	1
http://www.linkedin.com	1

Building an SSO platform in PHP (Zend Webinar Edition)

by Ivo Jansch

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 6

Statistics