Building an SSO platform in php (Zendcon 2010)

Building an SSO platform Ivo Jansch - Egeniq November 4, 2010 - Zendcon

About Egeniq Startup Mobile Tech Knowledge Geeks Development

About Me @ijansch Developer Author Entreprenerd PHP

Single Sign On Why do we need it?

We use many applications Your Your other corporate corporate application application

Across devices and locations Your Your other corporate corporate application application

A quick poll

Level 0 - One Password To Rule Them All

1 password to rule them all Your Your other corporate corporate application application

Level 1 - Shared Identity Using a single authentication backend for apps

Shared Identity LDAP Server Your Your other corporate corporate application application

Level 2 - OpenID Using OpenID for external Identity Management

OpenID Flow OpenID OpenID Consumer Provider

OpenID Demo OpenID Consumer login.php OpenID Provider consume index.php .php

Protecting the secret

Delegate to OpenID provider

Consume the response

Caveats OpenID providers hesitant to be OpenID consumers No trust establishment between consumer and provider

Level 3 - OAuth Using OAuth for external IDM and authorization

OAuth Flow OAuth OAuth Consumer Provider

Landing adjusted for OAuth

OAuth Conﬁguration

Delegate auth to Twitter

Consuming the response

Level 4 - SAML Creating our own Identity Provider

SAML Security Assertion Markup Language XML standard by OASIS Assertions contain: Proof of Identity Attributes Supports XML signatures and encryption

SAML Flow Auth Backend (LDAP, ...) Service Identity Provider Provider

SimpleSAMLphp Auth Backend (LDAP, ...) Identity Provider Simple Service SAML Provider SimpleSAMLPHP PHP

IDP SimpleSAMLphp setup

IDP Auth Source Conﬁguration

IDP Hosted Conﬁguration

IDP Remote Conﬁguration

IDP Virtual Host Apache Conﬁg

Testing the IDP

SP SimpleSAMLphp setup

SP Auth Source Conﬁguration

SP Remote Conﬁguration

Back to our landing page

Delegate auth to the IDP

Integrating 3d party apps Simplesamlphp is easy to integrate

Wordpress Plugin: http://wordpress.org/extend/plugins/simplesamlphp-authentication/

MediaWiki Plugin: http://www.mediawiki.org/wiki/Extension:SAMLAuth

SugarCRM Plugin: didn’t work Problem: auth structure Solution: hacking the source Options: Contact me if you need to get SugarCRM to do SSO :-) Wait for SugarCRM 6.1, it contains a working SAML plugin (/via @smalyshev)

Google Apps Requires Premier or Education Edition Conﬁgure SAML endpoint => Done! Docs: http://code.google.com/googleapps/domain/sso/ saml_reference_implementation.html

Google Apps

Making apps SSO ready Application Auth Plugin Start Logged in? Yes No Show Login Authenticate Site Form

Making apps SSO ready Application Auth Plugin Start Logged in? Yes No Show Login Site Form Authenticate

Making apps SSO ready Application Auth Plugin Start Logged in? No Yes Login Form Show Login Site Form Authenticate

Level 5 - Federation Dealing with multiple Identity Providers

Federation Identity Provider Identity Provider Service Authentication Provider Federation

Identity Confederation Authentication Provider Federation Identity Provider Identity Provider Service Authentication Provider Federation

Collaboration Infrastructures http://www.surfnet.nl/en/Thema/coin/Pages/Default.aspx

The Future

Conclusion What should you take away from this talk?

In your next project... You will NOT create more userids !! You WILL use standard protocols !!

Thank You ivo@egeniq.com http://www.egeniq.com @ijansch @egeniq Please leave feedback at: http://joind.in/2282

Credits Pictures used in this presentation are creative commons attribution licensed pictures. Here are the owners and the URLS where the originals can be found: ‘Multiple Padlock Farm Gate’ by Mike Baird - http://www.flickr.com/photos/mikebaird/2354116406/ ‘Love Locks’ by James Manners - http://www.flickr.com/photos/jmanners/443421045/ ‘Seguridad’ by Juan J. Martinez - http://www.flickr.com/photos/reidrac/4696900602/ ‘Hotel Keys by Henri Bergius - http://www.flickr.com/photos/bergie/3468886680/ ‘OAuth Shiny’ by Chris Messina - http://www.flickr.com/photos/factoryjoe/3343062926/ ‘Take a number please’ by Andres Rueda - http://www.flickr.com/photos/andresrueda/3259487071/ ’38/365 Puzzled’ by Mykl Roventine - http://www.flickr.com/photos/myklroventine/3261364899/ ‘Visiting Portage’ by Jeremy Bronson - http://www.flickr.com/photos/jbrons/4444017497/ ‘_dsc8037’ by Sergey Vladimirov - http://www.flickr.com/photos/vlsergey/4138735474/ Application logo’s and other icons have been used under the assumption that use of them in this context is considered fair use.

http://www.egeniq.com	1343
http://medresalabs.posterous.com	44
http://posterous.com	37
http://blog.jaffamonkey.com	27
http://jujo00obo2o234ungd3t8qjfcjrs3o6k-a-sites-opensocial.googleusercontent.com	18
http://www.planet-php.net	14
http://edit2day.blogspot.com	13
http://blog.fasoulas.com	6
http://www.phpeye.com	3
http://static.slidesharecdn.com	3
http://phpeye.com	2
http://tibi.vn	2
http://translate.googleusercontent.com	1
http://dev.tibi.vn	1
http://www.twylah.com	1
http://planet-php.org	1
http://www.planet-php.org	1
http://131.253.14.98	1

Building an SSO platform in php (Zendcon 2010)

by Ivo Jansch

Accessibility

Categories

Upload Details

Usage Rights

18 Embeds 1,518

Statistics

Building an SSO platform in php (Zendcon 2010) Presentation Transcript