Building an SSO platform
Ivo Jansch - Egeniq
November 4, 2010 - Zendcon
A presentation explaining how to build Single Sign On functionality in PHP using standards such as OpenID, OAuth and SAML. Delivered on November 4, 2010 at Zendcon in Santa Clara
  • Single Sign-On is HARD to get right, which is why there are relatively few packaged solutions out there. Presentations like this one are just confusing. So I came up with a solution:

    http://barebonescms.com/documentation/sso/

    Basically, follow the directions to install the server. Then follow the directions to install the client a couple of times. Then hook one client up to the server to secure it. Then hook the other client up to your application. Done. And it only takes a few hours of work without the nitty-gritty of trying to figure out the terminology used in this presentation. It takes far less time to set up than coding the average login system.
Transcript of "Building an SSO platform in php (Zendcon 2010)"

  1. Building an SSO platform - Ivo Jansch - Egeniq - November 4, 2010 - Zendcon
  2. About Egeniq: Startup, Mobile, Tech, Knowledge, Geeks, Development
  3. About Me: @ijansch, Developer, Author, Entreprenerd, PHP
  4. Single Sign On: Why do we need it?
  5. We use many applications (diagram: your corporate application, your other corporate application)
  6. Across devices and locations (diagram: your corporate application, your other corporate application)
  7. A quick poll
  8. Level 0 - One Password To Rule Them All
  9. 1 password to rule them all (diagram: your corporate application, your other corporate application)
  10. Level 1 - Shared Identity: Using a single authentication backend for apps
  11. Shared Identity (diagram: your corporate application and your other corporate application, both authenticating against one LDAP server)
  12. Level 2 - OpenID: Using OpenID for external Identity Management
  13. OpenID Flow (diagram: OpenID Consumer, OpenID Provider)
  14. OpenID Demo (diagram: OpenID Consumer consisting of index.php, login.php and consume.php; OpenID Provider)
  15. Protecting the secret
  16. Delegate to OpenID provider
  17. Consume the response
  18. Caveats: OpenID providers are hesitant to be OpenID consumers; there is no trust establishment between consumer and provider
  19. Level 3 - OAuth: Using OAuth for external IDM and authorization
  20. OAuth Flow (diagram: OAuth Consumer, OAuth Provider)
  21. Landing adjusted for OAuth
  22. OAuth Configuration
  23. Delegate auth to Twitter
  24. Consuming the response
  25. Level 4 - SAML: Creating our own Identity Provider
  26. SAML: Security Assertion Markup Language. XML standard by OASIS. Assertions contain proof of identity and attributes. Supports XML signatures and encryption.
  27. SAML Flow (diagram: Service Provider, Identity Provider, Auth Backend (LDAP, ...))
  28. SimpleSAMLphp (diagram: Service Provider, Identity Provider running SimpleSAMLphp, Auth Backend (LDAP, ...))
  29. IDP SimpleSAMLphp setup
  30. IDP Auth Source Configuration
  31. IDP Hosted Configuration
  32. IDP Remote Configuration
  33. IDP Virtual Host Apache Config
  34. Testing the IDP
  35. SP SimpleSAMLphp setup
  36. SP Auth Source Configuration
  37. SP Remote Configuration
  38. Back to our landing page
  39. Delegate auth to the IDP
  40. Integrating 3rd party apps: SimpleSAMLphp is easy to integrate
  41. WordPress. Plugin: http://wordpress.org/extend/plugins/simplesamlphp-authentication/
  42. MediaWiki. Plugin: http://www.mediawiki.org/wiki/Extension:SAMLAuth
  43. SugarCRM. Plugin: didn't work. Problem: auth structure. Solution: hacking the source. Options: contact me if you need to get SugarCRM to do SSO :-), or wait for SugarCRM 6.1, it contains a working SAML plugin (via @smalyshev)
  44. Google Apps: Requires Premier or Education Edition. Configure SAML endpoint => Done! Docs: http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
  45. Google Apps (screenshot)
  46. Making apps SSO ready (flowchart, built up over slides 46-49: Start -> Application -> "Logged in?"; Yes -> Show Site; No -> Auth Plugin -> Login Form -> Authenticate)
  47. Making apps SSO ready (flowchart continued)
  48. Making apps SSO ready (flowchart continued)
  49. Making apps SSO ready (flowchart completed: the Auth Plugin now owns the Login Form and the Authenticate step, and the application only keeps the "Logged in?" check)
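Slides 46-49 sketch the auth-plugin pattern and slide 39 delegates authentication to the IdP. The block below is an added example, not code from the talk, showing that pattern in PHP: the application only asks "logged in?", and a local login-form plugin and a SimpleSAMLphp plugin sit behind one interface so that moving to SAML swaps the plugin rather than the application. It assumes SimpleSAMLphp 1.x installed at /var/simplesamlphp with an SP auth source named 'default-sp'; the 'uid' attribute name and the sample user are constructed.

```php
<?php
// Added example of the auth-plugin pattern (slides 46-49), not code from the talk.
// Assumptions: SimpleSAMLphp 1.x at /var/simplesamlphp, SP auth source 'default-sp',
// and an IdP that releases a 'uid' attribute; the sample user below is constructed.
interface AuthPlugin
{
    public function isLoggedIn(): bool;
    public function authenticate(): void;   // renders a form or redirects to the IdP; returns only when logged in
    public function getUserId(): string;
}
// Plugin 1: the application's own login form, backed by a username => password_hash() map.
class FormAuthPlugin implements AuthPlugin
{
    private $users;
    public function __construct(array $users) { $this->users = $users; }
    public function isLoggedIn(): bool { return !empty($_SESSION['uid']); }
    public function getUserId(): string { return $_SESSION['uid']; }
    public function authenticate(): void
    {
        $u = $_POST['user'] ?? '';
        $p = $_POST['pass'] ?? '';
        if (isset($this->users[$u]) && password_verify($p, $this->users[$u])) {
            session_regenerate_id(true);   // fresh session id on login: defeats session fixation
            $_SESSION['uid'] = $u;
            return;
        }
        echo '<form method="post"><input name="user"><input type="password" name="pass"><button>Login</button></form>';
        exit;                              // "No" branch of the flowchart: show the login form, not the site
    }
}
// Plugin 2: delegate authentication to the IdP through SimpleSAMLphp (slide 39).
class SamlAuthPlugin implements AuthPlugin
{
    private $as;
    public function __construct(string $authSource = 'default-sp')
    {
        require_once '/var/simplesamlphp/lib/_autoload.php';   // assumed install path
        $this->as = new SimpleSAML_Auth_Simple($authSource);
    }
    public function isLoggedIn(): bool { return $this->as->isAuthenticated(); }
    public function authenticate(): void { $this->as->requireAuth(); }   // redirects to the IdP when not authenticated
    public function getUserId(): string { return $this->as->getAttributes()['uid'][0]; }   // attribute name is an IdP decision
}
session_start();   // the application: slide 46's "Logged in?" decision, identical for either plugin
$auth = new FormAuthPlugin(['alice' => password_hash('example-pass', PASSWORD_DEFAULT)]);   // constructed sample user
// $auth = new SamlAuthPlugin();   // same application code once the IdP and SP from slides 29-37 are configured
if (!$auth->isLoggedIn()) {
    $auth->authenticate();
}
echo 'Welcome, ' . htmlspecialchars($auth->getUserId());
```

SimpleSAMLphp keeps its own session; when it uses the PHP session store alongside an application that also calls session_start(), its session cookie name must differ from the application's (or a separate session store must be configured), otherwise the two overwrite each other's session data.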
  50. Level 5 - Federation: Dealing with multiple Identity Providers
  51. Federation (diagram: Service Provider -> Authentication Federation -> Identity Provider, Identity Provider)
  52. Confederation (diagram: Service Provider -> Authentication Federation -> Identity Provider, Identity Provider; the federation also connects to a second Authentication Federation with its own Identity Provider)
  53. Collaboration Infrastructures: http://www.surfnet.nl/en/Thema/coin/Pages/Default.aspx
  54. The Future
  55. The Future
  56. Conclusion: What should you take away from this talk?
  57. In your next project... You will NOT create more userids !! You WILL use standard protocols !!
  58. Thank You. ivo@egeniq.com, http://www.egeniq.com, @ijansch, @egeniq. Please leave feedback at: http://joind.in/2282
  59. Credits. Pictures used in this presentation are Creative Commons Attribution licensed pictures. Here are the owners and the URLs where the originals can be found:
     - ‘Multiple Padlock Farm Gate’ by Mike Baird - http://www.flickr.com/photos/mikebaird/2354116406/
     - ‘Love Locks’ by James Manners - http://www.flickr.com/photos/jmanners/443421045/
     - ‘Seguridad’ by Juan J. Martinez - http://www.flickr.com/photos/reidrac/4696900602/
     - ‘Hotel Keys’ by Henri Bergius - http://www.flickr.com/photos/bergie/3468886680/
     - ‘OAuth Shiny’ by Chris Messina - http://www.flickr.com/photos/factoryjoe/3343062926/
     - ‘Take a number please’ by Andres Rueda - http://www.flickr.com/photos/andresrueda/3259487071/
     - ‘38/365 Puzzled’ by Mykl Roventine - http://www.flickr.com/photos/myklroventine/3261364899/
     - ‘Visiting Portage’ by Jeremy Bronson - http://www.flickr.com/photos/jbrons/4444017497/
     - ‘_dsc8037’ by Sergey Vladimirov - http://www.flickr.com/photos/vlsergey/4138735474/
     Application logos and other icons have been used under the assumption that their use in this context is considered fair use.