Single sign-on
    Presentation Transcript

    • MAREK STĘPNIOWSKI @mstepniowski
    • SINGLE SIGN-ON
    • Editorial Platform (redakcja.wolnelektury.pl), Redmine - project management (redmine.nowoczesnapolska.org.pl), Wolne Lektury (wolnelektury.pl), Wolne Podręczniki (wiki.wolnepodreczniki.pl), Blog (nowoczesnapolska.org.pl)
    • Kerberos, LDAP, Active Directory
    • “We don’t need no stinkin’ protocols!”
    • CAS, OpenID, OAuth
    • CAS Jasig
    • CAS flow: redirect (the browser is sent to the CAS server) → login form (Login: ________ Pass: ________) → the user logs in (Login: marek Pass: ********) → redirect (with token) → check token → yes | no → marek
    • FEATURES: Centralized - all passwords are stored in one place; subsequent logins can happen without user interaction; easy to implement
    • GATEWAY AUTH (accessing a public web page): redirect → redirect (with token) → check token → yes | no → marek. Note: we don’t show the login form, even if the user is not logged in. If authentication was successful, serve the modified page.
    • JAVASCRIPT AUTH
    • SINGLE SIGN-OFF: sign off
    • SINGLE SIGN-OFF: But... it doesn’t scale! Facebook uses delayed single sign-off: the first cookie is long lived and keeps the user session; the second cookie, required to perform API calls, is short lived and needs to be refreshed using the first cookie; signing off from Facebook deletes both cookies.
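A toy model of the delayed single sign-off just described, as an added example (not Facebook's or the speaker's code). The long-lived first cookie is a session id looked up in a server-side store; the short-lived second cookie is a self-contained user|expiry|HMAC token that API servers verify without any lookup, which is what makes the scheme scale. The TTL, the signing key and the user names are assumptions; the worked run shows the revocation window that "delayed" implies.

```python
"""Added example (not Facebook's or the speaker's code): a toy model of
'delayed single sign-off'. One long-lived session cookie is looked up in a
server-side store; a short-lived API token is derived from it and checked
statelessly by API servers. TTL, key and user names are assumptions."""
import hashlib
import hmac
import secrets

API_TOKEN_TTL = 300                      # seconds; assumed, the slides give no number
SERVER_KEY = secrets.token_bytes(32)     # shared by the servers that verify API tokens


class SessionStore:
    """Backs the long-lived first cookie: one lookup per login/refresh, not per API call."""

    def __init__(self):
        self.sessions = {}

    def sign_in(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid                        # value of the long-lived cookie

    def user_for(self, sid):
        return self.sessions.get(sid)

    def sign_off(self, sid):
        """Signing off deletes the session server-side; the browser drops both cookies."""
        self.sessions.pop(sid, None)


def _mac(user, exp):
    return hmac.new(SERVER_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()


def issue_api_token(store, session_cookie, now):
    """Refresh step: only a live long-lived session can mint the short-lived
    second cookie. Token = user|expiry|HMAC, so API servers need no store.
    (User names are assumed to contain no '|'.)"""
    user = store.user_for(session_cookie)
    if user is None:
        return None
    exp = int(now) + API_TOKEN_TTL
    return f"{user}|{exp}|{_mac(user, exp)}"


def api_call(api_token, now):
    """API side: accept the token on signature and expiry alone. This is what
    makes sign-off 'delayed': a token minted before sign-off stays valid until
    it expires, so API_TOKEN_TTL bounds the revocation window."""
    try:
        user, exp, mac = api_token.split("|")
    except (AttributeError, ValueError):
        return None
    if not hmac.compare_digest(mac.encode(), _mac(user, exp).encode()):
        return None
    if int(exp) <= int(now):
        return None
    return user


def revocation_window(store, user, t0):
    """Worked run: returns (user seen before sign-off, refresh after sign-off,
    old token right after sign-off, old token after the TTL has passed)."""
    sid = store.sign_in(user)
    token = issue_api_token(store, sid, t0)
    before = api_call(token, t0 + 1)
    store.sign_off(sid)
    refresh = issue_api_token(store, sid, t0 + 2)        # None: session is gone
    lingering = api_call(token, t0 + 2)                  # still accepted
    expired = api_call(token, t0 + API_TOKEN_TTL + 1)    # None at last
    return before, refresh, lingering, expired


if __name__ == "__main__":
    print(revocation_window(SessionStore(), "marek", 1_314_180_000))
```

The run returns ("marek", None, "marek", None): after sign-off no new API token can be minted, but the one already in the browser keeps working until its expiry, so the TTL is the longest a "signed off" session can still call the API. Keep it short, and do not put anything in the stateless token that must be revocable immediately.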
    • CAS 2.0
    • Oh hai, XML! A successful serviceValidate response (with a proxy-granting ticket and attributes):
      <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:authenticationSuccess>
          <cas:user>marek</cas:user>
          <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
          <fullName>Marek Stępniowski</fullName>
          <isAdmin>yes</isAdmin>
        </cas:authenticationSuccess>
      </cas:serviceResponse>
      And a failure:
      <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:authenticationFailure code="INVALID_TICKET">
          Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
        </cas:authenticationFailure>
      </cas:serviceResponse>
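The client side of the CAS flow shown in the slides (redirect, redirect with token, check token, yes/no), including the gateway variant and the parsing of the CAS 2.0 serviceValidate XML, as an added example; this is not the speaker's code nor any of the CAS libraries listed. The CAS server URL, the service URL, the callback URL and the two sample XML bodies are constructed for illustration (the XML follows the slides, with the `<isAdmin>` close tag fixed).

```python
"""Added example (not from the slides, not a Jasig library): a minimal CAS 2.0/3.0
client for the 'redirect / redirect (with token) / check token' flow, with the
gateway variant. CAS_SERVER, SERVICE and the XML bodies are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"          # namespace used on the slides
CAS_SERVER = "https://cas.example.org/cas"     # assumed CAS server base URL
SERVICE = "https://app.example.org/login/"     # assumed service (this app) URL


def login_url(service=SERVICE, gateway=False):
    """Step 'redirect': where the app sends the browser. With gateway=True the
    CAS server shows no login form: a logged-in user comes back with a ticket,
    anyone else comes back without one (GATEWAY AUTH)."""
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return f"{CAS_SERVER}/login?{urlencode(params)}"


def ticket_from_callback(url):
    """Step 'redirect (with token)': pull the service ticket CAS appended to the
    service URL; None when a gateway request came back without one."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def validate_url(ticket, service=SERVICE, pgt_url=None):
    """Step 'check token': the app asks CAS server-to-server (never via the
    browser) whether the ticket is valid for exactly this service URL."""
    params = {"service": service, "ticket": ticket}
    if pgt_url:                      # ask for a proxy-granting ticket (CAS 2.0)
        params["pgtUrl"] = pgt_url
    return f"{CAS_SERVER}/serviceValidate?{urlencode(params)}"


def parse_service_response(xml_text):
    """Turn a serviceValidate body into the 'yes / no' decision of the slides:
    {'ok': True, 'user', 'pgt_iou', 'attributes'} or {'ok': False, 'code', 'message'}."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "code": "INVALID_RESPONSE", "message": str(exc)}
    ns = {"cas": CAS_NS}
    success = root.find("cas:authenticationSuccess", ns)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=ns).strip()
        if not user:
            return {"ok": False, "code": "INVALID_RESPONSE", "message": "no <cas:user>"}
        pgt = success.findtext("cas:proxyGrantingTicket", default=None, namespaces=ns)
        attributes = {}
        for child in success:
            tag = child.tag.split("}")[-1]            # drop the namespace, if any
            if tag in ("user", "proxyGrantingTicket", "proxies"):
                continue
            if tag == "attributes":                   # CAS 3.0 <cas:attributes> wrapper
                for attr in child:
                    attributes[attr.tag.split("}")[-1]] = (attr.text or "").strip()
            else:                                     # slide style: attributes inline
                attributes[tag] = (child.text or "").strip()
        return {"ok": True, "user": user,
                "pgt_iou": pgt.strip() if pgt else None, "attributes": attributes}
    failure = root.find("cas:authenticationFailure", ns)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", ""),
                "message": (failure.text or "").strip()}
    return {"ok": False, "code": "INVALID_RESPONSE", "message": "unrecognised body"}


# Constructed sample bodies, modelled on the CAS 2.0 slides.
SUCCESS_XML = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    <fullName>Marek Stępniowski</fullName>
    <isAdmin>yes</isAdmin>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url(), login_url(gateway=True))
    ticket = ticket_from_callback(SERVICE + "?ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7")
    print(validate_url(ticket))
    print(parse_service_response(SUCCESS_XML))
    print(parse_service_response(FAILURE_XML))
```

Two things worth noting: the validation request is made by the application to the CAS server over TLS, so the `isAdmin` attribute is trusted only because of where the answer came from, never because the browser delivered it; and the ticket is bound to the exact `service` URL, so the value passed to `serviceValidate` must be the one the browser was redirected back to.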
    • CAS 3.0
    • STUCK IN A LIMBO: adds attribute exchange (most clients implement it as an extension of 2.0)
    • Django: https://github.com/zuber/django-cas-provider, https://github.com/zuber/django-cas-consumer; Python: https://wiki.jasig.org/display/CASC/Pycas; Ruby: http://code.google.com/p/rubycas-server/, http://code.google.com/p/rubycas-client/ + many more
    • The simplest single sign-on solution available
    • OpenID flow: OpenID: ________ → the user enters an identifier (OpenID: stepniowski.com) → redirect → login form (Login: ________ Pass: ________) → the user logs in (Login: marek Pass: ********) → redirect (with token) → check token → yes | no
    • FEATURES: strangely similar to CAS
    • FEATURES: Decentralized - you don’t need to store passwords at all; single sign-on but not single sign-in; hard to implement - delegation requires an HTML parser
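The OpenID side of the flow above, as an added example that is not the speaker's code nor python-openid: discovery of the provider by parsing the HTML of the user's page (the "delegation requires an HTML parser" point, for both OpenID 2.0 and 1.1 link rels), the checkid_setup redirect, and the relying party's "check token" on the signed assertion, verified with an association's MAC key (OpenID 2.0, HMAC-SHA256 association) and a replay check on the nonce. The HTML placed at stepniowski.com, the provider URL, return_to, realm, association handle and MAC key are all constructed for the example.

```python
"""Added example (not the speaker's code, not python-openid): OpenID discovery
from HTML, the checkid_setup redirect and verification of the signed id_res
assertion. Page content, provider, return_to, realm and MAC key are constructed."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

CLAIMED_ID = "http://stepniowski.com/"                   # what the user typed
RETURN_TO = "https://app.example.org/openid/return"      # assumed RP callback
REALM = "https://app.example.org/"                       # assumed RP realm
MAC_KEY = bytes(range(32))                               # assumed association key
SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
          "claimed_id", "identity"]                      # fields the OP must sign

# Constructed HTML for the user's page: OpenID 2.0 and 1.1 delegation links.
USER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://provider.example.net/openid">
<link rel="openid2.local_id" href="https://provider.example.net/id/marek">
<link rel="openid.server" href="https://provider.example.net/openid">
<link rel="openid.delegate" href="https://provider.example.net/id/marek">
</head><body>stepniowski.com</body></html>"""


class LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...>; the first value per rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.links.setdefault(rel, a["href"])


def discover(html):
    """HTML-based discovery: prefer OpenID 2.0 link rels, fall back to 1.1."""
    p = LinkRelParser()
    p.feed(html)
    links = p.links
    provider = links.get("openid2.provider") or links.get("openid.server")
    if not provider:
        return None
    return {"provider": provider,
            "local_id": links.get("openid2.local_id") or links.get("openid.delegate"),
            "version": 2 if "openid2.provider" in links else 1}


def checkid_setup_url(disc, claimed_id=CLAIMED_ID):
    """The 'redirect' step: send the browser to the provider with the request."""
    params = {"openid.ns": "http://specs.openid.net/auth/2.0",
              "openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
              "openid.identity": disc["local_id"] or claimed_id,
              "openid.return_to": RETURN_TO, "openid.realm": REALM}
    return f"{disc['provider']}?{urlencode(params)}"


def _sig(fields, signed, mac_key):
    # Key-value form of the signed fields (keys without 'openid.'), HMAC, base64
    data = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode()


def sign_assertion(fields, mac_key=MAC_KEY):
    """Provider side (for the demo): the positive assertion appended to return_to."""
    fields = dict(fields, signed=",".join(SIGNED))
    fields["sig"] = _sig(fields, SIGNED, mac_key)
    return urlencode({"openid." + k: v for k, v in fields.items()})


def verify_assertion(query, seen_nonces, mac_key=MAC_KEY, assoc_handle="assoc-1"):
    """The 'check token' step: claimed_id on a valid, fresh, correctly signed
    id_res, else None. Checks mode, return_to, our association, the signed
    list, the HMAC and finally nonce reuse (recorded only after the HMAC holds)."""
    f = {k[7:]: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()
         if k.startswith("openid.")}
    if f.get("mode") != "id_res" or f.get("return_to") != RETURN_TO:
        return None
    if f.get("assoc_handle") != assoc_handle:
        return None
    signed = f.get("signed", "").split(",")
    if any(req not in signed for req in SIGNED):
        return None
    try:
        expected = _sig(f, signed, mac_key)
    except KeyError:                        # signed list names a missing field
        return None
    if not hmac.compare_digest(expected.encode(), f.get("sig", "").encode()):
        return None
    if f["response_nonce"] in seen_nonces:  # replayed assertion
        return None
    seen_nonces.add(f["response_nonce"])
    return f["claimed_id"]
```

Usage: `disc = discover(USER_PAGE)` gives the provider and delegated local id, `checkid_setup_url(disc)` is the redirect, and once the provider sends the browser back to `RETURN_TO`, `verify_assertion(query_string, seen_nonces)` returns the claimed identifier or None. The signature covers `claimed_id` and `identity`, so a tampered identity fails; the nonce set is what stops a captured assertion from being replayed; and a provider found via `openid.server` alone is OpenID 1.1, whose associations use HMAC-SHA1 rather than the SHA-256 shown here.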
    • openid.sreg, openid.ax
    • OpenID 2.0
    • Django: https://github.com/omab/django-social-auth; Python: https://github.com/openid/python-openid; Ruby: https://github.com/openid/ruby-openid + many more
    • COMPARISON
      CAS                              OpenID
      Centralized                      Decentralized
      Single sign-on and sign-in       Only single sign-on
      Easy to implement                Hard to implement
      Attribute exchange (CAS 3.0)     openid.sreg and openid.ax
      Single sign-off                  Single sign-off
      Gateway authentication           Browser extensions
    • ASK FOR IT: and I will create a separate presentation
    • MAREK STĘPNIOWSKI @mstepniowski
    • WE’RE HIRING! http://www.setjam.com/jobs/
    • DJANGOPIWO: Warsaw, SetJam HQ, Wednesday August 24th. @mstepniowski, @marcink (^marcinkaszynski)