Single sign-on


  1. MAREK STĘPNIOWSKI @mstepniowski
  2. SINGLE SIGN-ON
  3. Platforma Redakcyjna (editorial platform): redakcja.wolnelektury.pl
     Redmine (project management): redmine.nowoczesnapolska.org.pl
  4. Platforma Redakcyjna (editorial platform): redakcja.wolnelektury.pl
     Redmine (project management): redmine.nowoczesnapolska.org.pl
     Wolne Lektury: wolnelektury.pl
     Wolne Podręczniki: wiki.wolnepodreczniki.pl
     Blog: nowoczesnapolska.org.pl
  5. • Kerberos • LDAP • Active Directory
  6. “We don’t need no stinkin’ protocols!”
  7. • CAS • OpenID • OAuth
  8. CAS (Jasig)
  9. redirect
  10. Login: ________ Pass: ________
  11. Login: marek Pass: ********
  12. redirect (with token)
  13. check token
  14. yes / no → marek
  15. FEATURES
      • Centralized - all passwords are stored in one place
      • Subsequent logins can happen without user interaction
      • Easy to implement
  16. GATEWAY AUTH (accessing a public web page)
  17. GATEWAY AUTH: redirect
  18. GATEWAY AUTH: redirect (with token)
      Note: we don’t show the login form, even if the user is not logged in
  19. GATEWAY AUTH: check token
  20. GATEWAY AUTH: yes / no → marek
  21. GATEWAY AUTH: if authentication was successful, serve the modified page
  22. JAVASCRIPT AUTH
  23. SINGLE SIGN-OFF
  24. SINGLE SIGN-OFF: sign off
  25. SINGLE SIGN-OFF
      But... it doesn’t scale! Facebook uses delayed single sign-off:
      • The first cookie is long-lived and keeps the user session
      • The second cookie, required to perform API calls, is short-lived and needs to be refreshed using the first cookie
      • Signing off from Facebook deletes both cookies
  26. CAS 2.0
  27. Oh hai, XML!

        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationSuccess>
            <cas:user>marek</cas:user>
          </cas:authenticationSuccess>
        </cas:serviceResponse>

        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationFailure code="INVALID_TICKET">
            Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
          </cas:authenticationFailure>
        </cas:serviceResponse>

  28. Oh hai, XML!

        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationSuccess>
            <cas:user>marek</cas:user>
            <cas:proxyGrantingTicket>
              PGTIOU-84678-8a9d...
            </cas:proxyGrantingTicket>
          </cas:authenticationSuccess>
        </cas:serviceResponse>

        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationFailure code="INVALID_TICKET">
            Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
          </cas:authenticationFailure>
        </cas:serviceResponse>

  29. Oh hai, XML!

        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationSuccess>
            <cas:user>marek</cas:user>
            <cas:proxyGrantingTicket>
              PGTIOU-84678-8a9d...
            </cas:proxyGrantingTicket>
            <fullName>Marek Stępniowski</fullName>
            <isAdmin>yes</isAdmin>
          </cas:authenticationSuccess>
        </cas:serviceResponse>

        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationFailure code="INVALID_TICKET">
            Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
          </cas:authenticationFailure>
        </cas:serviceResponse>
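The service-side half of the CAS flow from the slides (redirect to login, redirect back with a ticket, back-channel ticket check, and parsing the CAS 2.0 XML responses, including the attribute-bearing variant), as an added example that is not code from the talk or from any CAS library. The server location `CAS_BASE`, the sample XML and the gateway flag handling are assumptions; the `service`, `ticket`, `gateway` parameters and the `serviceValidate` endpoint are from the CAS protocol, and no network call is made.

```python
"""Example CAS 2.0 service client (added illustration, not the talk's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.org/cas"       # assumed CAS server location
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace from the slides


def login_url(service, gateway=False):
    """Slide 9/17: redirect the browser to CAS. gateway=True is the
    'gateway auth' mode: CAS sends the user straight back without a login
    form when there is no session, so a public page can still be served."""
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return f"{CAS_BASE}/login?{urlencode(params)}"


def validate_url(service, ticket):
    """Slide 13: the back-channel 'check token' request. The service URL is
    sent again so CAS can confirm the ticket was issued for this service
    and is not being replayed from another one."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"


def parse_service_response(xml_text):
    """Parse a cas:serviceResponse (slides 27-29). Returns (user, attrs) on
    success; raises ValueError carrying the failure code otherwise."""
    # ElementTree does not resolve external entities; for fully untrusted
    # input a hardened parser such as defusedxml is still the safer choice.
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:  # e.g. code="INVALID_TICKET" on the slides
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("MALFORMED: neither success nor failure element")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    pgt = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    if pgt:
        attrs["proxyGrantingTicket"] = pgt.strip()
    for child in success:  # CAS 3.0-style attributes: un-namespaced children
        if not child.tag.startswith("{"):
            attrs[child.tag] = (child.text or "").strip()
    return user, attrs


# Constructed responses mirroring slides 29 and 27 (sample data, not captured).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>marek</cas:user>
    <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket>
    <fullName>Marek Stępniowski</fullName><isAdmin>yes</isAdmin>
  </cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure></cas:serviceResponse>"""
```

A real service would fetch `validate_url(...)` over HTTPS and only then create its local session for the returned user; a failure code means the ticket is unknown, expired, or bound to a different service.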
  30. CAS 3.0
  31. STUCK IN LIMBO
      Adds attribute exchange (most clients implement it as an extension of 2.0)
  32. • Django: https://github.com/zuber/django-cas-provider, https://github.com/zuber/django-cas-consumer
      • Python: https://wiki.jasig.org/display/CASC/Pycas
      • Ruby: http://code.google.com/p/rubycas-server/, http://code.google.com/p/rubycas-client/
      + many more
  33. The simplest single sign-on solution available
      • Django: https://github.com/zuber/django-cas-provider, https://github.com/zuber/django-cas-consumer
      • Python: https://wiki.jasig.org/display/CASC/Pycas
  34. OpenID: ________
  35. OpenID: stepniowski.com
  36. stepniowski.com: redirect
  37. stepniowski.com: Login: ________ Pass: ________
  38. stepniowski.com: Login: marek Pass: ********
  39. stepniowski.com: redirect (with token)
  40. stepniowski.com: check token
  41. stepniowski.com: yes | no
  42. stepniowski.com
  43. FEATURES: strangely similar to CAS
  44. FEATURES
      • Decentralized - you don’t need to store passwords at all
      • Single sign-on but not single sign-in
      • Hard to implement - delegation requires an HTML parser
  45. openid.sreg, openid.ax
  46. 2.0
  47. • Django: https://github.com/omab/django-social-auth
      • Python: https://github.com/openid/python-openid
      • Ruby: https://github.com/openid/ruby-openid
      + many more
  48. COMPARISON
      CAS                             | OpenID
      • Centralized                   | • Decentralized
      • Single sign-on and sign-in    | • Only single sign-on
      • Easy to implement             | • Hard to implement
      • Attribute exchange (CAS 3.0)  | • openid.sreg and openid.ax
      • Single sign-off               | • Single sign-off
      • Gateway authentication        | • Browser extensions
  49. ASK FOR IT, and I will create a separate presentation
  50. MAREK STĘPNIOWSKI @mstepniowski
  51. WE’RE HIRING! http://www.setjam.com/jobs/
  52. DJANGOPIWO, Warsaw, SetJam HQ, Wednesday, August 24th
      @mstepniowski, @marcink ^marcinkaszynski