
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)



Modern authentication techniques in Python web applications. PyGrunn talk by Artur Barseghyan. Year 2014.



  1. Modern authentication techniques in Python web applications. Artur Barseghyan, Goldmund, Wyldebeast & Wunderliebe. http://www.goldmund-wyldebeast-wunderliebe.nl/ artur.barseghyan@gmail.com https://github.com/barseghyanartur
  2. Part 1: Single Sign-on using Central Authentication Service
  3. A single framework/application. Diagram: user base, framework/application, authentication system, and other important parts not related to this talk.
  4. Typical framework/application authentication flow. Flowchart: the user requests content requiring authentication. Is the user authenticated? Yes: the user gets the content requested. No: the user provides credentials (login page). Are the credentials correct? Yes: authenticate the user and serve the content. No: the user is not authenticated.
  5. Multiple web frameworks/applications. Diagram: user base 1, framework/application 1 and authentication system 1 (plus other important parts not related to this talk); the same again for 2 ... N; all reached through a web portal (e.g. DMS, intranet, wiki, etc.).
  6. Without Single Sign-on...
     ● Use a single framework/application and write lots of apps, OR
     ● Use multiple frameworks/applications and:
       ○ hack their authentication systems, OR
       ○ expect users to log in to each of them, OR
       ○ make them communicate via a custom-built API.
     ● More (bad) ideas?
  7. With Single Sign-on...
     ● The user logs in once and gains access to all systems without being prompted to log in again.
  8. (JaSig) CAS: Enterprise Single Sign-on solution
     ● Open source
     ● Well documented
     ● Scalable
     ● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, LDAP, SPNEGO, RADIUS, etc.)
     ● Lots of ready-to-use clients and plugins
  9. (JaSig) CAS. CAS involves at least three parties:
     ● a client web browser,
     ● the web application requesting authentication,
     ● the CAS server.
     It also optionally may involve a back-end service, such as a database server.
  10. CAS authentication flow
  11. CAS authentication schema. Flowchart across two lanes, the CAS client (web application) and the CAS server: the user requests content which requires authentication. Is the user authenticated into the app? Yes: the user gets the content requested. No: is the user authenticated into CAS? No: the user is asked to provide credentials (login page); are the credentials correct? No: authentication fails. Yes: CAS authenticates the user. Once the user is authenticated into CAS, the CAS server creates an SSO token and redirects back to the application, which authenticates the user locally and serves the content requested.
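The ticket exchange in the schema above, written out as an added Python example (this is not code from the talk or from django-cas-consumer); the CAS and application URLs, the username and the two sample responses are constructed, and the HTTP fetch is injected so the example runs offline:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespace used by CAS 2.0 /serviceValidate responses.
CAS_NS = "{http://www.yale.edu/tp/cas}"


def login_redirect_url(cas_base, service):
    # Client lane: an unauthenticated user is sent to the CAS login page with
    # the URL to return to ("service") as a parameter.
    return f"{cas_base}/login?{urlencode({'service': service})}"


def validate_url(cas_base, service, ticket):
    # CAS redirects back with ?ticket=ST-...; the application validates it
    # server-to-server (over HTTPS with certificate verification). The
    # "service" value must be identical to the one used at login, otherwise
    # CAS answers with INVALID_SERVICE.
    return f"{cas_base}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_service_validate(xml_text):
    # Return the username CAS vouches for, or None. Anything that is not an
    # authenticationSuccess element (failure, empty or malformed body) means
    # "not authenticated". Parse with defusedxml in production code.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    success = root.find(f"{CAS_NS}authenticationSuccess")
    if success is None:
        return None
    user = success.findtext(f"{CAS_NS}user")
    return user.strip() if user and user.strip() else None


def cas_login(cas_base, service, ticket, fetch):
    # Validation step; `fetch` is a callable doing the HTTPS GET and returning
    # the body. Only a returned username may create the local session
    # ("authenticate user locally" in the schema); the bare ticket never does.
    if not ticket.startswith("ST-"):
        return None  # the CAS protocol requires service tickets to begin with "ST-"
    return parse_service_validate(fetch(validate_url(cas_base, service, ticket)))


# Constructed sample responses in the CAS 2.0 format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1-xyz not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```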
  12. Pros of CAS
     ● Centralised authentication for all frameworks/applications.
     ● Actively maintained and developed. Large community.
     ● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, Active Directory, LDAP, SPNEGO, RADIUS, etc.).
     ● Lots of ready-to-use packages for many frameworks/applications.
     ● Fewer passwords to retype, remember and recover.
     ● More of your own code is reusable.
     ● Happier end-users.
     ● REST API.
  13. Cons of CAS
     ● SSO availability becomes critical.
     ● SSO security becomes critical.
  14. Our use case. Diagram: Server A, dashboard app (Django); Server B, DMS (Plone); Server C, CAS server; Server D, user base (Active Directory); VPN; Server X, more to come. Technologies: Apache, Tomcat, Debian, Java, CAS, OpenVPN, AJP, Python, Django, Plone.
  15. Conclusion
  16. CAS alternatives (1 / n)
     ● JOSSO http://www.josso.org
     ● OpenAM (formerly known as OpenSSO) http://openam.forgerock.org
     ● Pubcookie http://www.pubcookie.org
     ● CoSign http://weblogin.org
  17. Linkodrome (1 / n). Software packages:
     ● JaSig CAS http://www.jasig.org/cas
     ● Django CAS client https://github.com/Goldmund-Wyldebeast-Wunderliebe/django-cas-consumer
     ● Plone CAS client https://github.com/collective/anz.casclient
     ● Detailed installation instructions http://bit.ly/1uuk2BS
  18. Part 2: Two-step verification (two-factor authentication)
  19. Standard authentication flow. Flowchart: the user requests content requiring authentication. Is the user authenticated? Yes: the user gets the content requested. No: the user provides credentials (login page). Are the credentials correct? Yes: authenticate the user and serve the content. No: the user is not authenticated.
  20. Standard authentication factors
     ● Knowledge factor ("something only the user knows"): a password or a PIN.
     ● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
     ● Inherence factor ("something only the user is"): fingerprint or voiceprint.
  21. Common advice on remembering many passwords
     ● Use complex passwords and have them saved in password managers.
     ● Use complex passwords, write them on paper and carry them in your wallet.
     Passwords aren't enough!
  22. Two-factor authentication
     ● Knowledge factor ("something only the user knows"): a password or a PIN.
     ● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
     ● Inherence factor ("something only the user is"): fingerprint or voiceprint.
  23. Standard authentication flow. Flowchart: the user requests content requiring authentication. Is the user authenticated? Yes: the user gets the content requested. No: the user provides credentials. Are the credentials correct? Yes: authenticate the user and serve the content. No: the user is not authenticated.
  24. Two-factor authentication flow. Flowchart: the user requests content requiring authentication. Is the user authenticated? Yes: the user gets the content requested. No: the user provides credentials. Are the credentials correct? No: the user is not authenticated. Yes: second factor: the user provides the second-factor token. Is the token correct? Yes: authenticate the user and serve the content. No: the user is not authenticated.
  25. (Common) solutions
     ● SMS authentication
     ● Google Authenticator (mobile app)
     ● Hardware token generators
  26. Google Authenticator
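The second-factor check from the flow on slide 24, using the time-based codes the Google Authenticator app produces (RFC 6238 TOTP over RFC 4226 HOTP), as an added Python example that is not part of the talk or of collective.googleauthenticator; the secret is the RFC test key, and the last-used-step bookkeeping is an assumption about where the application keeps per-user state:

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 as used by Google Authenticator: HOTP over the 30-second step.
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(text: str) -> bytes:
    # The app shares secrets as base32; tolerate spaces, lowercase and missing padding.
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_counter=None, window: int = 1, step: int = 30):
    # Returns the matched time step (store it as the user's last_counter) or
    # None. `window` allows one step of clock drift either way; steps at or
    # before last_counter are refused so a code that was already used cannot
    # be accepted a second time within its validity window.
    submitted = submitted.strip().encode("ascii", "replace")
    now = int(at_time) // step
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time compare: the check must not leak which digits matched.
        if hmac.compare_digest(hotp(secret, counter).encode(), submitted):
            return counter
    return None


# RFC 4226 / RFC 6238 test key, as the base32 string a user would scan.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

`verify_totp` is the "Is token correct?" box in the flow: a returned step means the second factor passed and should be persisted; None means the login stops there.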
  27. Hardware token generators
  28. Our use cases
     ● collective.googleauthenticator (uses the Google Authenticator app)
     ● collective.smsauthenticator (login codes sent by SMS)
  29. collective.googleauthenticator
  30. Set up two-step verification
  31. Authenticate
  32. Verify
  33. Conclusion
  34. Alternatives
     ● Risk-based authentication (based on behavioural biometrics, keystroke dynamics, etc.)
     ● Strong authentication
     ● Reliance authentication
  35. Linkodrome
     Plone
     ● collective.googleauthenticator (two-factor authentication using the Google Authenticator app) https://pypi.python.org/pypi/collective.googleauthenticator
     ● collective.smsauthenticator (two-factor authentication using login codes sent by SMS) https://pypi.python.org/pypi/collective.smsauthenticator
     Django
     ● django-two-factor-auth (two-factor authentication using Google Authenticator or login codes sent by SMS) https://pypi.python.org/pypi/django-two-factor-auth
     ● django-otp (pluggable framework for adding two-factor authentication using OTP) https://pypi.python.org/pypi/django-otp
  36. Questions?
  37. Thank you! Artur Barseghyan, Goldmund, Wyldebeast & Wunderliebe. artur.barseghyan@gmail.com https://github.com/barseghyanartur
