SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Modern authentication techniques in Python web applications
Artur Barseghyan
Goldmund, Wyldebeast & Wunderliebe
http://www.goldmund-wyldebeast-wunderliebe.nl/
artur.barseghyan@gmail.com
https://github.com/barseghyanartur
Part 1
Single Sign-on using Central Authentication Service
A single framework/application
(Diagram) Components: user base, framework/application, authentication system, and other important parts not related to this talk.
Typical framework/application authentication flow
(Flowchart) User requests content requiring authentication → Is user authenticated? → if not, authenticate user: user provides credentials (login page) → Are credentials correct? → if so, user gets the content requested.
Multiple web frameworks/applications
(Diagram) Framework/application 1 with user base 1 and authentication system 1; framework/application 2 with user base 2 and authentication system 2; ... framework/application N with user base N and authentication system N, each with its own other important parts not related to this talk, plus a web portal (e.g. DMS, intranet, wiki, etc.).
Without Single Sign-on...
● Use a single framework/application and write lots of
apps OR
● Use multiple frameworks/applications and:
○ Hack their authentication systems OR
○ Expect users to log in to each of them OR
○ Make them communicate via a custom-built API
● More (bad) ideas?
With Single Sign-on...
● User logs in once and gains access to all systems
without being prompted to log in again.
(JaSig) CAS
Enterprise Single Sign-on solution
● Open source
● Well documented
● Scalable
● Modular and highly pluggable (MySQL,
PostgreSQL, Oracle, LDAP, SPNEGO,
RADIUS, etc.)
● Lots of ready-to-use clients and plugins
(JaSig) CAS
CAS involves at least three parties:
● A client web browser
● Web application requesting authentication
● The CAS server
It may also optionally involve:
● Back-end service, such as a database server
CAS authentication flow
CAS authentication schema
(Flowchart, split between the CAS client (web application) and the CAS server)
CAS client side: user requests content which requires authentication → Is user authenticated into app? → if not, authenticate user (CAS) by redirecting to the CAS server.
CAS server side: Is user authenticated into CAS? → if not, authenticate user (locally): user is asked to provide credentials (login page) → Are credentials correct? → if so, create SSO token and redirect back to the application → user gets the content requested.
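The client side of the exchange above (redirect to CAS, get a service ticket back, validate it server-to-server so the application never handles the password), as an added Python example that is not code from the talk or from the django-cas-consumer/anz.casclient packages. The CAS and service URLs, the user name and the ticket are constructed, and the CAS server is replaced by an in-process stand-in that answers /serviceValidate in the CAS 2.0 XML format.

```python
"""Minimal CAS 2.0 ticket-validation flow, run offline against a
constructed stand-in for the CAS server.

Added example; not code from the talk, django-cas-consumer or anz.casclient.
The server/service URLs, the user name and the ticket value are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses
CAS_BASE = "https://cas.example.org/cas"          # constructed
SERVICE = "https://dashboard.example.org/login/"  # constructed: the app's callback


def login_redirect_url(cas_base, service):
    """Client step 1: no local session, so send the browser to CAS login
    carrying the application's own URL as `service`."""
    return f"{cas_base}/login?{urlencode({'service': service})}"


def ticket_from_callback(callback_url):
    """Client step 2: CAS redirects the browser back to `service` with a
    single-use service ticket (ST-...) in the query string."""
    return parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]


def service_validate_url(cas_base, service, ticket):
    """Client step 3: the application validates the ticket server-to-server.
    It never sees the user's password; only the CAS server does."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base}/serviceValidate?{query}"


def parse_validation_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response.
    Returns (username, None) on success or (None, failure_code) on failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return ok.findtext("cas:user", namespaces=CAS_NS), None
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return None, fail.get("code", "UNKNOWN")
    raise ValueError("not a CAS serviceResponse")


SUCCESS_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>{user}</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
FAILURE_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='{code}'>{msg}</cas:authenticationFailure>"
    "</cas:serviceResponse>"
)


class FakeCasServer:
    """Constructed stand-in for the CAS server's /serviceValidate endpoint.
    It remembers the tickets it issued, each bound to one service URL."""

    def __init__(self):
        self.issued = {"ST-1234-constructed": ("alice", SERVICE)}  # constructed

    def service_validate(self, validate_url):
        q = parse_qs(urlparse(validate_url).query)
        ticket = q.get("ticket", [""])[0]
        service = q.get("service", [""])[0]
        entry = self.issued.pop(ticket, None)  # a ticket validates at most once
        if entry is None:
            return FAILURE_XML.format(code="INVALID_TICKET", msg="ticket not recognized")
        user, bound_service = entry
        if bound_service != service:
            return FAILURE_XML.format(code="INVALID_SERVICE",
                                      msg="ticket issued for another service")
        return SUCCESS_XML.format(user=user)


def sso_login(cas, callback_url, service=SERVICE):
    """What the CAS client does when the browser comes back from CAS:
    take the ticket off the callback URL, validate it with the server and
    return the authenticated username, or None if CAS rejects the ticket."""
    ticket = ticket_from_callback(callback_url)
    if not ticket:
        return None
    xml_text = cas.service_validate(service_validate_url(CAS_BASE, service, ticket))
    user, _code = parse_validation_response(xml_text)
    return user
```

A real client would fetch the validation URL over HTTPS (for example with urllib) instead of calling the stand-in; everything else stays the same.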
Pros of CAS
Pros
● Centralised authentication for all frameworks/applications.
● Actively maintained and developed. Large community.
● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, Active
Directory, LDAP, SPNEGO, RADIUS, etc.).
● Lots of ready-to-use packages for many frameworks/applications.
● Fewer passwords to retype, remember and recover.
● More of your own code is reusable.
● Happier end-users.
● REST API.
Cons of CAS
Cons
● SSO availability becomes critical: if the CAS server is down, users cannot log in to any of the connected applications.
● SSO security becomes critical: a compromised CAS server affects every connected application.
Our use case
(Diagram) Server A: dashboard app (Django). Server B: DMS (Plone). Server C: CAS server. Server D: user base (Active Directory). Server X: more to come. Also shown: VPN.
Technologies: Apache, Tomcat, Debian, Java, CAS, OpenVPN, AJP, Python, Django, Plone.
Conclusion
CAS alternatives
JOSSO http://www.josso.org
OpenAM (formerly known as OpenSSO) http://openam.forgerock.org
Pubcookie http://www.pubcookie.org
CoSign http://weblogin.org
Linkodrome
Software packages
JaSig CAS http://www.jasig.org/cas
Django CAS client https://github.com/Goldmund-Wyldebeast-Wunderliebe/django-cas-consumer
Plone CAS client https://github.com/collective/anz.casclient
Detailed installation instructions http://bit.ly/1uuk2BS
Part 2
Two-step verification (two-factor authentication)
Standard authentication flow
(Flowchart) User requests content requiring authentication → Is user authenticated? → if not, authenticate user: user provides credentials (login page) → Are credentials correct? → if so, user gets the content requested.
Standard authentication factors
● Knowledge factor ("something only the user knows"): a password or a PIN.
● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
● Inherence factor ("something only the user is"): fingerprint or voiceprint.
Common advice on remembering many passwords
● Use complex passwords and have them saved in a password manager.
● Use complex passwords, write them on paper and carry them in your wallet.
Passwords aren't enough!
Two-factor authentication (combines two of the standard factors)
● Knowledge factor ("something only the user knows"): a password or a PIN.
● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
● Inherence factor ("something only the user is"): fingerprint or voiceprint.
Standard authentication flow
(Flowchart, shown again for comparison) User requests content requiring authentication → Is user authenticated? → if not, authenticate user: user provides credentials → Are credentials correct? → if so, user gets the content requested.
Two-factor authentication flow
(Flowchart) User requests content requiring authentication → Is user authenticated? → if not, authenticate user: user provides credentials → Are credentials correct? → if so, second factor: user provides second factor token → Is token correct? → if so, user gets the content requested.
(Common) solutions
● SMS authentication
● Google Authenticator (mobile app)
● Hardware token generators
Google Authenticator
Hardware token generators
Our use cases
● collective.googleauthenticator (uses Google
Authenticator app)
● collective.smsauthenticator (login codes sent by SMS)
collective.googleauthenticator (screenshots): setup two-step verification, authenticate, verify.
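The "Is token correct?" step of the two-factor flow, for codes produced by the Google Authenticator app, as an added Python example that is not code from the talk or from collective.googleauthenticator: server-side TOTP (RFC 6238, SHA-1, 6 digits, 30-second steps) with a one-step clock-skew window and single-use enforcement, so a code that was already accepted is rejected if presented again. The secret is the RFC 6238 test key, so the codes match the RFC's published vectors.

```python
"""Verify a Google Authenticator (TOTP, RFC 6238) code as the second factor.

Added example; not code from the talk or from collective.googleauthenticator.
The base32 secret is the RFC 6238 test key ("12345678901234567890"), so the
expected codes are the RFC's published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by Google Authenticator
DIGITS = 6          # code length shown in the app
# RFC 6238 test secret, base32-encoded as it would be in the enrollment QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the phone computes; the server computes the same value."""
    return hotp(base64.b32decode(secret_b32), at // step)


class SecondFactorVerifier:
    """Server-side check for the 'Is token correct?' step of the 2FA flow.

    window: how many steps of clock skew to tolerate on either side of now.
    A step that has already been accepted is never accepted again, so an
    intercepted code cannot be replayed within the skew window."""

    def __init__(self, secret_b32, window=1):
        self.secret = base64.b32decode(secret_b32)
        self.window = window
        self.last_accepted_step = -1  # highest step already consumed

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # replay, or older than a code already used
            # constant-time comparison: do not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False
```

In a real deployment the per-user secret and last_accepted_step live in the user store, and the window should be kept small (one step) and combined with rate limiting on failed attempts.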
Conclusion
Alternatives
● Risk-based authentication (based on behavioral
biometrics, keystroke dynamics, etc.)
● Strong authentication
● Reliance authentication
Linkodrome
Plone
● collective.googleauthenticator (two-factor authentication using Google Authenticator app)
https://pypi.python.org/pypi/collective.googleauthenticator
● collective.smsauthenticator (two-factor authentication using login codes sent by SMS)
https://pypi.python.org/pypi/collective.smsauthenticator
Django
● django-two-factor-auth (two-factor authentication using Google Authenticator or login codes sent by SMS)
https://pypi.python.org/pypi/django-two-factor-auth
● django-otp (pluggable framework for adding two-factor authentication using OTP.)
https://pypi.python.org/pypi/django-otp
Questions?
Thank you!
Artur Barseghyan
Goldmund, Wyldebeast & Wunderliebe
artur.barseghyan@gmail.com
https://github.com/barseghyanartur