Extending drupal authentication


Published on

Slides from Sacramento Drupal camp presentation

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • 30/60 me
  • As of Drupal 7 we now can use PDO and with DBTNG we are now database neutral. Bigger issue is on the right where they are discussing authentication type. And that is the subject of this d
  • Extending drupal authentication

    1. 1. Charles Russell CTSCUC Davis Medical Center Bennubird Media SacProNet
    2. 2. http://web-cms.findthebest.com/compare/2-42/Drupal-vs-Liferay-Portal
    3. 3. • Multi Layered Security System • Account/Role based • SQL table based and internal into the system • OpenID (optional)Great for a stand alone site, but what if • You have to integrate with legacy systems • You have to tie this site to other service providers not using Drupal. • You have to coordinate with other organizations
    4. 4. • Directory Based • May be some type of SQL based system • LDAP (Lightweight Directory Access Protocol)• Central Single Sign On • Kerberose • CAS (Central Access System)• Federated System • OpenID • SAML (Security Assertion Markup Language) • XACML ( eXtensible Access Control Markup Language) • Shibboleth • Oauth
    5. 5. • Identity Providers (IP) • Verify and provide credentials• Service Providers (SP) • Provide the requested services if user authenticatesIn a Drupal only site Drupal is both IP and SP
    6. 6. • Drupal requires accounts• Drupal needs three pieces of information to establish an account. • User name • Password • Email• Direct Login is possible and plans should be made to handle the case that the IP no longer certifies the user.
    7. 7. There are many SQL implementations are custom so lookup is going resist generic a generic solutionLDAP is a standard and fortunately is the most commonimplementation of directory.A good argument could be made that Drupal’s nativeauthentication is of this type
    8. 8. Directory System Agent is contacted by a client whichsends a response back to the client.• Requests and Responses are sent in plain text• Every entry has a unique Identifier DN and a set of attributes.
    9. 9. http://drupal.org/project/ldapDrupal 6 use LDAP Integration Module not LDAP Module
    10. 10. Allows users throughout an organization use a singlepassword to access all of the resources of thatorganization.• Passwords are not shared with the application• Communication between client and server are encrypted and prevents eves dropping and replay attacks• Kerberos and CAS Protocols are the most common implementation.
    11. 11. Developed at MIT as part of Project Athena which was a project a campuswide computing environment
    12. 12. http://drupal.org/project/kerberos_authentication
    13. 13. Developed at Yale University. Currently maintained by JavaArchitectures Special Interest Group.
    14. 14. http://drupal.org/project/cas
    15. 15. Allows access to users of the system outside of their localenvironment, sending identity information to the applicationor site that has already been verified by the IPAllows you to send users to external resources and allowsexternal resources to in a secure way to use your site..There is a long list of federated protocols some of the morepopular open source solutions are OpenID, OAuth, SAML, andShibboleth.
    16. 16. • Developed in 2005 Originally Called YADIS• Comes with Drupal Out of the box• Because Drupal requires user and password Open id must be assigned to Drupal user• Email still required so legitimacy can be established• Documentation at http://Drupal.org/documentation/modules/openid
    17. 17. • Grew out of Open ID• Commercial use very common• Allows sharing of private information with giving out credentials
    18. 18. http://drupal.org/project/oauth
    19. 19. • Shibboleth is an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.• Very common in education and government• Shibboleth home page http://shibboleth.net
    20. 20. http://drupal.org/project/shib_auth
    21. 21. Organization for the Advancement of Structured Information Standards
    22. 22. • XML Based mark up language to assert Identity • Usually assertion sent as web service in soap wrapper<saml:Assertion Version="2.0" IssueInstant="2009-02-04T23:08:00.173Z" ID="el-hJZpkAd5XlBywvK_LxieTaC."> <saml:Issuer>IDFED_E2E_IDP_SP_APP</saml:Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#el-hJZpkAd5XlBywvK_LxieTaC."> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>A7IVn/YqCJW6ZQT9/PqFBdZzhuY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> ……….</saml:Assertion >