The document presents a discussion by Ivo Jansch on building a Single Sign-On (SSO) platform, covering different levels of identity management protocols such as LDAP, OpenID, OAuth, SAML, and federation management. It emphasizes the importance of not creating more user IDs and utilizing standard protocols for authentication in future projects. Additionally, it provides references and resources for integrating SSO with various applications.

1. Building an SSO platform
Ivo Jansch - Egeniq
November 4, 2010 - Zendcon

2. About Egeniq
Startup
Mobile
Tech
Knowledge
Geeks
Development

3. About Me
@ijansch
Developer
Author
Entreprenerd
PHP

4. Single Sign On
Why do we need it?

5. We use many applications
Your other
corporate
application
Your
corporate
application

6. Across devices and locations
Your other
corporate
application
Your
corporate
application

7. A quick poll

8. Level 0 - One Password
To Rule Them All

9. 1 password to rule them all
Your other
corporate
application
Your
corporate
application

10. Level 1 - Shared Identity
Using a single authentication backend for apps

11. Shared Identity
Your other
corporate
application
Your
corporate
application
LDAP
Server

12. Level 2 - OpenID
Using OpenID for external Identity Management

13. OpenID Flow
OpenID
Consumer
OpenID
Provider

14. OpenID
Consumer
OpenID Demo
OpenID
Provider
index.php
login.php
consume
.php

15. Protecting the secret

16. Delegate to OpenID provider

17. Consume the response

18. Caveats
OpenID providers hesitant to be OpenID consumers
No trust establishment between consumer and
provider

19. Level 3 - OAuth
Using OAuth for external IDM and authorization

20. OAuth Flow
OAuth
Consumer
OAuth
Provider

21. Landing adjusted for OAuth

22. OAuth Configuration

23. Delegate auth to Twitter

24. Consuming the response

25. Level 4 - SAML
Creating our own Identity Provider

26. SAML
Security Assertion Markup Language
XML standard by OASIS
Assertions contain:
Proof of Identity
Attributes
Supports XML signatures and encryption

27. SAML Flow
Service
Provider
Identity
Provider
Auth
Backend
(LDAP, ...)

28. SimpleSAMLphp
Service
Provider
Identity Provider
SimpleSAMLPHP
Simple
SAML
PHP
Auth
Backend
(LDAP, ...)

29. IDP SimpleSAMLphp setup

30. IDP Auth Source Configuration

31. IDP Hosted Configuration

32. IDP Remote Configuration

33. IDP Virtual Host Apache Config

34. Testing the IDP

35. SP SimpleSAMLphp setup

36. SP Auth Source Configuration

37. SP Remote Configuration

38. Back to our landing page

39. Delegate auth to the IDP

40. Integrating 3d party apps
Simplesamlphp is easy to integrate

41. Wordpress
Plugin:
http://wordpress.org/extend/plugins/simplesamlphp-authentication/

42. MediaWiki
Plugin:
http://www.mediawiki.org/wiki/Extension:SAMLAuth

43. SugarCRM
Plugin: didn’t work
Problem: auth structure
Solution: hacking the source
Options:
Contact me if you need to get SugarCRM to do
SSO :-)
Wait for SugarCRM 6.1, it contains a working SAML
plugin (/via @smalyshev)

44. Google Apps
Requires Premier or Education Edition
Configure SAML endpoint => Done!
Docs:
http://code.google.com/googleapps/domain/sso/
saml_reference_implementation.html

45. Google Apps

46. Making apps SSO ready
Application
Logged
in?
Auth Plugin
Yes
Show
Site
Login
Form
Authenticate
Start
No

47. Making apps SSO ready
Application
Logged
in?
Auth Plugin
Yes
Show
Site
Login
Form
Authenticate
Start
No

48. Making apps SSO ready
Application
Logged
in?
Auth Plugin
Yes
Show
Site
Login
Form
Authenticate
Start
No

49. Making apps SSO ready
Application
Logged
in?
Auth Plugin
Authenticate
Start
No
Login
Form
Show
Site
Login
Form
Yes

50. Level 5 - Federation
Dealing with multiple Identity Providers

51. Federation
Service
Provider
Authentication
Federation
Identity
Provider
Identity
Provider

52. Confederation
Service
Provider
Authentication
Federation
Identity
Provider
Identity
Provider
Authentication
Federation
Identity
Provider

53. Collaboration Infrastructures
http://www.surfnet.nl/en/Thema/coin/Pages/Default.aspx

54. The Future

55. The Future

56. Conclusion
What should you take away from this talk?

57. In your next project...
You will NOT create more userids !!
You WILL use standard protocols !!

58. Thank You
ivo@egeniq.com http://www.egeniq.com
@ijansch @egeniq
Please leave feedback at: http://joind.in/2282

59. Credits
Pictures used in this presentation are creative commons attribution licensed pictures.
Here are the owners and the URLS where the originals can be found:
‘Multiple Padlock Farm Gate’ by Mike Baird - http://www.flickr.com/photos/mikebaird/2354116406/
‘Love Locks’ by James Manners - http://www.flickr.com/photos/jmanners/443421045/
‘Seguridad’ by Juan J. Martinez - http://www.flickr.com/photos/reidrac/4696900602/
‘Hotel Keys by Henri Bergius - http://www.flickr.com/photos/bergie/3468886680/
‘OAuth Shiny’ by Chris Messina - http://www.flickr.com/photos/factoryjoe/3343062926/
‘Take a number please’ by Andres Rueda - http://www.flickr.com/photos/andresrueda/3259487071/
’38/365 Puzzled’ by Mykl Roventine - http://www.flickr.com/photos/myklroventine/3261364899/
‘Visiting Portage’ by Jeremy Bronson - http://www.flickr.com/photos/jbrons/4444017497/
‘_dsc8037’ by Sergey Vladimirov - http://www.flickr.com/photos/vlsergey/4138735474/
Application logo’s and other icons have been used under the assumption that use of them in this context is
considered fair use.