Building an SSO platform
Ivo Jansch - Egeniq
November 4, 2010 - Zendcon
About Egeniq
Startup
Mobile
Tech
Knowledge
Geeks
Development
About Me
@ijansch
Developer
Author
Entreprenerd
PHP
Single Sign On - Why do we need it?
We use many applications
[Diagram: "Your corporate application" and "Your other corporate application", each with its own login]
Across devices and locations
[Diagram: the same "Your corporate application" and "Your other corporate application", accessed from several devices and locations]
A quick poll
Level 0 - One Password To Rule Them All
1 password to rule them all
[Diagram: "Your corporate application" and "Your other corporate application", the user reusing the same password for both]
Level 1 - Shared Identity - Using a single authentication backend for apps
Shared Identity
[Diagram: "Your corporate application" and "Your other corporate application" both authenticating against one LDAP server]
Level 2 - OpenID - Using OpenID for external Identity Management
OpenID Flow
[Diagram: OpenID Consumer redirects the user to the OpenID Provider, which sends the user back to the OpenID Consumer]
OpenID Demo
OpenID Provider
index.php
login.php
consume.php
Protecting the secret
Delegate to OpenID provider
Consume the response
Caveats
OpenID providers hesitant to be OpenID consumers
No trust establishment between consumer and provider
Level 3 - OAuth - Using OAuth for external IDM and authorization
OAuth Flow
[Diagram: OAuth Consumer and OAuth Provider exchanging the authorization redirect and token]
Landing adjusted for OAuth
OAuth Configuration
Delegate auth to Twitter
Consuming the response
Level 4 - SAML - Creating our own Identity Provider
SAML
Security Assertion Markup Language
XML standard by OASIS
Assertions contain:
Proof of Identity
Attributes
Supports XML signatures and encryption
SAML Flow
[Diagram: Service Provider, Identity Provider and Auth Backend (LDAP, ...); the SP redirects the user to the IdP, which authenticates against the backend and returns a signed assertion]
SimpleSAMLphp
[Diagram: SimpleSAMLphp deployed on both the Service Provider side and the Identity Provider side; the IdP instance authenticates against the Auth Backend (LDAP, ...)]
IDP SimpleSAMLphp setup
IDP Auth Source Configuration
IDP Hosted Configuration
IDP Remote Configuration
IDP Virtual Host Apache Config
Testing the IDP
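The IdP configuration the setup slides above walk through (auth source, hosted IdP, remote SP), as an added example and not the slides' own config or SimpleSAMLphp's shipped defaults. It uses the SimpleSAMLphp config files as they were in the 1.x series the talk is based on; hostnames, DN pattern, key file names and SP URLs are assumptions. The three files are shown in one block, separated by "File:" comments, and each belongs in the SimpleSAMLphp directory named in its comment.

```php
<?php
// Added example, not code from the slides: a minimal SimpleSAMLphp IdP backed by LDAP.
// All hostnames, paths and file names are assumptions; adjust to your deployment.

// File: config/config.php (only the key that switches the IdP role on)
$config['enable.saml20-idp'] = true;

// File: config/authsources.php -- "IDP Auth Source Configuration":
// where the IdP actually checks the user's credentials.
$config = array(
    'admin' => array(
        'core:AdminPassword',          // password lives in config.php as 'auth.adminpassword'
    ),
    'example-ldap' => array(
        'ldap:LDAP',
        'hostname'      => 'ldap.example.org',
        'enable_tls'    => true,                        // STARTTLS: never send passwords in clear to LDAP
        'attributes'    => array('uid', 'cn', 'mail'),  // attributes released to SPs after login
        'dnpattern'     => 'uid=%username%,ou=people,dc=example,dc=org',
        'search.enable' => false,                       // bind directly with the DN pattern
    ),
);

// File: metadata/saml20-idp-hosted.php -- "IDP Hosted Configuration":
// this IdP's own identity and the key it signs assertions with.
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.example.org.pem',   // in cert/; signs every assertion
    'certificate' => 'idp.example.org.crt',   // published in the IdP metadata for SPs to pin
    'auth'        => 'example-ldap',          // the auth source defined above
);

// File: metadata/saml20-sp-remote.php -- "IDP Remote Configuration":
// the Service Providers this IdP is willing to issue assertions to. An SP that
// is not listed here gets no assertion, so this list is the IdP's trust boundary.
$metadata['https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
    'AssertionConsumerService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);
```

The AssertionConsumerService URL is the one value worth double-checking before "Testing the IDP": the IdP posts the signed assertion (the user's proof of identity) to exactly that address, so a typo or a stale entry sends identities to the wrong place.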
SP SimpleSAMLphp setup
SP Auth Source Configuration
SP Remote Configuration
Back to our landing page
Delegate auth to the IDP
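The SP side of the same setup plus the landing page that delegates login to the IdP, as an added example (not the slides' own landing page or SimpleSAMLphp's code). It uses the 1.x-era `SimpleSAML_Auth_Simple` API (`isAuthenticated()`, `getLoginURL()`, `getAttributes()`, `getLogoutURL()`); newer releases expose the same methods as `\SimpleSAML\Auth\Simple`. The install path, hostnames, attribute names and the fingerprint placeholder are assumptions.

```php
<?php
// Added example, not code from the slides: SP configuration and a landing page
// that hands authentication to the IdP. Paths, hosts and attribute names are assumptions.

// File: config/authsources.php -- "SP Auth Source Configuration":
// this SP's identity and the single IdP it delegates to.
$config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID' => null,   // null: the SP's metadata URL becomes its entityID
        'idp'      => 'https://idp.example.org/simplesaml/saml2/idp/metadata.php',
    ),
);

// File: metadata/saml20-idp-remote.php -- "SP Remote Configuration":
// where the IdP is and, more importantly, which key it signs with.
$metadata['https://idp.example.org/simplesaml/saml2/idp/metadata.php'] = array(
    'name'                => array('en' => 'Example IdP'),
    'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php',
    // SHA-1 fingerprint of the IdP signing certificate. Assertions signed by any
    // other key are rejected. Placeholder: copy the real value from the IdP metadata.
    'certFingerprint'     => 'PLACEHOLDER_IDP_CERT_FINGERPRINT',
);

// File: landing.php -- "Delegate auth to the IDP"
require_once '/var/simplesamlphp/lib/_autoload.php';   // install path is an assumption

$as = new SimpleSAML_Auth_Simple('default-sp');

if (!$as->isAuthenticated()) {
    // Not logged in yet: offer a login link. requireAuth() would instead
    // redirect to the IdP immediately and come back here afterwards.
    $loginUrl = $as->getLoginURL('/landing.php');
    echo '<a href="' . htmlspecialchars($loginUrl) . '">Log in via the IdP</a>';
    exit;
}

// Logged in: SimpleSAMLphp has already verified the assertion signature against
// the pinned fingerprint and stored the released attributes in the session.
$attributes = $as->getAttributes();   // attribute name => array of values
$uid  = isset($attributes['uid'][0])  ? $attributes['uid'][0]  : 'unknown';
$mail = isset($attributes['mail'][0]) ? $attributes['mail'][0] : '';

echo 'Welcome ' . htmlspecialchars($uid) . ' (' . htmlspecialchars($mail) . ')';
echo ' <a href="' . htmlspecialchars($as->getLogoutURL('/')) . '">Log out</a>';
```

Note that the landing page never sees a password and never calls LDAP: every security-relevant decision (credential check, signature check, which attributes are released) happens in the IdP and in the SimpleSAMLphp layer, which is the point of Level 4.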
Integrating 3rd party apps - SimpleSAMLphp is easy to integrate
WordPress plugin:
http://wordpress.org/extend/plugins/simplesamlphp-authentication/
MediaWiki plugin:
http://www.mediawiki.org/wiki/Extension:SAMLAuth
SugarCRM
Plugin: didn’t work
Problem: auth structure
Solution: hacking the source
Options:
Contact me if you need to get SugarCRM to do SSO :-)
Wait for SugarCRM 6.1, it contains a working SAML plugin (/via @smalyshev)
Google Apps
Requires Premier or Education Edition
Configure SAML endpoint => Done!
Docs:
http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
Making apps SSO ready
[Flowchart: Start -> Application asks "Logged in?" -> Yes: Show Site; No: Auth Plugin -> LoginForm -> Authenticate -> back to "Logged in?"]
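The flowchart above shows the application asking a pluggable auth layer "logged in?" and handing control to it when the answer is no. As an added example (not the slides' own code, and not SimpleSAMLphp's), here is that structure in PHP: one `AuthPlugin` interface, a local `FormAuth` that renders the LoginForm, and a `SamlAuth` that makes the "Authenticate" step a redirect to the IdP. The interface, class and attribute names, the `APP_AUTH` switch, the SimpleSAMLphp install path and the sample user table are all assumptions. `password_hash()` and `password_verify()` require PHP 5.5 or later.

```php
<?php
// Added example, not code from the slides: a minimal pluggable authentication layer
// for the "Making apps SSO ready" flow. All names here are hypothetical. The application
// never touches a password store or an IdP; it only asks "logged in?" and delegates.

interface AuthPlugin
{
    /** The "Logged in?" decision in the flowchart. */
    public function isLoggedIn();

    /** The "Authenticate" step: show a login form or redirect to an IdP. Never returns. */
    public function authenticate($returnTo);

    /** Stable user identifier the application keys its own data on. */
    public function getUserId();
}

/** Local plugin: the classic LoginForm backed by a table of password hashes. */
class FormAuth implements AuthPlugin
{
    private $users;   // username => password_hash() output (constructed sample data)

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    public function isLoggedIn()
    {
        return isset($_SESSION['form_user']);
    }

    public function authenticate($returnTo)
    {
        $user = isset($_POST['user']) && is_string($_POST['user']) ? $_POST['user'] : '';
        $pass = isset($_POST['pass']) && is_string($_POST['pass']) ? $_POST['pass'] : '';
        if ($_SERVER['REQUEST_METHOD'] === 'POST'
            && isset($this->users[$user])
            && password_verify($pass, $this->users[$user])) {
            session_regenerate_id(true);         // fresh session id after login (session fixation)
            $_SESSION['form_user'] = $user;
            header('Location: ' . $returnTo);    // $returnTo is a local path (REQUEST_URI), not user input
            exit;
        }
        // Show the LoginForm; a failed attempt gets the same form, no hint which field was wrong.
        echo '<form method="post"><input name="user"><input name="pass" type="password">'
           . '<button>Login</button></form>';
        exit;
    }

    public function getUserId()
    {
        return $_SESSION['form_user'];
    }
}

/** SSO plugin: same interface, but "Authenticate" becomes a redirect to the SAML IdP. */
class SamlAuth implements AuthPlugin
{
    private $as;

    public function __construct($authSource = 'default-sp')
    {
        require_once '/var/simplesamlphp/lib/_autoload.php';   // install path is an assumption
        $this->as = new SimpleSAML_Auth_Simple($authSource);
    }

    public function isLoggedIn()
    {
        return $this->as->isAuthenticated();
    }

    public function authenticate($returnTo)
    {
        $this->as->requireAuth(array('ReturnTo' => $returnTo));   // redirects to the IdP
        exit;
    }

    public function getUserId()
    {
        $attrs = $this->as->getAttributes();
        return $attrs['uid'][0];   // 'uid' is an assumption; use the id attribute your IdP releases
    }
}

// --- Front controller: the only place the application deals with authentication ---
session_start();
$auth = getenv('APP_AUTH') === 'saml'          // APP_AUTH is a hypothetical deployment switch
    ? new SamlAuth()
    : new FormAuth(array('alice' => password_hash('correct horse', PASSWORD_DEFAULT)));

if (!$auth->isLoggedIn()) {                    // "Logged in?" -> No
    $auth->authenticate($_SERVER['REQUEST_URI']);
}
echo 'Hello, ' . htmlspecialchars($auth->getUserId());   // "Yes" -> Show Site
```

Switching an application from local passwords to SSO is then a one-line change in the front controller, which is what "SSO ready" means in practice: the rest of the code base only ever sees `isLoggedIn()` and `getUserId()`.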
Level 5 - Federation - Dealing with multiple Identity Providers
Federation
[Diagram: a Service Provider talks to an Authentication Federation, which fronts several Identity Providers]
Confederation
[Diagram: a Service Provider talks to an Authentication Federation that fronts its own Identity Providers and also links to a second Authentication Federation with further Identity Providers]
Collaboration Infrastructures
http://www.surfnet.nl/en/Thema/coin/Pages/Default.aspx
The Future
Conclusion - What should you take away from this talk?
In your next project...
You will NOT create more userids !!
You WILL use standard protocols !!
Thank you
[email protected]
http://www.egeniq.com
@ijansch
@egeniq
Please leave feedback at: http://joind.in/2282
Credits
Pictures used in this presentation are Creative Commons Attribution licensed pictures. Here are the owners and the URLs where the originals can be found:
‘Multiple Padlock Farm Gate’ by Mike Baird - http://www.flickr.com/photos/mikebaird/2354116406/
‘Love Locks’ by James Manners - http://www.flickr.com/photos/jmanners/443421045/
‘Seguridad’ by Juan J. Martinez - http://www.flickr.com/photos/reidrac/4696900602/
‘Hotel Keys’ by Henri Bergius - http://www.flickr.com/photos/bergie/3468886680/
‘OAuth Shiny’ by Chris Messina - http://www.flickr.com/photos/factoryjoe/3343062926/
‘Take a number please’ by Andres Rueda - http://www.flickr.com/photos/andresrueda/3259487071/
’38/365 Puzzled’ by Mykl Roventine - http://www.flickr.com/photos/myklroventine/3261364899/
‘Visiting Portage’ by Jeremy Bronson - http://www.flickr.com/photos/jbrons/4444017497/
‘_dsc8037’ by Sergey Vladimirov - http://www.flickr.com/photos/vlsergey/4138735474/
Application logos and other icons have been used under the assumption that use of them in this context is considered fair use.