CAS - how to implement single sign-on in your service?

Posted on 06-Mar-2015


Transcript of CAS - how to implement single sign-on in your service?

MAREK STĘPNIOWSKI @mstepniowski

SINGLE SIGN-ON

Redmine - project management: redmine.nowoczesnapolska.org.pl

Editorial Platform: redakcja.wolnelektury.pl

Wolne Lektury: wolnelektury.pl

Wolne Podręczniki: wiki.wolnepodreczniki.pl

Blog: nowoczesnapolska.org.pl

• Kerberos

• LDAP

• Active Directory

“We don’t need no stinkin’ protocols!”

• CAS

• OpenID

• OAuth

CAS (Jasig)

redirect

Login: ________ Pass: ________

Login: marek Pass: ********

redirect (with token)

check token

yes (marek)

no

FEATURES

• Centralized - all passwords are stored in one place

• Subsequent logins can happen without user interaction

• Easy to implement

GATEWAY AUTH

(accessing public webpage)

redirect

redirect (with token)

Note: we don’t show the login form, even if the user is not logged in

check token

yes (marek)

no

If authentication was successful, serve the modified page

JAVASCRIPT AUTH

SINGLE SIGN-OFF


Sign off

SINGLE SIGN-OFF: But... it doesn’t scale!

Facebook uses delayed single sign-off:

• First cookie is long lived and keeps the user session

• Second cookie required to perform API calls is short lived and needs to be refreshed using the first cookie

• Signing off from Facebook deletes both cookies

CAS 2.0

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

Oh hai, XML!

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    <fullName>Marek Stępniowski</fullName>
    <isAdmin>yes</isAdmin>
  </cas:authenticationSuccess>
</cas:serviceResponse>

CAS 3.0

STUCK IN A LIMBO: adds attribute exchange

(most clients implement it as an extension of 2.0)
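As an added illustration, not code from the talk or from any of the clients listed below: the consumer side of the CAS flow in Python. It builds the login redirect (plain and gateway mode), builds the server-side serviceValidate URL, and parses the 2.0/3.0 serviceResponse documents shown above into a success-or-failure decision. The CAS base URL and service URL are placeholders, and attributes are read the way the CAS 3.0 slide draws them (un-namespaced children of authenticationSuccess).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used in the responses above

def login_url(cas_base, service, gateway=False):
    # Step 1 redirect. gateway=True is CAS "gateway auth": no login form is shown,
    # a ticket comes back only if the user already has an SSO session.
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return f"{cas_base}/login?{urlencode(params)}"

def validate_url(cas_base, service, ticket):
    # Fetched server-to-server over HTTPS, never through the browser. 'service'
    # must be identical to the one used at login: the ticket is bound to it.
    return f"{cas_base}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"

def parse_service_response(xml_text):
    # Turn a CAS 2.0/3.0 serviceResponse into a decision; anything that is not a
    # well-formed success fails closed. (Use defusedxml if the XML is untrusted.)
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=NS).strip()
        if not user:
            return {"ok": False, "code": "MALFORMED", "message": "missing cas:user"}
        pgtiou = success.findtext("cas:proxyGrantingTicket", namespaces=NS)
        # Attribute exchange as drawn on the CAS 3.0 slide: extra un-namespaced
        # children of authenticationSuccess (fullName, isAdmin, ...)
        attrs = {c.tag: (c.text or "").strip() for c in success
                 if not c.tag.startswith("{" + NS["cas"] + "}")}
        return {"ok": True, "user": user, "attributes": attrs,
                "pgtiou": pgtiou.strip() if pgtiou else None}
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    return {"ok": False, "code": "MALFORMED", "message": "no success/failure element"}

# Sample responses taken from the slides (CAS 3.0 success, CAS 2.0 failure)
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>marek</cas:user>
  <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
  <fullName>Marek Stępniowski</fullName><isAdmin>yes</isAdmin>
  </cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
  Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure></cas:serviceResponse>"""
```

A real client fetches validate_url() with a TLS-verifying HTTP client and only then creates its own session for the returned user.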

• Django

https://github.com/zuber/django-cas-provider

https://github.com/zuber/django-cas-consumer

• Python

https://wiki.jasig.org/display/CASC/Pycas

• Ruby

http://code.google.com/p/rubycas-server/

http://code.google.com/p/rubycas-client/

+many more

The simplest single sign-on solution available

OpenID: ________

OpenID: stepniowski.com

redirect

stepniowski.com

Login: ________ Pass: ________

Login: marek Pass: ********

redirect (with token)

check token

yes | no

FEATURES

Strangely similar to CAS


• Decentralized - you don’t need to store passwords at all

• Single sign-on but not single sign-in

• Hard to implement - delegation requires an HTML parser

openid.sreg

openid.ax

2.0

• Django

https://github.com/omab/django-social-auth

• Python

https://github.com/openid/python-openid

• Ruby

https://github.com/openid/ruby-openid

+many more

COMPARISON

CAS:

• Centralized

• Single sign-on and sign-in

• Easy to implement

• Attribute exchange (CAS 3.0)

• Single sign-off

• Gateway authentication

OpenID:

• Decentralized

• Only single sign-on

• Hard to implement

• openid.sreg and openid.ax

• Single sign-off

• Browser extensions

ASK FOR IT: and I will create a separate presentation

MAREK STĘPNIOWSKI @mstepniowski

http://www.setjam.com/jobs/

WE’RE HIRING!

DJANGO PIWO - Warsaw, SetJam HQ

Wednesday, August 24th

@mstepniowski @marcink ^marcinkaszynski