CAS - jak zaimplementować single sign-on w swoim serwisie?
65
MAREK STĘPNIOWSKI @mstepniowski
-
Upload
konrad-halas -
Category
Documents
-
view
490 -
download
3
Transcript of CAS - jak zaimplementować single sign-on w swoim serwisie?
MAREK STĘPNIOWSKI@mstepniowski
SINGLE SIGN-ON
Redmine - zarządzanie projektamiredmine.nowoczesnapolska.org.pl
Platforma Redakcyjnaredakcja.wolnelektury.pl
Redmine - zarządzanie projektamiredmine.nowoczesnapolska.org.pl
Platforma Redakcyjnaredakcja.wolnelektury.pl
Wolne Lekturywolnelektury.pl
Wolne Podręcznikiwiki.wolnepodreczniki.pl
Blognowoczesnapolska.org.pl
•Kerberos
•LDAP
•Active Directory
We don’t need nostinkin’ protocols!“
•CAS
•OpenID
•OAuth
CASJasig
redirect
Login: ________ Pass: ________
Login: marek Pass: ********
redirect(with token)
check token
yesmarek
no
FEATURES
• Centralized - all passwords are stored in one place
• Subsequent logins can happen without user interaction
• Easy to implement
GATEWAY AUTH
(accessing public webpage)
GATEWAY AUTH
redirect
GATEWAY AUTH
redirect(with token)
Note We don’t show the login form, even if the user is not logged in
GATEWAY AUTH
check token
GATEWAY AUTH
yesmarek
no
GATEWAY AUTH
If authentication was succesful serve the modified page
JAVASCRIPT AUTH
SINGLE SIGN-OFF
SINGLE SIGN-OFF
Sign off
SINGLE SIGN-OFFBut... It doesn’t scale!
Facebook uses delayed single sign-off:
• First cookie is long lived and keeps the user session
• Second cookie required to perform API calls is short lived and needs to be refreshed using the first cookie
• Signing off from Facebook deletes both cookies
CAS 2.0
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> </cas:authenticationSuccess></cas:serviceResponse>
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure></cas:serviceResponse>
Oh hai, XML!
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket> </cas:authenticationSuccess></cas:serviceResponse>
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure></cas:serviceResponse>
Oh hai, XML!
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>marek</cas:user> <cas:proxyGrantingTicket> PGTIOU-84678-8a9d... </cas:proxyGrantingTicket> <fullName>Marek Stępniowski</fullName> <isAdmin>yes<isAdmin> </cas:authenticationSuccess></cas:serviceResponse>
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code="INVALID_TICKET"> Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized </cas:authenticationFailure></cas:serviceResponse>
Oh hai, XML!
CAS 3.0
STUCK IN A LIMBOAdds attribute exchange
(most clients implement it as an extension of 2.0)
• Django
https://github.com/zuber/django-cas-providerhttps://github.com/zuber/django-cas-consumer
• Python
https://wiki.jasig.org/display/CASC/Pycas
• Ruby
http://code.google.com/p/rubycas-server/http://code.google.com/p/rubycas-client/
+many more
• Django
https://github.com/zuber/django-cas-providerhttps://github.com/zuber/django-cas-consumer
• Python
https://wiki.jasig.org/display/CASC/Pycas
• Ruby
http://code.google.com/p/rubycas-server/http://code.google.com/p/rubycas-client/
+many more
The simplest single sign-on solution available
OpenID: ________
OpenID: stepniowski.com
redirect
stepniowski.com
Login: ________ Pass: ________
stepniowski.com
Login: marek Pass: ********
stepniowski.com
redirect(with token)
stepniowski.com
check token
stepniowski.com
yes|no
stepniowski.com
stepniowski.com
FEATURES
Strangely similar to CAS
FEATURES
• Decentralized - you don’t need to store passwords at all
• Single sign-on but not single sign-in
• Hard to implement - delegation requires an HTML parser
openid.sreg
openid.ax
2.0
• Django
https://github.com/omab/django-social-auth
• Python
https://github.com/openid/python-openid
• Ruby
https://github.com/openid/ruby-openid
+many more
COMPARISON
CAS OpenID
• Centralized
• Single sign-on and sign-in
• Easy to implement
• Decentralized
• Only single sign-on
• Hard to implement
• Attribute exchange (CAS 3.0)
• Single sign-off
• Gateway authentication
• openid.sreg and openid.ax
• Single sign-off
• Browser extensions
ASK FOR ITAnd I will create a separate presentation
MAREK STĘPNIOWSKI@mstepniowski
DJANGOPIWOWarsaw SetJam HQ
WednesdayAugust 24th
@mstepniowski@marcink^marcinkaszynski
