single sign on in ruby - enterprise ready!

Post on 26-Jun-2015


Single Sign On

Enterprizzzey ready!

Nikos Dimitrakopoulos | @nikosd

Single Sign On (really)

● Centralized (almost) authentication
● Login once - be logged-in in multiple services
● More than just "no password required"
● Single Log Out
● Actual "authenticator" can be an outsider (Facebook, Twitter, or whatever...)

shamelessly stolen from http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/

Additional specs

● KISS (reaaaaally simple)
● DRY
● Modular
● Extensible
● Ruby!

Components

● Standard
● Ruby implementation for standard
● An actual *abstract* server

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML
● Custom

OpenID

● Decentralization of authentication
● Not about Single Sign On

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML
● Custom

OAuth

● Authorization
● NOT authentication

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML
● Custom

CAS

● Not bad...
● With a lot of free implementations :
  ○ RubyCAS-Server
  ○ Jasig CAS (Java)
  ○ ...

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML
● Custom

Shibboleth

● Actually got integrated in SAML 2.0...

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML 2.0
● Custom

SAML (2.0)

● Complex
● XML based
● (Unhappy face here...)

SAML (2.0)

● Complex
● XML based
● (Unhappy face here...)

But :

● Really the only de-facto standard
● Implemented / supported by :
  ○ Google
  ○ Microsoft
  ○ Oracle
  ○ ...

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML 2.0
● Custom

Custom

● http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/

● http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/

No thanks...

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML 2.0
● Custom

CAS vs SAML 2.0

● Let's go for the interoperability....
● And yes, I suck at XML

Standards

● OpenID
● OAuth
● CAS
● Shibboleth
● SAML 2.0
● Custom

RSAML

● Wrapper library around SAML 2.0
● Pure ruby
● Most of the functionality required
● Untouched for 2 years
● Now maintained at github.com:rsaml/rsaml
● Missing some functionality...

Server (codename "russo")

● The actual "server" thing
● WIP (unreleased code yet)

Russo

● Rails 3 engine
● Reeeeeaaally KISS
● Actually HTTP to SAML 2.0 library
● SAML 2.0 logic in RSAML
● No actual auth logic inside :
  ○ Do it on the mounted app
  ○ Use OmniAuth!!!

Russo

● Status : Core functionality should be there during this week

● Use cases : Pretty open since most of the functionality is done on the mounted app

● Learning curve : Pretty high - understanding SAML is required
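Since Russo leaves the application logic to the mounted app, that app still has to enforce the Service Provider side of a SAML 2.0 Response: tie it to the AuthnRequest it sent, honour the assertion's validity window and audience, and extract the subject. The helper below is an added illustration, not code from the deck, RSAML or Russo; it runs on a constructed sample Response with pure-Ruby REXML and assumes the XML signature (the part the deck lists as unfinished in RSAML) was verified before these checks run.

```ruby
require 'rexml/document'
require 'time'

NS = { 'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
       'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# SP-side checks on a SAML 2.0 Response (hypothetical helper, not Russo/RSAML code).
# Assumes the XML signature was verified beforehand; this enforces the assertion's
# Conditions and ties the Response to the AuthnRequest this SP issued.
def validate_saml_response(xml, audience:, request_id:, now: Time.now.utc)
  errors = []
  resp = REXML::Document.new(xml).root
  unless resp && resp.name == 'Response' && resp.namespace == NS['samlp']
    return { ok: false, errors: ['root is not samlp:Response'], name_id: nil }
  end
  # Must answer the request we sent: rejects unsolicited or replayed responses.
  errors << 'InResponseTo mismatch' unless resp.attributes['InResponseTo'] == request_id
  assertion = REXML::XPath.first(resp, 'saml:Assertion', NS)
  return { ok: false, errors: errors << 'no saml:Assertion', name_id: nil } unless assertion
  cond = REXML::XPath.first(assertion, 'saml:Conditions', NS)
  if cond.nil?
    errors << 'missing saml:Conditions'
  else
    nb, noa = cond.attributes['NotBefore'], cond.attributes['NotOnOrAfter']
    errors << 'not yet valid (NotBefore)' if nb && now < Time.iso8601(nb)
    errors << 'expired (NotOnOrAfter)' if noa.nil? || now >= Time.iso8601(noa)
    # Audience restriction: an assertion minted for another SP must not log in here.
    auds = REXML::XPath.match(cond, 'saml:AudienceRestriction/saml:Audience', NS).map(&:text)
    errors << 'audience does not name this SP' unless auds.include?(audience)
  end
  name_id = REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS)&.text
  errors << 'missing NameID' if name_id.nil?
  { ok: errors.empty?, errors: errors, name_id: name_id }
end

# Constructed sample Response (not from a real IdP) used to exercise the checks.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
      InResponseTo="_req42" IssueInstant="2015-06-26T10:00:00Z">
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-26T10:00:00Z">
      <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2015-06-26T09:59:00Z" NotOnOrAfter="2015-06-26T10:05:00Z">
        <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  </samlp:Response>
XML
```

Calling `validate_saml_response(SAMPLE_RESPONSE, audience: 'https://sp.example/metadata', request_id: '_req42', now: Time.utc(2015, 6, 26, 10, 1))` accepts the sample; shifting `now` past 10:05, changing the audience, or passing a different request id each yields a rejection with the matching error.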

Why this presentation???

Please help!!! :)

● Finish up RSAML
  ○ XML Signing
  ○ Unimplemented features
● Complete Russo
  ○ Single Log Out
  ○ Support for other use cases
  ○ Documentation
