single sign on in ruby - enterprise ready!
TRANSCRIPT
Single Sign On
Enterprizzzey ready!
Nikos Dimitrakopoulos | @nikosd
Single Sign On (really)
● Centralized (almost) authentication
● Login once - be logged-in in multiple services
● More than just "no password required"
● Single Log Out
● The actual "authenticator" can be an outsider (Facebook, Twitter, or whatever...)
shamelessly stolen from http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
Additional specs
● KISS (reaaaaally simple)
● DRY
● Modular
● Extensible
● Ruby!
Components
● Standard
● Ruby implementation for the standard
● An actual *abstract* server
Standards
● OpenID
● OAuth
● CAS
● Shibboleth
● SAML
● Custom
OpenID
● Decentralization of authentication
● Not about Single Sign On
OAuth
● Authorization
● NOT authentication
CAS
● Not bad...
● With a lot of free implementations:
○ RubyCAS-Server
○ Jasig CAS (Java)
○ ...
Shibboleth
● Actually got integrated into SAML 2.0...
SAML (2.0)
● Complex
● XML based
● (Unhappy face here...)
But:
● Really the only de-facto standard
● Implemented / supported by:
○ Google
○ Microsoft
○ Oracle
○ ...
Custom
● http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
● http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/
No thanks...
CAS vs SAML 2.0
● Let's go for the interoperability...
● And yes, I suck at XML
RSAML
● Wrapper library around SAML 2.0
● Pure Ruby
● Most of the functionality required
● Untouched for 2 years
● Now maintained at github.com:rsaml/rsaml
● Missing some functionality...
Server (codename "russo")
● The actual "server" thing
● WIP (no released code yet)
Russo
● Rails 3 engine
● Reeeeeaaally KISS
● Actually an HTTP to SAML 2.0 library
● SAML 2.0 logic in RSAML
● No actual auth logic inside:
○ Do it in the mounted app
○ Use OmniAuth!!!
Russo
● Status: core functionality should be there during this week
● Use cases: pretty open, since most of the functionality is done in the mounted app
● Learning curve: pretty high - understanding SAML is required
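As an added illustration of the SAML understanding the last slide asks for (not code from the talk, nor from the rsaml or russo projects), here are the checks a service provider must apply to a SAML 2.0 Response before trusting the assertion it carries: it answers the request this SP issued, the status is Success, the validity window holds, and the audience is this SP. It uses only REXML on a constructed sample response; XML Signature verification is out of scope here and must run before these checks, since an unsigned assertion proves nothing.

```ruby
# Added example, not code from the talk or from rsaml/russo: the checks a
# SAML 2.0 service provider must apply to a <Response> before trusting it,
# using only REXML. Signature verification is deliberately out of scope and
# must run before this (an unsigned assertion proves nothing).
require "rexml/document"
require "time"

NS = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
       "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (real responses arrive base64-encoded in a POST form)
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}"
      ID="_r1" InResponseTo="_req42" IssueInstant="2012-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="#{SUCCESS}"/></samlp:Status>
    <saml:Assertion ID="_a1" IssueInstant="2012-06-01T12:00:00Z">
      <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2012-06-01T11:59:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
        <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  </samlp:Response>
XML

# Returns [:ok, name_id] or [:error, reason]; `now` is injectable for testing.
def validate_saml_response(xml, request_id:, audience:, now: Time.now.utc)
  resp = REXML::Document.new(xml).root
  return [:error, "not a samlp:Response"] unless resp && resp.name == "Response"
  # Bind the response to the AuthnRequest this SP actually issued
  return [:error, "InResponseTo mismatch"] unless resp.attributes["InResponseTo"] == request_id
  code = REXML::XPath.first(resp, "samlp:Status/samlp:StatusCode", NS)
  return [:error, "status not Success"] unless code && code.attributes["Value"] == SUCCESS
  assertion = REXML::XPath.first(resp, "saml:Assertion", NS)
  cond = assertion && REXML::XPath.first(assertion, "saml:Conditions", NS)
  return [:error, "missing Assertion/Conditions"] unless cond
  # Time window: NotBefore is optional, NotOnOrAfter is required here
  nb, noa = cond.attributes["NotBefore"], cond.attributes["NotOnOrAfter"]
  return [:error, "assertion not yet valid"] if nb && now < Time.parse(nb)
  return [:error, "assertion expired"] if noa.nil? || now >= Time.parse(noa)
  # Audience restriction: the assertion must be addressed to this SP
  audiences = REXML::XPath.match(cond, "saml:AudienceRestriction/saml:Audience", NS).map(&:text)
  return [:error, "audience mismatch"] unless audiences.include?(audience)
  name_id = REXML::XPath.first(assertion, "saml:Subject/saml:NameID", NS)
  return [:error, "no NameID"] unless name_id
  [:ok, name_id.text]
end
```

In a mounted app the `request_id` comes from the AuthnRequest id stored in the session, and the returned NameID is what you hand to your own login logic (or to OmniAuth).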
Why this presentation???
Please help!!! :)
● Finish up RSAML
○ XML Signing
○ Unimplemented features
● Complete Russo
○ Single Log Out
○ Support for other use cases
○ Documentation