I did a Webinar for Zend on March 31st, 2011 about Single Sign On. In this presentation I covered openid, oauth and saml as suitable implementations for single sign on to web applications.

1. Building an SSO platform
Ivo Jansch (@ijansch) - Egeniq
March 31, 2011 - Zend Webinar
Thursday, March 31, 2011

2. About Egeniq
Startup
Mobile
Tech
Knowledge
Geeks
Development
Thursday, March 31, 2011

3. About Me
@ijansch
Developer
Author
Entreprenerd
PHP
Thursday, March 31, 2011

4. Single Sign On
Why do we need it?
Thursday, March 31, 2011

5. We use many applications
Your Your other
corporate corporate
application application
Thursday, March 31, 2011

6. Across devices and locations
Your Your other
corporate corporate
application application
Thursday, March 31, 2011

7. A quick poll
Thursday, March 31, 2011

8. Level 0 - One Password
To Rule Them All
Thursday, March 31, 2011

9. 1 password to rule them all
Your Your other
corporate corporate
application application
Thursday, March 31, 2011

10. Level 1 - Shared Identity
Using a single authentication backend for apps
Thursday, March 31, 2011

11. Shared Identity
LDAP
Server
Your Your other
corporate corporate
application application
Thursday, March 31, 2011

12. Level 2 - OpenID
Using OpenID for external Identity Management
Thursday, March 31, 2011

13. OpenID Flow
OpenID OpenID
Consumer Provider
Thursday, March 31, 2011

14. OpenID Demo
OpenID
Consumer
login.php
OpenID
Provider
consume
index.php
.php
Thursday, March 31, 2011

15. Protecting the secret
Thursday, March 31, 2011

16. Delegate to OpenID provider
Thursday, March 31, 2011

17. Consume the response
Thursday, March 31, 2011

18. Caveats
OpenID providers hesitant to be OpenID consumers
No trust establishment between consumer and
provider
Thursday, March 31, 2011

19. Level 3 - OAuth
Using OAuth for external IDM and authorization
Thursday, March 31, 2011

20. OAuth Flow
OAuth OAuth
Consumer Provider
Thursday, March 31, 2011

21. Landing adjusted for OAuth
Thursday, March 31, 2011

22. OAuth Configuration
Thursday, March 31, 2011

23. Delegate auth to Twitter
Thursday, March 31, 2011

24. Consuming the response
Thursday, March 31, 2011

25. Level 4 - SAML
Creating our own Identity Provider
Thursday, March 31, 2011

26. SAML
Security Assertion Markup Language
XML standard by OASIS
Assertions contain:
Proof of Identity
Attributes
Supports XML signatures and encryption
Thursday, March 31, 2011

27. SAML Flow Auth
Backend
(LDAP, ...)
Service Identity
Provider Provider
Thursday, March 31, 2011

28. SimpleSAMLphp Auth
Backend
(LDAP, ...)
Identity Provider
Simple
Service
SAML
Provider SimpleSAMLPHP
PHP
Thursday, March 31, 2011

29. IDP SimpleSAMLphp setup
Thursday, March 31, 2011

30. IDP Auth Source Configuration
Thursday, March 31, 2011

31. IDP Hosted Configuration
Thursday, March 31, 2011

32. IDP Remote Configuration
Thursday, March 31, 2011

33. IDP Virtual Host Apache Config
Thursday, March 31, 2011

34. Testing the IDP
Thursday, March 31, 2011

35. SP SimpleSAMLphp setup
Thursday, March 31, 2011

36. SP Auth Source Configuration
Thursday, March 31, 2011

37. SP Remote Configuration
Thursday, March 31, 2011

38. Back to our landing page
Thursday, March 31, 2011

39. Delegate auth to the IDP
Thursday, March 31, 2011

40. Integrating 3d party apps
Simplesamlphp is easy to integrate
Thursday, March 31, 2011

41. Wordpress
Plugin:
http://wordpress.org/extend/plugins/simplesamlphp-authentication/
Thursday, March 31, 2011

42. MediaWiki
Plugin:
http://www.mediawiki.org/wiki/Extension:SAMLAuth
Thursday, March 31, 2011

43. SugarCRM
Plugin: didn’t work
Problem: auth structure
Solution: hacking the source
Options:
Contact me if you need to get SugarCRM to do
SSO :-)
Wait for SugarCRM 6.1, it contains a working SAML
plugin (/via @smalyshev)
Thursday, March 31, 2011

44. Google Apps
Requires Premier or Education Edition
Configure SAML endpoint => Done!
Docs:
http://code.google.com/googleapps/domain/sso/
saml_reference_implementation.html
Thursday, March 31, 2011

45. Google Apps
Thursday, March 31, 2011

46. Making apps SSO ready
Application Auth Plugin
Start
Logged
in?
Yes No
Show Login
Authenticate
Site Form
Thursday, March 31, 2011

47. Making apps SSO ready
Application Auth Plugin
Start
Logged
in?
Yes No
Show Login
Authenticate
Site Form
Thursday, March 31, 2011

48. Making apps SSO ready
Application Auth Plugin
Start Logged
in?
Yes
No
Show Login
Site Form
Authenticate
Thursday, March 31, 2011

49. Making apps SSO ready
Application Auth Plugin
Start Logged
in?
No
Yes
Login
Form
Show Login
Site Form
Authenticate
Thursday, March 31, 2011

50. Conclusion
What should you take away from this talk?
Thursday, March 31, 2011

51. In your next project...
You will NOT create more userids !!
You WILL use standard protocols !!
Thursday, March 31, 2011

52. Thank You
ivo@egeniq.com http://www.egeniq.com
@ijansch @egeniq
Thursday, March 31, 2011

53. Credits
Pictures used in this presentation are creative commons attribution licensed pictures.
Here are the owners and the URLS where the originals can be found:
‘Multiple Padlock Farm Gate’ by Mike Baird - http://www.flickr.com/photos/mikebaird/2354116406/
‘Love Locks’ by James Manners - http://www.flickr.com/photos/jmanners/443421045/
‘Seguridad’ by Juan J. Martinez - http://www.flickr.com/photos/reidrac/4696900602/
‘Hotel Keys by Henri Bergius - http://www.flickr.com/photos/bergie/3468886680/
‘OAuth Shiny’ by Chris Messina - http://www.flickr.com/photos/factoryjoe/3343062926/
‘Take a number please’ by Andres Rueda - http://www.flickr.com/photos/andresrueda/3259487071/
’38/365 Puzzled’ by Mykl Roventine - http://www.flickr.com/photos/myklroventine/3261364899/
‘Visiting Portage’ by Jeremy Bronson - http://www.flickr.com/photos/jbrons/4444017497/
‘_dsc8037’ by Sergey Vladimirov - http://www.flickr.com/photos/vlsergey/4138735474/
Application logo’s and other icons have been used under the assumption that use of them in this context is
considered fair use.
Thursday, March 31, 2011