CAS - How to implement Single Sign-On in your service?


MAREK STĘPNIOWSKI

@mstepniowski

SINGLE SIGN-ON

Platforma Redakcyjna
redakcja.wolnelektury.pl

Redmine - project management
redmine.nowoczesnapolska.org.pl


Wolne Lektury
wolnelektury.pl

Wolne Podręczniki
wiki.wolnepodreczniki.pl

Blog
nowoczesnapolska.org.pl

Kerberos LDAP Active Directory

We don't need no stinkin' protocols!

CAS OpenID OAuth

CAS
Jasig

redirect

Login: ________ Pass: ________

Login: marek Pass: ********

redirect (with token)

check token

yes marek

no

FEATURES

Centralized - all passwords are stored in one place
Subsequent logins can happen without user interaction
Easy to implement

GATEWAY AUTH

(accessing public webpage)

GATEWAY AUTH

redirect

GATEWAY AUTH

redirect (with token)

Note: we don't show the login form, even if the user is not logged in

GATEWAY AUTH

check token

GATEWAY AUTH

yes marek

no

GATEWAY AUTH

If authentication was successful, serve the modified page

JAVASCRIPT AUTH

SINGLE SIGN-OFF

Sign off

SINGLE SIGN-OFF
But... It doesn't scale!

Facebook uses delayed single sign-off:

First cookie is long lived and keeps the user session

Second cookie, required to perform API calls, is short lived and needs to be refreshed using the first cookie

Signing off from Facebook deletes both cookies

CAS 2.0

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>

Oh hai, XML!

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>


<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    <fullName>Marek Stępniowski</fullName>
    <isAdmin>yes</isAdmin>
  </cas:authenticationSuccess>
</cas:serviceResponse>


CAS 3.0

STUCK IN LIMBO
Adds attribute exchange (most clients implement it as an extension of CAS 2.0)
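The "check token" step on the slides ends with the service parsing exactly the serviceResponse XML shown above. As an added example (not from the slides or from any CAS library), here is a small Python parser that handles the success, failure, proxy-granting-ticket and attribute cases and fails closed on anything malformed; the sample bodies are constructed from the slides' own responses, and the code assumes the XML was already fetched from the CAS server's validation endpoint.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used in the slides' responses

def parse_cas_response(xml_text: str) -> dict:
    """Turn a CAS serviceValidate body into a dict; anything odd fails closed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "code": "PARSE_ERROR", "message": str(exc)}
    if root.tag != CAS_NS + "serviceResponse":
        return {"ok": False, "code": "BAD_ROOT", "message": root.tag}
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:  # e.g. code="INVALID_TICKET" on the slides
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    success = root.find(CAS_NS + "authenticationSuccess")
    user = success.find(CAS_NS + "user") if success is not None else None
    if user is None or not (user.text or "").strip():
        return {"ok": False, "code": "NO_USER", "message": "missing cas:user"}
    result = {"ok": True, "user": user.text.strip(), "pgt_iou": None, "attributes": {}}
    for child in success:
        local = child.tag.split("}")[-1]  # strip the namespace if there is one
        value = (child.text or "").strip()
        if local == "user":
            continue
        if local == "proxyGrantingTicket":
            result["pgt_iou"] = value  # PGT IOU; the real PGT arrives via callback
        elif local == "attributes":  # CAS 3.0 <cas:attributes> container
            for attr in child:
                result["attributes"][attr.tag.split("}")[-1]] = (attr.text or "").strip()
        else:  # bare elements such as <fullName>/<isAdmin> as on the slides
            result["attributes"][local] = value
    return result

# Sample bodies constructed from the slides (the "..." is the slide's own truncation).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>marek</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    <fullName>Marek Stępniowski</fullName>
    <isAdmin>yes</isAdmin>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

Only a response with a non-empty cas:user is treated as a login; a failure block, an unexpected root element or unparseable XML all come back as ok=False with a code the service can log.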

Django

https://github.com/zuber/django-cas-provider
https://github.com/zuber/django-cas-consumer
Python

https://wiki.jasig.org/display/CASC/Pycas
Ruby

http://code.google.com/p/rubycas-server/
http://code.google.com/p/rubycas-client/
+many more

The simplest single sign-on solution available


OpenID: ________

OpenID: stepniowski.com

stepniowski.com

redirect

stepniowski.com

Login: ________ Pass: ________

stepniowski.com

Login: marek Pass: ********

stepniowski.com redirect (with token)

stepniowski.com

check token

stepniowski.com

yes|no

stepniowski.com

FEATURES

Strangely similar to CAS

FEATURES

Decentralized - you don't need to store passwords at all
Single sign-on but not single sign-in
Hard to implement - delegation requires an HTML parser

openid.sreg

openid.ax

2.0

Django

https://github.com/omab/django-social-auth
Python

https://github.com/openid/python-openid
Ruby

https://github.com/openid/ruby-openid

+many more

COMPARISON

CAS                          | OpenID
Centralized                  | Decentralized
Single sign-on and sign-in   | Only single sign-on
Easy to implement            | Hard to implement
Attribute exchange (CAS 3.0) | openid.sreg and openid.ax
Single sign-off              | Single sign-off extensions
Gateway authentication       | Browser

ASK FOR IT
And I will create a separate presentation

MAREK STĘPNIOWSKI
@mstepniowski

WE'RE HIRING!
http://www.setjam.com/jobs/

DJANGOPIWO
Warsaw SetJam HQ Wednesday August 24th @mstepniowski @marcink ^marcinkaszynski
