Published on February 21, 2014
Single Sign On (SSO) In / With Drupal, With Identity Management Services
Presented in: Silicon Valley Drupal User Group
When: Feb 19th, 2014
Disclaimer: Information and images used in this presentation are a compilation of data from multiple sources (see References). Recommendations and opinions shared in this presentation are personal to the presenter.
SSO | Drupal | IDM
What is Single Sign On?
A session or user authentication process that allows a user to enter one name and password in order to access multiple applications.
Additional definition for SSO
The process authenticates users for all the applications they have been given rights to and eliminates further login prompts when they switch applications during a particular session.
Additional definition for SSO
As applications and resources support various authentication mechanisms, SSO internally translates and stores the credentials each of those mechanisms requires, which differ from the credentials used for the initial authentication.
Two ways to think about it
• Users provide credentials only once per session, and then gain access to multiple services without having to sign in again during that session.
• Users provide the same credentials for multiple services; they might have to log in multiple times, but always using the same credentials.
The four popular configurations used for SSO
• Kerberos based
• Smart card based
• One-time password token (OTP)
• Integrated Windows Authentication
Kerberos Based SSO
(Diagram) The client enters credentials. The Authentication Server verifies the user and gets a TGT from the Ticket Granting Server; the generated TGT is sent back to the client, which stores it. The client then connects to Service Server 1, Service Server 2, ... Service Server N using the stored TGT.
Legend: AS - Authentication Server; SS - Service Server; TGS - Ticket Granting Server; TGT - Ticket Granting Ticket
SSO Scenarios
• Corporate Login to Cloud Application
• Cloud Login to Internal Application
• Corporate Login to Internal Application
• Corporate Login to Partner Application
• Using an Identity as a Service (IDaaS) Hub
Scenario 1: Corporate Login to Cloud Application
Most commonly supported SSO scenario
• A typical example of this is a user logging in with their Active Directory credentials and then using a cloud application, such as Salesforce.com, without being asked to re-authenticate.
• In this scenario, the corporation hosts the Federation Server that enables SSO with cloud applications based on standard protocols like SAML or OAuth.
• Corporate Login to Cloud Application SSO has become so ubiquitous that virtually all SaaS providers support standards-based federated SSO.
Scenario 2: Cloud Login to Internal Application
Also known as Social Media Login
• Examples of commonly used cloud logins are Facebook, Google, Windows Live, Yahoo, Twitter, and so on.
• A typical example of this is a user logging into a corporate SharePoint web site with their Facebook account.
• A familiar, consumer-friendly model like this is easy to use and decreases the support costs associated with a large consumer population.
Scenario 3: Corporate Login to Internal Application
This scenario is often required by organizations as they acquire other companies but cannot create trusts between their Active Directory domains due to legal limitations imposed by differing localities, time constraints, or other internal policies.
Best practice security architecture is to decouple authentication/authorization from within each application and to leverage centralized services for these functions. In this case, internal applications would be developed as "relying parties" that trust an internal corporate identity management system for authentication/authorization decisions.
Flow For SSO Between Multiple Drupal Sites
(Diagram) The user attempts to log in to Subsite 1, Subsite 2, ... Subsite n. Each subsite checks whether the user is logged in to the Drupal Master Site; the master site verifies the credentials against the User DB for the Master Site, and on successful login the user is logged in to the subsite.
SSO Between Drupal & Non-Drupal Sites
1. Using an Identity Management Service
2. Custom Authentication Between Sites
Identity Management for Drupal (partial list)
Module | Reference Link (Drupal specific) | Installs | Downloads | About IDM company
Janrain Engage | https://drupal.org/project/rpx | 1422 | 26416 | http://janrain.com/product/
OAuth Connector | https://drupal.org/project/oauthconnector | 5231 | 16504 |
OpenID Selector | https://drupal.org/project/openid_selector | 680 | 8311 | https://code.google.com/p/openid-selector/
OneLogin | https://drupal.org/project/onelogin | 5 | 46 | http://www.onelogin.com/product/single-sign-on/
CAS | https://drupal.org/project/cas | 7408 | 31435 |
Gigya | https://drupal.org/project/gigya | 325 | 21135 | https://platform.gigya.com/
OKTA | https://support.okta.com/entries/22230062-Okta-Drupal-module-enabling-SSO-with-Okta-for-Drupal | not available | not available | http://www.okta.com/
Custom Authentication
The custom authentication between sites can be done using:
1. External Authentication Script
2. Session Check Script
3. Ticket Generation Script
External Authentication Script
Works as follows:
1. The user attempts to log in to any of the sites configured for SSO by providing a username and password.
2. The username and password are verified against a common database (preferably the Master Drupal DB).
3. Once the script validates the user against the Master DB, the user is logged in to the requested site.
4. The script then checks the appropriate permission parameters and the user is granted access to the specific resources requested.
Session Check Script
Works as follows:
1. The user requests access to any of the resources on the connected sites.
2. The script checks whether the user is logged in to the master site.
3. If the user is logged in on the master site, the user is successfully logged in.
4. If the user is not logged in on the master site, the user is taken to the login page for the master site; once the user logs in on the master site, the script check is done again and the user is logged in on the other connected sites.
Ticket Generation Script
Works as follows:
1. The user requests access to any of the resources on the connected sites.
2. The Master DB is asked to generate a ticket for the requested access.
3. The user is validated and a session ticket is generated by the ticket generation server, which is saved as a session parameter in the user's browser.
4. The connected sites then use this ticket to verify the user's login with the ticket generation server, which checks the validity of the ticket.
5. Login requests providing valid tickets are logged in automatically by the script.
6. The generated tickets are session specific and expire after the configured time.
Drupal Module: CAS (Central Authentication System)
1. In its most simple use, CAS authenticates users and sends the user to the requested application with a ticket. The application is then responsible for authenticating the ticket (behind the scenes, with a tool like cURL) and automatically logging the user in if the ticket is valid. CAS can also proxy single sign-on.
2. URL: https://drupal.org/project/cas
3. Usage Statistics: https://drupal.org/project/usage/cas
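As an added example (not code from the presentation, nor from the Drupal CAS module), a small Python model of the ticket flow in the Ticket Generation Script slide and the CAS description above: a ticket server issues an opaque random ticket after the master DB has validated the user, each connected site validates the ticket with the server instead of ever handling the password, tickets expire after a configured lifetime, and logout on the master site revokes the ticket for every site. The names TicketServer, site_login and demo, the 300-second lifetime and the clock values are assumptions constructed for this example.

```python
import secrets
import time

class TicketServer:
    """Hypothetical ticket generation server trusted by every connected site."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket -> {"user", "issued", "sites"}

    def issue(self, user, now=None):
        """Called only after the Master DB has validated the user's credentials."""
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # 256 random bits: opaque and unguessable
        self._tickets[ticket] = {"user": user, "issued": now, "sites": set()}
        return ticket

    def validate(self, ticket, site, now=None):
        """A connected site asks whether a ticket is valid; returns the user or None."""
        now = time.time() if now is None else now
        rec = self._tickets.get(ticket)
        if rec is None:  # unknown or forged ticket
            return None
        if now - rec["issued"] > self.ttl:  # configured lifetime exceeded
            del self._tickets[ticket]
            return None
        rec["sites"].add(site)  # audit trail of which sites consumed this session
        return rec["user"]

    def revoke(self, ticket):
        """Logout on the master site invalidates the ticket for all connected sites."""
        return self._tickets.pop(ticket, None) is not None

def site_login(server, site_sessions, site_name, ticket, now=None):
    """Connected-site side: trust the server's answer, never a password."""
    user = server.validate(ticket, site_name, now)
    if user is not None:
        site_sessions[user] = ticket  # local Drupal-style session established
    return user

def demo(ttl_seconds=300):
    """Constructed walk-through: one ticket, two subsites, a forged ticket, expiry."""
    server = TicketServer(ttl_seconds)
    t0 = 1_000_000.0  # constructed clock so the expiry check is deterministic
    ticket = server.issue("alice", now=t0)
    s1, s2 = {}, {}  # per-subsite session stores
    return [site_login(server, s1, "subsite1", ticket, now=t0 + 10),           # "alice"
            site_login(server, s2, "subsite2", ticket, now=t0 + 20),           # "alice"
            site_login(server, s2, "subsite2", "forged-ticket", now=t0 + 20),  # None
            site_login(server, s1, "subsite1", ticket, now=t0 + ttl_seconds + 1)]  # None
```

Because validation is done server-side against the issuing server, a connected site that is compromised learns only a short-lived ticket, not reusable credentials, and revocation takes effect for all sites at once.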
Drupal Module: OAuth Connector
1. It makes it possible to connect and sign in a Drupal user with accounts on most third-party sites with OAuth APIs. It provides a UI for adding and editing specifications of OAuth APIs that the users should be able to connect to. It also provides exportability of those specifications. It is an implementation of the Connector module.
2. URL: https://drupal.org/project/oauthconnector
3. Usage Statistics: https://drupal.org/project/usage/oauthconnector
Drupal Module: LDAP SSO
1. The LDAP Single Sign-On module provides an administrator with the ability to configure a Drupal site to use either NTLMSSP (e.g. seamless automatic login using LDAP / Active Directory credentials passed automatically by supported and properly configured browsers) or basic digest authentication as a fallback to authenticate Drupal users. The net effect is that either automatically, or by visiting a link, a user is authenticated and logged into a Drupal site without requiring the user to manually enter credentials on suitably configured installations.
2. URL: https://drupal.org/project/ldap_sso
3. Usage Statistics: https://drupal.org/project/usage/ldap_sso
Drupal Module: Bakery SSO
1. Bakery provides a "single sign-on" feature for Drupal-based sites that are on the same second-level domain (i.e. example.com, subsite.example.com, subsite2.example.com). It could also provide support for any other website that implements the same web cookie, XML-RPC, and POST methods.
2. URL: https://drupal.org/project/bakery
3. Usage Statistics: https://drupal.org/project/usage/bakery
Drupal Module: Shibboleth Authentication
1. Provides user authentication with Shibboleth (both v1.3 and v2.0) as well as some authorization features (automatic role assignment based on Shibboleth attributes).
2. More Info: https://wiki.shibboleth.net/confluence/display/SHIB2/FlowsAndConfig
3. URL: https://drupal.org/project/shib_auth
4. Usage Statistics: https://drupal.org/project/usage/shib_auth
Drupal Module: Account Sync
1. The account_sync module allows you to synchronize Drupal user account data across multiple Drupal sites. It currently supports basic account information as well as the Drupal core profile module. It also has very basic single sign-on support. This module uses XML-RPC to transmit data between sites when updates are made, so there is no need to have your sites running on the same database, server, or subdomain.
2. URL: https://drupal.org/project/account_sync
3. Usage Statistics: https://drupal.org/project/usage/account_sync
Drupal Module: OpenID Single Sign On Relying Party
1. This module provides a simple single sign-on solution based on OpenID and native to Drupal. It is the relying-party counterpart for an OpenID-based server, related to the OpenID Single Sign On Provider module. You can set up a central provider (which ideally is another instance of Drupal) and a number of other (Drupal) websites (so-called relying parties). This way the users can log in to every single relying-party website using a centralized login provider where authentication takes place.
2. URL: https://drupal.org/project/openid_sso_relying
3. Usage Statistics: https://drupal.org/project/usage/openid_sso_relying
Drupal Module: Google Apps Authentication
Google Apps provides a single sign-on API that enables people to write applications that do user authentication against a local database and then tell Google that the user is authenticated. This module implements the API in Drupal. In other words, once properly set up, this module lets Google Apps instances authenticate against your Drupal user database.
URL: https://drupal.org/project/googleauth
Usage Statistics: https://drupal.org/project/usage/googleauth
Thank You
Presented By:
Name: Manish Harsh
Drupal.org ID: Manish
LinkedIn: www.linkedin.com/in/manishharsh/
Twitter Handle: @manishharsh
References:
• http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
• http://www.authenticationworld.com/Single-Sign-On-Authentication/101ThingsToKnowAboutSingleSignOn.pdf
• http://en.wikipedia.org/wiki/Single_sign-on
• https://groups.drupal.org/node/182004
• http://drupal.stackexchange.com/questions/1758/how-drupal-org-single-sign-on-works
• http://mauriziostorani.wordpress.com/2008/07/21/single-sign-on-sso-concepts-methods-and-frameworks/
• http://scn.sap.com/thread/733802