Java – Simple SSO – using custom authentication – CAS or some Oauth or openid server


I'd like to know more about the different ways of solving Single Sign-On and their pros and cons. Have you worked with one particular solution, tell me what's good about it and tell me what the limitations or suboptimal parts are.

Below are the details of what I'd like to know, or don't understand.

SSO is a huge topic, as listed in the wikipedia. The more I learn the more questions I have.

First of all, I don't understand the need for token verifications of CAS, what is it good for?

Is it more secure? I guess it's vulnerable to man-in-the-middle attack like any. Should clients also use SSL?

Let's get real, this is our need: Automatically recognize/sign-in user if already logged in at one of our apps.

  • my-php-app.com
  • my-java-app.com
  • my-ruby-app.com

(we have many webapps, written in different languages)

We want (to keep) our own authentication rules and users store, but might add some OAuth2 provider, as Facebook Connect. We want it dead simple for the users and simple for developers using it.

What would you do?

  • CAS?
  • OpenID? Can I have centralized authentication with it?
  • Other? Or a server with OAuth?

On the client side, would you use an iframe, like lightbox, to show the redirected page? Why/Why not?


Yet another SSO related question: SAML is often (wrongly?) mixed into the SSO discussions – do I understand if I say that

a SAML implementation would not provide SSO (autologin) when pointing the browser to www.yetanother-myapp.com?


Some related SO questions I've studied:

Thanks for educating me!

Best Answer

OAuth is designed to authenticate applications to let them act in the name of a user. For example a Twitter client may post tweets with the account of a user. It can be used for single sign on as Facebook shows, but this requires a bit of additional work.

Comparing CAS and OpenID

CAS is a centralized system with one account authority. OpenID is a distributed system where basically anyone can set up an identity provider. Of course you can limit your consumer to only accept your own identity provider.

OpenID has two (incompatible) standards to provide additional attributes about the account, which are supported more or less by the common libraries. In the standard setup CAS only provides the username. While CAS does support attribute exchange in theory, at the moment only the PHP client supports it.

Both OpenID and CAS can do automatic login. If the user is already logged in, the browser will be redirected back to your application immediately. In a simple setup the identity provider, however, will display a login page if the user is not logged in. So if you want to allow anonymous access to your site, this will require people to click a dedicated login link.

Luckily both OpenID and CAS allow a transparent login attempt. In this mode, the login form is not shown. The browser is redirected back immediately with or without authentication information. In other words: You can redirect all new users (without a session) to the identity provider as soon as they visit your site. There is a nice diagram explaining this in detail. CAS calls it "gateway mode" and it is achieved by appending gateway=true to the login URL. In OpenID it is called "immediate mode" and the URL parameter is openid.mode=checkid_immediate.

CAS supports single sign out. OpenID does not.

My personal experience is that CAS is very easy to set up and very reliable with high quality libraries for all common programming languages. OpenID has many tiny incompatibilities as it is a much more complex system. OpenID, however, allows the usage of Google accounts.

Answers

First of all, I don't understand the need for token verifications of CAS, what is it good for?

Both OpenID and CAS require you to let the identity provider verify the provided token. Otherwise an attacker may be able to create his own token or use a token that was created by a user before he logged out.

Should clients also use ssl?

Yes.

On the client side, would you use an iframe, like lightbox, to show the redirected page? Why/Why not?

A full screen redirect is the simplest thing to do. I would start with that to get it working. Many applications require a reload of the current page after login anyway in order to show parts that are only visible to logged in users.

An iframe has the issue that you need to get rid of it once the login was completed. For CAS there is a tutorial on how to directly embed the CAS login form into the HTML code of the application. Another alternative is to show a pop-up window like Facebook Connect does.
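The two points the answer makes about CAS, gateway mode for a silent login attempt and mandatory server-side ticket validation, as an added example that is not from the thread or from any CAS library: it builds the gateway login URL, extracts the service ticket CAS appends on redirect, and accepts a user only after the application itself calls serviceValidate over HTTPS. The CAS server URL, the service URL and the sample XML responses are constructed; `fetch` stands in for the application's HTTPS client.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 validation responses

def build_login_url(cas_base, service, gateway=False):
    """Login URL; gateway=true asks CAS to bounce back silently if nobody is logged in."""
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return f"{cas_base}/login?{urlencode(params)}"

def build_validate_url(cas_base, service, ticket):
    """Server-to-server URL the app calls; the ticket alone is never trusted."""
    return f"{cas_base}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"

def extract_ticket(redirected_url):
    """Pull the ST- service ticket CAS appends when it sends the browser back."""
    ticket = parse_qs(urlparse(redirected_url).query).get("ticket", [None])[0]
    return ticket if ticket and ticket.startswith("ST-") else None

def parse_validate_response(xml_text):
    """Return the username on authenticationSuccess, None on authenticationFailure."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{CAS_NS}authenticationSuccess")
    user = success.find(f"{CAS_NS}user") if success is not None else None
    return user.text.strip() if user is not None and user.text else None

def complete_login(cas_base, service, redirected_url, fetch):
    """Finish the round trip. No ticket after a gateway bounce means 'anonymous';
    otherwise validate the ticket with CAS over HTTPS (fetch(url) -> response body)."""
    if urlparse(cas_base).scheme != "https":
        raise ValueError("CAS server URL must use https")
    ticket = extract_ticket(redirected_url)
    if ticket is None:
        return None
    return parse_validate_response(fetch(build_validate_url(cas_base, service, ticket)))

# Constructed sample responses in the CAS 2.0 XML format (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    fake_fetch = lambda url: SUCCESS_XML if "ticket=ST-1" in url else FAILURE_XML  # stands in for HTTPS GET
    print(build_login_url("https://cas.example.com/cas", "https://my-java-app.com/", gateway=True))
    print(complete_login("https://cas.example.com/cas", "https://my-java-app.com/", "https://my-java-app.com/?ticket=ST-1", fake_fetch))
```

A redirect that comes back without a ticket is the gateway-mode "not logged in" case, so the app keeps serving the anonymous page instead of showing a login form.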
