The intended audience for this document is appliance and software product vendors. The background is we’d like appliance vendors to support Single Sign On mechanisms natively.
SSO? Yes, we already support LDAP and Active Directory against which to authenticate logins to our appliance.
This is shared sign on, not true single sign on. Users visiting shared sign on protected sites enter the same credentials in each site to access each facility in turn. Although this is better than having many passwords to remember, the more you convince your users it’s ok to type their credentials into multiple web interfaces, the more exposed they are to two threats
- They are more likely to eventually be successfully phished by a request for them to enter their credentials in a site.
- A single compromised site/appliance or site admin can harvest login credentials and use them elsewhere in your organisation.
Those sound like rhetorical issues. What are you proposing?
The user visits your site, your site redirects to an (external to your appliance) authentication portal, the user successfully authenticates and your site then receives the user plus a cryptographic token. If the user visits any other SSO enabled site, then that token already exists, so no login is needed, they seamlessly access the next site without any login credentials using the token.
The appliance/site never sees the user login credentials themselves and the authentication portal is always the same site.
A truly SSO site would have the user log in in the morning, and then their mail client, web browser and other applications don’t need a password entered as they all use the SSO authentication as the token.
Yeah, that sounds complicated to implement? Maybe we should talk about managing expectations…
It’s not any more complicated than your existing modules. As an appliance vendor, where you have your existing LDAP and Active Directory authentication/authorisation modules, you’d add a third, the packages for common platforms are prebuilt, there’s a little configuration, it’s not a big deal. You could use Webauth with LDAP or you could use Shibboleth.
As an example, if your product is using Apache under the hood, you could install the webauth authentication module along aside your existing authentication modules and with a minor amount of system configuration you will have $REMOTE_USER value available to your application as per normal, once the user authenticates. Then use LDAP to get group/authorisation details.
If you use the Shibboleth based SSO method, then you don’t need LDAP for group/authorisation information as the details will be appended as user attributes in the information provided to the application by the authentication module. Shibboleth is using SAML, it’s fairly straight forward if you’ve already built the ability into your product to use LDAP and Active Directory.
OK. You’re the only site that’s asked for this though so it sounds pretty site specific?
Firstly this is using technology used by multiple other universities, it’s not unique to our site, and no doubt more sites would use it if any appliance vendors supported the technologies involved (see also IPv6, which until recently took a long time for vendors to take seriously).
Secondly, to some degree feature requests are self-selecting – potential customers look up vendors products, see that they don’t support the technologies they need, and then go off to create a solution or workaround without contacting the vendor.
Our existing sites that have implemented our product don’t seem too interested
Mentally put yourself in the shoes of your customer
They have just implemented your product, it’s deployed and working. They are not likely to want to suddenly change the authorisation and authentication. For a complex environment this would typically only come about from service review and replacement. In laypersons terms – if it isn’t broken (already deployed and working), customers won’t typically attempt to fix it, especially something as fundamental as the authentication/authorisation mechanism.
None of our competitors offer this either so we don’t see that we have to match them
If you are the first and only vendor to support Single sign on, then over time word will spread and you will be the known appliance vendor in your niche that Single Sign On capable sites go to. They will overlook minor flaws because you support this key feature.
So this is something you want to implement? Sounds a bit like pie in the sky. Has anyone at all got it working?
This is already implemented and working site wide for many years. The only exceptions come when we’re forced to use a vendor’s product that has no facility for apache authentication modules, or built in support for either Webauth or Shibboleth.
Other sites using this technology include any site using Stanford Webauth or Shibboleth
What’s the bottom line?
If you support this feature, you will gain more customers and so earn more money in the long term. Customers (new and existing) will be happier because they have the option of deploying a new or integrating an existing Single Sign On site-wide system that includes your product.
I’ve lost count of the number of patches we maintain locally which effectively do the “supporting the REMOTE_USER environment variable” step. Some such patches are accepted ‘upstream’, but not all. Annoyingly, it’s usually a tiny patch!
A good summary of the conversation many of us have had. I would like to add that even small steps can be taken, which still deliver on the SSO promise…
For example, supporting the REMOTE_USER environment variable or the X-REMOTE_USER HTTP header in a product, to bypass its local login system, should be relatively easy.
Yet with this change the product vendor is now able to proudly say “we support REMOTE_USER so you can use whatever AuthN mechanism you like”. The customer is usually pretty happy at this point to do the rest of the work (Webauth frontend, or whatever).
Even I find terms like Shibboleth and SAML quite daunting, and have trouble explaining them to colleagues. But what I describe above is easy to grasp and immediately opens the door to SSO; everyone can get value from that.