Q: How would you create an SSO? What would you do about authentication (separate app or same as SSO) and user store?
Background info:
We have 40+ PHP apps, Java apps and Ruby apps.
Currently, we have a custom SSO+authentication solution. It's an app written in PHP that is now used as SSO, while supporting email/username/phone-number + password as authentication. It works, but was built for a few apps only, not originally meant to be the SSO solution. It doesn't have a usable view; every app creates its own login/register forms and uses the API. They share context and we'd like a more universal design.
Now we want to support OAuth and OpenID solutions, such as Facebook Connect, Google and more (or do we really?), in addition to the existing authentications. We can expand the existing PHP solution, but we are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does acquire other companies/systems at times, which have their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
In a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.
Using Laravel for PHP and DBMS. How do I make an app? (for social networking).
I have googled most of the things but I am really an amateur and need help.
There are many kinds of apps, so before you start to work on your app, you need to carefully determine what exactly you need. You could write desktop apps for various operating systems, or native mobile apps, or hybrids, or a web application... You name it. Anyway, Laravel is the server-side and it should be as agnostic to the apps as possible. You need to create an API and handle the following things:
CRUD for the database
session (log in, log out, register, password change, user settings)
logical API functions
file transfer protocol usage
push notification (if needed)
As per your requirements, you will need to implement the server-side API in Laravel, which is a PHP-based framework and use an RDBMS, which could be MySQL, SQL Server, Oracle, or a NoSQL database, for instance MongoDB.
Before you implement any apps, you should have a proof-of-concept for the API. You should not invest too much time working out the details of the API, as when you are going to work on a real app, you will notice things to be changed anyway. The API should be accompanied by a playground for testing, maybe a very small app without design where you could send requests to the API. Or you can implement a WebSocket API to have a single, duplex connection. It is up to you.
As for how to write an API, there are many tutorials.
I'm currently developing an iOS app and have reached the point where I need to implement a server back-end in order to support the core functionality. The app is built in a way to store certain questions locally (within the app) and pose the questions to the app user. I need to tweak it such that it retrieves the questions from a remote server. Furthermore, the questions will reside in a specific folder within the remote DB. So the app will have to fetch the questions from the appropriate folder based on user login.
I have zero server experience and am in need of some advice as to where I should begin with this. I would like to know if there is a template spec for this kind of task. With a template spec, I can hire a programmer and talk intelligently. Please help!
Here are a number of solutions:
1) You can use other services that provide backend functionality with a REST API (as Niklas Hein mentioned); this is called BaaS (backend as a service), such as Parse (but Parse is closing its service in one year), BaasBox, etc.
2) You can use CloudKit. This is a service created by Apple, where you can store app data in the cloud, with authorization, requests, admin panel, etc.
3) Create your own back end. There are a large number of languages and web frameworks, so PHP is not the only solution: Ruby on Rails, Python Django, NodeJS, and many others of your choice.
There are plenty of BaaS (Backend as a Service) providers, like Parse or Firebase. You might want to have a look into them. (Although Parse is going to shut down.)
Another simple way is to look into PHP Laravel.
Laravel is a great Framework which makes it really easy to set up a backend.
Have a look at Laracasts.
I have two web apps running. One is a Rails app which is the beef of the application, and the other is a WordPress app (for an online store).
My challenge is sharing login data/session data between the two apps. So if I log into the Rails app, and then click the shopping tab, how do I transfer the user session over to the WordPress site?
Also vice versa. If I am shopping on the WordPress site, and want to log in to purchase items, how can I log in via the Rails app?
I believe there are single sign-on plugins that can achieve this, but I have not found anything that is too specific on how to achieve this. For some reason WordPress is awfully terrible to develop around :(.
Are the 2 applications running on the same host? Same domain? Sharing database?
Sounds like your best option is some sort of authentication service, like one of the many OAuth authenticator services (Facebook, Twitter, etc.), or writing your own OAuth service.
Alternatively, if the 2 applications are small-scale and running on the same machine, it might be possible to modify the session handler for either the Rails app or WordPress to use the other's session data. I suspect WordPress would be the easier of the two to modify, but I have a bias toward PHP.
Did a quick search and found this article about modifying Rails cookie sessions to use with PHP.
https://www.coffeepowered.net/2011/08/24/rails-cookie-sessions-and-php/
I also found this article which might be exactly what you're looking for?
http://code.tutsplus.com/tutorials/build-a-custom-api-to-connect-wordpress-with-ruby-on-rails--cms-21189
Unfortunately, I have never attempted this from either direction. But I am very familiar with WordPress, and believe it could be made to cooperate with Rails sessions, given enough blood, sweat and tears.
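The "modify the session handler" route above comes down to one thing: both apps must be able to verify the same signed cookie. Below is an added example (not code from the answer, from Rails or from WordPress) of a shared signed session cookie in Ruby; the PHP side would have to reproduce the same layout. The secret, the lifetime and the `--` layout borrowed from Rails' legacy signed cookies are assumptions; JSON instead of Marshal and HMAC-SHA256 instead of SHA-1 are this example's own choices.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Shared secret and lifetime are assumptions for this example; in practice each app reads
# the same secret from its own configuration and the cookie is set with
# Domain=.example.com; Secure; HttpOnly so both apps on that parent domain receive it.
SHARED_SECRET = 'replace-with-at-least-32-random-bytes'.freeze
SESSION_TTL   = 30 * 60 # seconds

# Constant-time string comparison, so a forger cannot learn the MAC byte by byte from timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie layout: base64url(JSON payload) + "--" + hex(HMAC-SHA256(secret, base64url part)).
# The "--" separator follows Rails' legacy signed-cookie layout; JSON instead of Marshal and
# SHA-256 instead of SHA-1 are this example's own choices (Marshal would let the other app
# instantiate arbitrary Ruby objects, which is why JSON is used here). Both apps must agree.
def sign_session(payload, secret: SHARED_SECRET, now: Time.now.to_i)
  body = payload.merge('iat' => now, 'exp' => now + SESSION_TTL)
  data = Base64.urlsafe_encode64(JSON.generate(body), padding: false)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Returns the payload hash, or nil if the cookie is missing, malformed, forged or expired.
# The MAC is verified before the body is parsed, so untrusted bytes never reach JSON.parse
# unless they were produced by a holder of the secret.
def verify_session(cookie, secret: SHARED_SECRET, now: Time.now.to_i)
  return nil unless cookie.is_a?(String)
  data, sep, sig = cookie.rpartition('--') # the hex MAC contains no '-', so split on the last '--'
  return nil if sep.empty? || data.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return nil unless secure_equal?(sig, expected)
  payload = JSON.parse(Base64.urlsafe_decode64(data))
  return nil unless payload.is_a?(Hash) && payload['exp'].is_a?(Integer) && now < payload['exp']
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo: the Rails side mints the cookie, the shop side verifies it.
  cookie = sign_session({ 'uid' => 42, 'role' => 'customer' })
  puts "issued:   #{cookie[0, 40]}..."
  puts "verified: #{verify_session(cookie).inspect}"
  # An attacker who edits the payload but cannot recompute the MAC is rejected.
  tampered = Base64.urlsafe_encode64('{"uid":1,"role":"admin","exp":9999999999}', padding: false) +
             '--' + cookie.rpartition('--').last
  puts "tampered: #{verify_session(tampered).inspect}"
end
```

Two caveats a practitioner would add: the cookie only reaches both apps if they share a parent domain (the question in the answer above about same host/domain is exactly this), and a bearer cookie like this is not a logout mechanism, so either keep the TTL short or have both apps check a shared revocation store.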
Is there any way that I can integrate the UserCake user management system with MediaWiki? I want to link the accounts in each system so users can log into both with the same username and password.
There is no existing system to do this. You can create an extension for MediaWiki to do this without too much trouble. Basing it off an existing extension is probably a good starting point. By looking at AuthJoomla, AuthBugzilla and AuthSymfony you should get a good idea of how MediaWiki's authentication extension API operates. It's really just a matter of creating the class, getting it to call the relevant UC functions and then loading it as an extension into MW.
Having said that, UserCake seems unmaintained. It may be worth taking this opportunity to migrate your users to another authentication system. If you are using credentials between several applications you might want to look at something like LDAP.
I know that this is a really old question, but UserSpice is the fully PDO/OOP spiritual successor to UserCake and would probably be better equipped to handle this. It would take some modification, but it could be done.
May I recommend that you use other ways to secure your applications. Take a look at Windows Azure ACS, which gives you security federation to Facebook, Google, Yahoo and more.
This allows you to focus on your application and not security protocols.
Azure ACS supports many different protocols and works great with PHP as well as .Net based applications.
I did a quick search and found http://www.mediawiki.org/wiki/Extension:OpenID, which can use Azure ACS (Access Control Services).
There are other alternatives to ACS such as Ping Identity and OpenSSO; but ACS is a cheap alternative to Ping.
I have three websites that do three separate things, but I would like to implement single sign-on for users to access all three sites. The sites do not share a DB, and two are not in the same domain; also two are PHP based and one is an RoR website.
Why not let them use OpenID or a Google ID? Then they don't have to have a separate login. Never having implemented it, I don't know any details, but I daresay there's a few around here at SO that have experience with it... I dunno though whether there's licensing involved with using Google ID or not. There's already enough sites with different logins, why not take this opportunity to save your users having to remember another username and password? Just my $0.02.
We have done the same with Central Authentication Service (http://www.jasig.org/cas). Rails has both a CAS server and a client:
ruby CAS server is here (https://github.com/gunark/rubycas-server)
ruby CAS client is here (http://code.google.com/p/rubycas-client/)
and in theory the CAS server and clients can be in different languages (like a CAS server in Ruby and a CAS client in PHP, or vice versa...)
and also ruby CAS has a very helpful community through groups
hope this helps
cheers
sameera
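Both the Jasig CAS answer earlier on this page and the RubyCAS answer above assume the reader knows what the CAS exchange actually checks. The following is an added Ruby illustration of that exchange, written for this page; it is not code from rubycas-server, rubycas-client or Jasig CAS, and the host names, the `TicketServer` class and the helper names are made up. It shows both sides: the SSO server issuing a service ticket, and a client (which could be PHP, Java or Ruby) redirecting to the login page and validating the ticket over the back channel.

```ruby
require 'securerandom'
require 'uri'

# Toy CAS-style ticket-granting side. It is an added illustration of the protocol the answers
# above rely on, not code from rubycas-server or Jasig CAS; host names are made up.
class TicketServer
  ST_TTL = 5 * 60 # seconds; the CAS protocol spec recommends service tickets expire within 5 minutes

  def initialize(clock: -> { Time.now.to_i })
    @clock   = clock
    @tickets = {} # ticket id => { user:, service:, issued: }
  end

  # /login: the user has authenticated at the SSO (form, LDAP, OAuth, whatever the server does).
  # Issue a random, single-use service ticket bound to the exact service URL and send the browser
  # back there with ?ticket=ST-... appended.
  def login(user:, service:)
    st = "ST-#{SecureRandom.urlsafe_base64(32)}"
    @tickets[st] = { user: user, service: service, issued: @clock.call }
    back = URI(service)
    back.query = [back.query, "ticket=#{URI.encode_www_form_component(st)}"].compact.join('&')
    back.to_s
  end

  # /serviceValidate: called server-to-server by the application, never trusted from the browser.
  # The ticket is deleted before any check, so a replayed or mis-scoped ticket can never be
  # retried; it must match the service it was issued for and still be fresh.
  def service_validate(ticket:, service:)
    entry = @tickets.delete(ticket)
    return { error: 'INVALID_TICKET' } if entry.nil?
    return { error: 'INVALID_TICKET' } if @clock.call - entry[:issued] > ST_TTL
    return { error: 'INVALID_SERVICE' } unless entry[:service] == service
    { user: entry[:user] }
  end
end

# Client side, which can live in any language (PHP, Java, Ruby): build the redirect to the SSO
# login page, then pull the ticket out of the callback URL.
def cas_login_url(cas_base, service)
  "#{cas_base}/login?service=#{URI.encode_www_form_component(service)}"
end

def ticket_from_callback(url)
  query = URI(url).query
  query && URI.decode_www_form(query).to_h['ticket']
end

# One complete exchange, using a fixed clock so the result is reproducible.
def walkthrough
  now     = 1_700_000_000
  server  = TicketServer.new(clock: -> { now })
  service = 'https://shop.example.com/cart'
  login_redirect = cas_login_url('https://sso.example.com/cas', service) # step 1: app -> browser -> SSO
  callback       = server.login(user: 'alice', service: service)         # step 2: SSO -> browser -> app
  ticket         = ticket_from_callback(callback)
  first  = server.service_validate(ticket: ticket, service: service)     # step 3: app -> SSO (back channel)
  replay = server.service_validate(ticket: ticket, service: service)     # same ticket again: rejected
  { login_redirect: login_redirect, ticket: ticket, first: first, replay: replay }
end

puts walkthrough.inspect if $PROGRAM_NAME == __FILE__
```

The three checks in `service_validate` (single use, exact service match, short lifetime) are what make a CAS ticket safe to pass through the browser: a ticket leaked from a referrer or a log is useless once consumed, and a ticket issued to one app cannot be redeemed by another. A real CAS server answers `/serviceValidate` with a `<cas:serviceResponse>` XML document rather than a Ruby hash, and also offers proxy tickets and single logout; in practice you let rubycas-client (or the PHP/Java client) perform this validation rather than hand-rolling it, but this is what it is doing for you.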
I've looked into http://simplesamlphp.org/ before for true SSO. Got it up and running OK, though I've never used it in production. You can point it to an LDAP directory (like Active Directory), use a local user table or create your own plug in for it. For a working SAML SSO, it's pretty easy to implement (and it's free, which is always nice). SSO in any flavor can be tricky to implement though.... Good luck!