@ryanhanwu
Last active June 4, 2016 21:04
Hello!

SSO Knowledge Sharing

What is HTTP ?

  • Client: Browsers
  • Server: Web server

```
Note left of Client: Preparing Material
Client->Server: Send Request Message
Server-->Server: Processing
Server-->Client: Send Response Message
Note left of Client: Display Data
```

What's inside a Request / Response message ?

  • Headers
    • Options and metadata
  • Body
    • Content

Request

Header:

```
POST /login HTTP/1.1
Host: www.edlab.edu
Content-Type: application/json
```

Body:

```
{ "username": "ryan", "password": "mypwd" }
```

Response

Header:

```
HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Content-Type: text/html
```

Body:

```
<html>
  <head>
    <title>Welcome Ryan</title>
  </head>
  <body>This is Cool</body>
</html>
```
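To make the header/body split concrete, here is a small HTTP/1.1 message parser, written for these notes and not taken from the gist. It is fed constructed copies of the request and response above (the request gets a Content-Length header so the body can be delimited), treats header names as case-insensitive, and rejects a message that declares two different Content-Length values, which is the one ambiguity a parser on the server side must never guess about.

```python
import json
from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: str
    headers: dict  # keys lowercased: HTTP header names are case-insensitive
    body: str

    @property
    def is_request(self):
        return not self.start_line.startswith("HTTP/")

    def request_line(self):
        method, target, version = self.start_line.split(" ", 2)
        return method, target, version

    def status_code(self):
        return int(self.start_line.split(" ", 2)[1])

    def json_body(self):
        media_type = self.headers.get("content-type", "").split(";")[0].strip()
        if media_type != "application/json":
            raise ValueError("body is not declared as JSON")
        return json.loads(self.body)


def parse_http_message(raw):
    """Split a raw HTTP/1.1 message into start line, headers and body."""
    head, sep, rest = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line after headers")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        if key in headers:
            if key == "content-length":
                raise ValueError("ambiguous body length: duplicate Content-Length")
            headers[key] += ", " + value  # repeatable headers are folded, per HTTP semantics
        else:
            headers[key] = value
    if "content-length" in headers:
        length = int(headers["content-length"])
        data = rest.encode()
        if len(data) < length:
            raise ValueError("body shorter than Content-Length")
        body = data[:length].decode()
    else:
        body = rest
    return HttpMessage(start_line, headers, body)


def is_well_formed(raw):
    try:
        parse_http_message(raw)
        return True
    except ValueError:
        return False


# Constructed sample messages mirroring the slide above (not captured traffic).
REQUEST_BODY = json.dumps({"username": "ryan", "password": "mypwd"})
RAW_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.edlab.edu\r\n"
    "Content-Type: application/json\r\n"
    f"Content-Length: {len(REQUEST_BODY.encode())}\r\n"
    "\r\n" + REQUEST_BODY
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 23 May 2005 22:38:34 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Welcome Ryan</title></head><body>This is Cool</body></html>"
)
```

Calling `parse_http_message(RAW_REQUEST).json_body()` yields the credentials dictionary, and `parse_http_message(RAW_RESPONSE).status_code()` yields 200; a message with two Content-Length headers is rejected rather than parsed.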

What's Stateless?

```
Client->Server: Hi, This is Ryan
Server-->Client: Hello, Ryan
Client->Server: Hi again!
Server-->Client: Have we met?
```

Cookie

```
Client->Server: Hi, This is Ryan
Server-->Client: Hello, Ryan [Cookie No.135]
Client->Client: Save Cookie
Client->Server: Hi, again [Cookie No.135]
Server-->Client: Hi Ryan, Good to see you again
```

SSO - Single Sign On

Ideal

```
Client->nlt.com: Hi, This is Ryan
nlt.com-->Client: Hello, Ryan [Cookie No.135]
Client->Client: Save Cookie
Client->vialogue.com: Hi, again [Cookie No.135]
vialogue.com-->Client: Hi Ryan, Good to see you again
```

Actual

```
Client->nlt.com: Hi, This is Ryan
nlt.com-->Client: Hello, Ryan [Cookie No.135]
Client->Client: Save Cookie
Client->vialogue.com: Hi, again []
vialogue.com-->Client: Have we met?
```

Why?

  • Cookie Scope - Domain + Path

Actual Detail

```
Client->nlt.com: Hi, This is Ryan
nlt.com-->Client: Hello, Ryan [Cookie No.135]
Note left of nlt.com: This cookie is for nlt.com/
Client->Client: Save Cookie - For nlt.com
Client->vialogue.com: Hi, again []
vialogue.com-->Client: Have we met?
```
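The "Stateless", "Cookie" and "Why?" slides come down to one rule: the browser only attaches a cookie to requests whose host and path match the cookie's scope. The following cookie jar, an added example that is not part of the gist, implements the domain-match and path-match rules of RFC 6265 (simplified: no public-suffix list, no expiry, no SameSite) and shows that a cookie set by nlt.com is sent back to nlt.com but never to vialogue.com, and that a Secure cookie scoped to /cas on sso.edu stays on that path and on HTTPS. The host names come from the slides; the cookie values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host the cookie belongs to (lowercased, no leading dot)
    host_only: bool  # True when the response had no Domain attribute
    path: str
    secure: bool
    http_only: bool


def default_path(request_path):
    # RFC 6265 5.1.4: directory part of the request path, or "/" if there is none
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def domain_matches(host, domain):
    # RFC 6265 5.1.3: identical, or host is a subdomain of domain (IP literals not handled here)
    host, domain = host.lower(), domain.lower()
    return host == domain or (host.endswith(domain) and host[-len(domain) - 1] == ".")


def path_matches(request_path, cookie_path):
    # RFC 6265 5.1.4: equal, or cookie path is a directory prefix of the request path
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    def __init__(self):
        self.cookies = []

    def set_cookie(self, request_host, request_path, header):
        """Store a Set-Cookie header value the way a browser would for a response from request_host."""
        pair, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        opts = {}
        for attr in attrs:
            key, _, val = attr.partition("=")
            opts[key.strip().lower()] = val.strip()
        domain = opts.get("domain", "").lstrip(".").lower()
        if domain:
            if not domain_matches(request_host, domain):
                return False  # a site may not set cookies for an unrelated domain
            host_only = False
        else:
            domain, host_only = request_host.lower(), True
        path = opts.get("path", "")
        if not path.startswith("/"):
            path = default_path(request_path)
        # same name + domain + path replaces the stored cookie
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.path) != (name, domain, path)]
        self.cookies.append(Cookie(name, value, domain, host_only, path, "secure" in opts, "httponly" in opts))
        return True

    def cookie_header(self, host, path, https=True):
        """Build the Cookie header the browser would attach to a request for host + path."""
        sent = []
        for c in self.cookies:
            if c.host_only and host.lower() != c.domain:
                continue
            if not c.host_only and not domain_matches(host, c.domain):
                continue
            if not path_matches(path, c.path) or (c.secure and not https):
                continue
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def demo():
    """The 'Actual Detail' flow: nlt.com's cookie is scoped to nlt.com, so vialogue.com sees nothing."""
    jar = CookieJar()
    jar.set_cookie("nlt.com", "/", "session=135; Path=/; HttpOnly")
    jar.set_cookie("sso.edu", "/cas/login", "CASTGC=500; Path=/cas; Secure; HttpOnly")
    return {
        "nlt.com /home": jar.cookie_header("nlt.com", "/home"),
        "vialogue.com /home": jar.cookie_header("vialogue.com", "/home"),
        "sso.edu /cas/login": jar.cookie_header("sso.edu", "/cas/login"),
        "sso.edu /cas/login over http": jar.cookie_header("sso.edu", "/cas/login", https=False),
        "sso.edu /other": jar.cookie_header("sso.edu", "/other"),
    }
```

`demo()` returns `session=135` for nlt.com, an empty header for vialogue.com, and `CASTGC=500` only for HTTPS requests under sso.edu/cas, which is the reason the "Ideal" flow cannot work with a plain cookie and an SSO host is needed.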

How does Jasig CAS solve the problem?

First Time Login NLT.com

```
Client->nlt.com: Hi, This is Ryan
nlt.com-->>Client: I don't know who you are, redirect you to SSO
Note over Client: Redirect 1
Note left of Client: Redirect 2
Note right of Client: Redirect 3
Client->>sso.edu: Hi, This is Ryan
sso.edu-->Client: Please type in your username and password
Client->sso.edu: They're ryan and mypwd
sso.edu-->Client: [Cookie No.500 - sso.edu] + [Ticket 5]
Note over Client: Redirect 2
Client->>nlt.com: Hi, This is Ryan [Ticket 5]
nlt.com->>sso.edu: Is this ticket good? [Ticket 5]
sso.edu-->nlt.com: Yes, it's good
nlt.com-->Client: Hello Ryan, Nice to meet you
```

First Time Login Vialogue.com

```
Client->vialogue.com: Hi, This is Ryan
vialogue.com-->>Client: I don't know who you are, let's ask SSO
Note over Client: Redirect 1
Client->>sso.edu: Ryan wants to login [Cookie No.500 - sso.edu]
sso.edu-->Client: [Cookie No.500 - sso.edu] + [Ticket 7]
Note over Client: Redirect 2
Client->vialogue.com: Hi, This is Ryan [Ticket 7]
vialogue.com->>sso.edu: Is this ticket good? [Ticket 7]
sso.edu-->vialogue.com: Yes, it's good
vialogue.com-->Client: Hello Ryan, Nice to meet you
```

How do we improve it?

First Time Login NLT.com

```
Client->nlt.com: Hi
Client->nlt.com[sso.edu]: Hi, This is Ryan and Pwd
nlt.com-->Client: Not-logged-in page
nlt.com[sso.edu]->sso.edu: Let me check
sso.edu-->nlt.com[sso.edu]: He is good
nlt.com[sso.edu]-->Client: [Cookie No.500 - sso.edu] + [Ticket 8]
Note over Client: Refresh
Client->>nlt.com: Hi, This is Ryan [Ticket 8]
nlt.com->>nlt.com[sso.edu]: Is this ticket good? [Ticket 8]
nlt.com[sso.edu]->sso.edu: Let me check
sso.edu-->nlt.com[sso.edu]: He is good
nlt.com[sso.edu]-->nlt.com: Yes, it's good
nlt.com-->Client: Hello Ryan, Nice to meet you
Client->vialogue.com: Hi
Client->vialogue.com[sso.edu]: Hi [Cookie No.500 - sso.edu]
vialogue.com-->Client: Not-logged-in page
vialogue.com[sso.edu]->sso.edu: Let me check
sso.edu-->vialogue.com[sso.edu]: He is Ryan
vialogue.com[sso.edu]-->>Client: Oh, you're Ryan [Ticket 15]
Note over Client: Refresh
Client->vialogue.com: Hi, This is Ryan [Ticket 15]
vialogue.com->>vialogue.com[sso.edu]: Is this ticket good? [Ticket 15]
vialogue.com[sso.edu]->sso.edu: Let me check
sso.edu-->vialogue.com[sso.edu]: He is good
vialogue.com[sso.edu]-->vialogue.com: Yes, it's good
vialogue.com-->Client: Hello Ryan, Nice to meet you
```
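Both the redirect-based CAS flow ("How does Jasig CAS solve the problem?") and the iframe variant above rest on the same two objects: a cookie that only sso.edu ever sees (Cookie No.500, the ticket-granting cookie) and a short-lived service ticket that the application hands back to sso.edu with the question "Is this ticket good?". The model below, written for these notes and not code from the gist, CAS or the apps-edlab projects, simulates sso.edu, two service apps and a browser that keeps one cookie per host, reproduces the two "First Time Login" flows, and then checks the three properties a service ticket must have to be safe to pass through a URL: it is valid for one service only, it validates once only, and it expires. The user store, ticket lifetime and host names are constructed for the example; the iframe variant only changes where the browser obtains the ticket, not how it is validated.

```python
import hmac
import secrets
import time

# Constructed credential store for the example; a real CAS deployment uses LDAP or a database.
USERS = {"ryan": "mypwd"}
ST_LIFETIME = 10.0  # seconds a service ticket stays valid (constructed; CAS uses a similarly short window)


class CasServer:
    """Model of sso.edu: the TGC cookie is the SSO login session, an ST is one-time proof for one service."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.tgts = {}     # TGC cookie value -> username
        self.tickets = {}  # ST value -> (username, service it was issued for, issue time)

    def login(self, username, password):
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgts[tgc] = username
        return tgc

    def issue_ticket(self, tgc, service):
        user = self.tgts.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, self.clock())
        return st

    def validate(self, st, service):
        ticket = self.tickets.pop(st, None)  # pop: a ticket is consumed by its first validation attempt
        if ticket is None:
            return None
        user, issued_for, issued_at = ticket
        if issued_for != service or self.clock() - issued_at > ST_LIFETIME:
            return None
        return user


class ServiceApp:
    """Model of nlt.com / vialogue.com: after CAS validates a ticket, the app keeps its own session."""
    def __init__(self, name, cas):
        self.name, self.cas, self.sessions = name, cas, {}  # sessions: own cookie -> user

    def handle(self, cookie=None, ticket=None):
        if cookie in self.sessions:
            return "page", self.sessions[cookie], cookie
        if ticket is not None:
            user = self.cas.validate(ticket, self.name)  # the "Is this ticket good?" call
            if user is not None:
                sid = secrets.token_urlsafe(16)
                self.sessions[sid] = user
                return "page", user, sid
        return "redirect_to_sso", None, None


class Browser:
    """Holds one cookie per host, which is why nlt.com's cookie never reaches vialogue.com."""
    def __init__(self, cas):
        self.cas, self.cookies = cas, {}

    def visit(self, app, creds=None):
        result, user, sid = app.handle(cookie=self.cookies.get(app.name))
        if result == "page":
            return user
        # Redirect 1: the browser goes to sso.edu carrying only sso.edu's cookie (the TGC, if any).
        tgc = self.cookies.get("sso.edu")
        if tgc is None:
            tgc = self.cas.login(*creds) if creds else None  # no creds: sso.edu would show the form
            if tgc is None:
                return None
            self.cookies["sso.edu"] = tgc
        # Redirect 2: back to the app with ?ticket=ST-...; the app validates it server-to-server.
        result, user, sid = app.handle(ticket=self.cas.issue_ticket(tgc, app.name))
        if result == "page":
            self.cookies[app.name] = sid
        return user


def demo():
    """The two flows above: password typed once at sso.edu, the second app signs in via the TGC."""
    cas = CasServer()
    nlt, vialogue = ServiceApp("nlt.com", cas), ServiceApp("vialogue.com", cas)
    browser = Browser(cas)
    first = browser.visit(nlt, creds=("ryan", "mypwd"))
    second = browser.visit(vialogue)  # no credentials: sso.edu recognises its own cookie
    again = browser.visit(nlt)        # served from nlt.com's own session cookie
    return first, second, again


def ticket_checks():
    """Properties a service ticket must have: bound to one service, single use, short lived."""
    clock = [0.0]
    cas = CasServer(clock=lambda: clock[0])
    tgc = cas.login("ryan", "mypwd")
    wrong_service = cas.validate(cas.issue_ticket(tgc, "nlt.com"), "vialogue.com")
    st = cas.issue_ticket(tgc, "nlt.com")
    first, replay = cas.validate(st, "nlt.com"), cas.validate(st, "nlt.com")
    st = cas.issue_ticket(tgc, "nlt.com")
    clock[0] += ST_LIFETIME + 1
    expired = cas.validate(st, "nlt.com")
    return wrong_service, first, replay, expired
```

`demo()` returns `("ryan", "ryan", "ryan")`: one password prompt, then two applications signed in. `ticket_checks()` returns `(None, "ryan", None, None)`: a ticket issued for nlt.com is refused by vialogue.com, a ticket validates exactly once, and a stale ticket is refused. Those three refusals are what makes it acceptable for the ticket to travel through a redirect URL (or the iframe) while the TGC never leaves sso.edu.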

What have we done? And what's the issue?

sso.edu - apps-edlab-cas

  • This is our custom API + CAS Server
    • Because stock CAS doesn't support the iframe way
    • The APIs are neither well documented nor well structured
    • We're using Java Servlets and JSP to do this

applications[sso.edu] - app-django-cas

  • This is the iFrame for applications (Django backend plus JavaScript frontend)

Other pages like forget password - apps-edlab-identity

  • This is a Django application as well

What do we want?

  • Clean CAS Server
    • Dockerized
    • Out-of-the-box open source - move the customized API code out of the CAS server
  • Auto sign-in / out
  • Better customization of account pages
    • People should be able to update it easily
  • More features
    • Profile features
    • Third party signup
    • OpenID Support

What should we do next?

Approach 1 - Using current CAS

Bootstrap Cost: Operation Cost: Future-friendly:

Approach 2 - Upgrade to latest CAS

Bootstrap Cost: Operation Cost: Future-friendly: Not Sure

Approach 3 - Create our own SSO Solution

Bootstrap Cost: Operation Cost: Future-friendly:

The Future


Next

  • Dockerize CAS 4
  • Build our express project on top of it