adelton

Web Application Authentication

Jan Pazdziora

Developer Setup

Web Application

[Diagram: Browser <-> Web server + application. The application box is decorated with code fragments from typical frameworks: a Django AppConfig (activity), a Rails ApplicationController with force_ssl, and HTML/PHP markup.]

  • Typical Web application ...

Authentication in Web Applications

[Diagram: Browser -> Web server + application (local users, groups, roles). Logon form: Username: bob, Password: *********, [ Log In ]. Arrow label: credentials submitted; application validates locally.]

  • Typical Web application authenticates
    users against a local user list that it manages itself.

Authentication in Web Applications

[Diagram: Browser <- Web server + application (local users, groups, roles). Response: Authenticated content for bob. Arrow label: session created.]

  • Typical Web application authenticates
    users against a local user list that it manages itself.

External Identity Sources

[Diagram: Browser <-> Web server + application <-> Identity Source (FreeIPA/IdM, Active Directory, LDAP, ...). Arrow labels: Application is configured to trust the external identity source; Authentication against identity source; Proof of authentication.]

  • In large organisations, users are managed centrally.
  • Single sign-on is often a strong requirement.

Protocols for External Authentication

[Diagram: Browser <-> Web server + application <-> Identity Source (FreeIPA/IdM, Active Directory, LDAP, ...).]

  • Kerberos, SAML, OpenID Connect, ...

Developing for External Authentication

  • How hard is it to make a Web application ready for
    Kerberos, SAML, OpenID Connect, ...?
  • Not that hard if an authentication front-end is used.
  • The application then just consumes the authentication results.

Container-based Developer Setup

[Diagram: Client with browser -> Web (Apache authn proxy) -> Example Web app; FreeIPA + SAML IdP (Ipsilon).]

  • Based on the FreeIPA container image.
  • Four-container setup built with one docker-compose build command.

Building the Developer Setup

Starting the Developer Setup

[Diagram: Client with browser -> Web (Apache authn proxy) -> Example Web app; FreeIPA + SAML IdP (Ipsilon).]

  • Started with one docker-compose up command.

Starting the Developer Setup

Authentication in the Developer Setup

[Diagram: Client with browser -> Web (Apache authn proxy) -> Example Web app; FreeIPA + SAML IdP (Ipsilon).]

  • Browser is already configured for Kerberos.
  • Authentication via standard Apache HTTP Server modules.
  • Application consumes authentication results.

Using the Developer Setup

Using the Developer Setup with SAML

[Diagram: Client with browser -> Web (Apache authn proxy) -> Example Web app; FreeIPA + SAML IdP (Ipsilon).]

  • Configuration is easily changed to SAML authentication.

Configuring for SAML

Application Deployment Modes

[Diagram: Client with browser -> Web (Apache authn proxy + Example Web app in one container); FreeIPA + SAML IdP (Ipsilon).]

  • Application can also run in the same container as the Apache HTTP Server (mod_wsgi).

Using the Setup for Development

[Diagram: Client with browser -> Web (Apache authn proxy) -> Web application (outside the container setup); FreeIPA + SAML IdP (Ipsilon).]

  • Application can also run on the host.
  • Or on a completely different machine.
  • Instead of the provided example application, plug in the one you develop.
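Added example, not from the slides or the webauthinfra project: a minimal WSGI application that only consumes the authentication result handed over by the Apache authn front-end, covering both deployment modes above (mod_wsgi in the same container, where REMOTE_USER is set, and behind the proxy on the host or another machine, where the identity arrives as a forwarded header). Assumptions not in the deck: the proxy forwards the principal in an X-Remote-User header, and the proxy addresses are the constructed values in TRUSTED_PROXIES.

```python
# Added example (not from the slides or the webauthinfra project).
# Assumed, not taken from the deck: the Apache authn proxy forwards the
# authenticated principal in an X-Remote-User request header, which WSGI
# exposes as HTTP_X_REMOTE_USER, and the app is reachable only through
# the proxies listed in TRUSTED_PROXIES (constructed sample addresses).

TRUSTED_PROXIES = {"127.0.0.1", "10.0.0.2"}
IDENTITY_HEADER = "HTTP_X_REMOTE_USER"


def identity_from_environ(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the user name established by the authn front-end, or None.

    Same-container mode (mod_wsgi): Apache authenticated the request and
    mod_wsgi set REMOTE_USER, so it can be used directly.
    Proxy mode: the identity arrives as a forwarded header, which must be
    honoured only when the request came from the authn proxy itself;
    anyone who could reach the app directly could otherwise set the header.
    """
    user = environ.get("REMOTE_USER", "").strip()
    if user:
        return user
    if environ.get("REMOTE_ADDR") in trusted_proxies:
        user = environ.get(IDENTITY_HEADER, "").strip()
        if user:
            return user
    return None


def application(environ, start_response):
    """WSGI entry point: the application only consumes the result."""
    user = identity_from_environ(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"Authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Authenticated content for {user}\n".encode("utf-8")]


if __name__ == "__main__":
    # Stand-alone run for local testing; in the setup the proxy fronts it.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, application).serve_forever()
```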

Container-based Web Application Authentication Developer Setup

Available at pagure.io/webauthinfra