Single Sign On with TYPO3 – Case Studies
Thomas Schikarski
Irene Höppner
Lea Schikarski
Irene Höppner
Specialized in TYPO3 for 9 years
Co-author of “TYPO3-Profihandbuch” and
trainer of two TYPO3 DVD video trainings
Senior developer with in2code GmbH
in2code GmbH (http://www.in2code.de/)
Formerly member of A.BE.ZET GmbH
(which is now “elementare teilchen GmbH”)
Thomas Schikarski
Experience in IT infrastructure and IT service
management, incl. applications of
cryptographic technology
Experience with the SSO part of several TYPO3
projects
Part-time freelancer
Lea Schikarski
Crawling
Running
Swinging
Drawing
Expressing herself with signs
Participation in: TYPO3camp Munich 2011,
T3DD12, FLOW3 Experience 2012 (F3X),
TYPO3camp Munich 2012, T3CON12DE
Outline
Motivation and general aspects of SSO

Real-world examples and lessons learned

More things to take care of

Summary
Why SSO?
Users don't have to memorize / enter many
passwords
User management simplified
(e.g. disabling access on all systems)
Linked information
(e.g. storing favorites of one system in
another)
Levels of “Single Sign-On”
Level 1: sharing credentials
– Username / password valid on > 1 systems
– Synchronized password changes
Level 2: + “single sign-on”
– Logging on (and off) only once for all systems
– Log on/off screens may be present in 1..all systems
Level 3: + “seamless”
– Log on takes place on system level
The Simple Case
Log on / -off functionality is centralized on
one system
A valid session on one system is accepted by
the other system
The authenticating system may be separate or
part of one of the application systems
SSO with TYPO3 CMS
Protect your content as usual
Use “auth services” to add authentication
methods
You always need a record in be_users/fe_users
(but auth service can auto-import users)
Case 1: Seamless SSO in a Windows Domain
Customer: Call center with ~200 employees
TYPO3: Intranet solution (knowledge base to
be used by call agents)
User-specific data was stored (e.g. news alerts,
list of unread news)
Logon-System: Windows Active Directory
Case 1: Special challenges
Customer required to use a Windows machine → Apache on Windows
Seamless integration using mod_auth_sspi
Retrieving user information using LDAP extensions
Lesson learned: Internet Explorer sometimes does
not send POST data when expected
Additional users outside Active Directory needed
alternative authorization scheme (IP range)
Case 2: Authentication against SAP
Intra- and Extranet portal for company-
specific training offers
TYPO3: Content elements and Plugins for
access to trainings stored in SAP
Users authenticate against SAP (only interns)
SOAP webservices were provided within SAP
 – Login / Logoff / Session validity / user information
 – Personalized content (e.g. favorite trainings)
Case 2: Special challenges
SAP provides Session-Token
Session-Token needs to be used as a Cookie in
two ways
– Server to Server access (SOAP)
– Linked content (Browser)
Domains and subdomains have to be chosen
carefully to allow cookie transfer
Case 3: OpenSSO
Remark: “OpenSSO” now has a fork “OpenAM”
Health insurance company hosts a number of
different systems that allow user access →
integration project including internal /
external TYPO3 sites
Internal and external users
Login / Logoff pages within TYPO3-FE required
RESTful services (Login, Check valid session,
Logoff)
Case 3: Special challenges
Login and logoff forms need to influence
– TYPO3 session
– OpenSSO session
Character encoding of session token was
interpreted differently on OpenSSO and on
TYPO3 side (JAVA vs. PHP)
Case 4: Shibboleth
University hosting > 200 TYPO3 sites
BE user management needed improvement
Shibboleth is a federated identity solution
– Allows the use of > 1 identity provider
– Well suited for the educational sector, with its high level
  of cooperation
– Apache module and server component
– Cookies and redirects; SAML messages
Case 4: Shibboleth (cont’d)
Complex configurations to be matched:
– Shibboleth identity provider
– Shibboleth service provider component
– Apache module → $_SERVER
– extConf
First application: BE Login of editors
– Autoimport of users in disabled state
Complex, versatile mapping of attributes
Case 4: Special Challenges
Very versatile mapping of Shibboleth-
attributes to TYPO3 user properties (fields,
groups) with TypoScript-style config file
Handling session across load-balancing cluster
Very complex project structure (Identity
management, hosting of identity provider,
hosting of web servers, TYPO3 experts)
Case 5: TYPO3 as Authentication Master
 TYPO3 used for technical customer relation mgmt.
 (providing product information)
 User management within TYPO3 (e.g.
 sr_feuser_register)
 Ticketing system (Atlassian JIRA) to authenticate
 against TYPO3 users
 Providing SOAP web services to external
 applications
 Management of applications (SOAP-credentials
 etc.)
Case 5: Special Challenges
Providing lean web services, but having loaded
all needed TYPO3 classes
Security!
Infrastructure
  Cookies & Domains
  To use a common cookie, all systems must be found
  under the same second level domain
  Server typically has to meet special
  requirements
  In many cases special auth modules are needed

Early clarification with customer /
 infrastructure experts necessary!
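
The cookie constraint stated here and under "Case 2: Special challenges" can be checked before domains are fixed. The following is an added example, not part of the original slides: it applies the RFC 6265 domain-match rule to a constructed host inventory (all host names are hypothetical) and lists every host that would receive the shared session cookie. It does not consult the Public Suffix List, so a result such as `co.uk` still has to be rejected by hand.

```python
import ipaddress

# Constructed inventory (hypothetical hosts, not taken from the slides).
HOSTS = [
    "sso.example.com",
    "cms.example.com",
    "training.portal.example.com",
    "blog.example.com",
    "cms.example.org",
]


def _is_ip(host):
    """True if host is an IPv4/IPv6 literal (Domain attributes never apply to IPs)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + cookie_domain."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def cookie_sent_to(setting_host, domain_attr, target_host):
    """Would a cookie set by setting_host be sent by the browser to target_host?"""
    if not domain_attr:
        # Host-only cookie: returned to the exact setting host only.
        return setting_host.lower() == target_host.lower()
    # Browsers reject a Domain attribute the setting host does not match itself.
    if not domain_match(setting_host, domain_attr):
        return False
    return domain_match(target_host, domain_attr)


def shared_cookie_domain(hosts):
    """Narrowest Domain attribute covering all hosts, or None if there is none.

    Assumption: at least two common labels are required; public suffixes
    such as co.uk are not detected.
    """
    if any(_is_ip(h) for h in hosts):
        return None
    reversed_labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    common = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    if len(common) < 2:
        return None
    return ".".join(reversed(common))


def exposure(setting_host, domain_attr, inventory):
    """Every host in the inventory that receives the cookie, wanted or not."""
    return [h for h in inventory if cookie_sent_to(setting_host, domain_attr, h)]


if __name__ == "__main__":
    domain = shared_cookie_domain(["sso.example.com", "cms.example.com"])
    print("Domain attribute:", domain)
    print("Receives the session cookie:", exposure("sso.example.com", domain, HOSTS))
```

The exposure list is the part to review with the infrastructure team: a cookie scoped to the common parent domain also reaches unrelated hosts under it (here `blog.example.com`), so the narrowest shared domain is preferable.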
Authorization and User Specific Data
“Authentication” is not “authorization”




Which system “decides” about authorization?
Which information is decisive?
Auto-import of users into TYPO3?
Which system holds other user specific data?
Scope of Login
User experience and expectation
– Scope of Logon? What systems know about me?
Logout scenarios
Timeout synchronization vs. server load
Complex Project Teams
Need to harmonize these people:
– Project owner (knows content)
– Identity management (knows users)
– Server hosting (knows server systems)
– Network specialists (know network structure and
  firewalls)
Summary
  No two SSO projects are the same
  Implementing / integrating SSO requires
  coordinating a large number of participants
  Typically, main stakeholders are unaware of
  the complexity



Slides: http://de.slideshare.net/tschikarski
Thank you for your attention!
Excursus: Authentication “channels”
– HTML login form: Browser (rendering, e.g. HTML) ↔ Application (e.g. TYPO3)
– htaccess: Browser (protocols, e.g. HTTP) ↔ Webserver (e.g. Apache)
– IP address: Network stack of OS (client) ↔ Network stack of OS (webserver)
More Things to Take Care of (cont’d)
 Difficult debugging
 – No FE/BE output possible in many cases
 – Redirects – you might want to die()
 – No success without devlog extension! ;-)
 Build your tool box!
 – http traffic
 – Test, what you get from the others!
References
mod_auth_sspi: http://sourceforge.net/projects/mod-auth-sspi/
LDAP extensions by Daniel Thomas:
http://typo3.org/extensions/repository/view/ldap_auth/
http://typo3.org/extensions/repository/view/ldap_server/
Atlassian JIRA: http://www.atlassian.com/software/jira/overview
OpenSSO: http://www.oracle.com/technetwork/testcontent/opensso-091890.html
OpenAM: http://www.forgerock.com/openam.html
Shibboleth: http://shibboleth.net/
Credits
in2code GmbH
elementare teilchen GmbH
(formerly known as “A.BE.ZET GmbH”)
Rene Fritz, Francois Suter for developing
devlog ;-)
