Extending drupal authentication

EXTENDING DRUPAL AUTHENTICATION. Charles Russell, CTSC, UC Davis Medical Center; Bennubird Media; SacProNet

Description: Slides from the Sacramento Drupal camp presentation

Transcript of Extending drupal authentication

Page 1: Extending drupal authentication

EXTENDING DRUPAL AUTHENTICATION

Charles Russell, CTSC
UC Davis Medical Center
Bennubird Media
SacProNet

Page 2: Extending drupal authentication

What is wrong with this picture? http://web-cms.findthebest.com/compare/2-42/Drupal-vs-Liferay-Portal

Page 3: Extending drupal authentication

Drupal Authentication

• Multi-layered security system
• Account/role based
• SQL table based and internal to the system
• OpenID (optional)

Great for a stand-alone site, but what if:
• You have to integrate with legacy systems
• You have to tie this site to other service providers not using Drupal
• You have to coordinate with other organizations

Page 4: Extending drupal authentication

Enterprise Level Authentication

• Directory based
  • May be some type of SQL-based system
  • LDAP (Lightweight Directory Access Protocol)
• Central single sign-on
  • Kerberos
  • CAS (Central Access System)
• Federated system
  • OpenID
  • SAML (Security Assertion Markup Language)
  • XACML (eXtensible Access Control Markup Language)
  • Shibboleth
  • OAuth

Page 5: Extending drupal authentication

Two sides to the authentication

• Identity Providers (IP): verify and provide credentials
• Service Providers (SP): provide the requested services if the user authenticates

In a Drupal-only site, Drupal is both IP and SP.

Page 6: Extending drupal authentication

Things we must understand about Drupal

• Drupal requires accounts
• Drupal needs three pieces of information to establish an account:
  • User name
  • Password
  • Email
• Direct login is possible, and plans should be made to handle the case that the IP no longer certifies the user.
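A small model of the account rule on this slide, added here as an example and not Drupal's own user API (AccountStore, login_from_idp and idp_revoked are assumed names): an IP-verified login creates the local account with the required user name, password and email, where the password is random and unknown to anyone, and revocation by the IP blocks the account so that the still-existing direct login form cannot be used.

```python
import hashlib
import secrets

class AccountStore:
    """Constructed in-memory model of the rule on this slide; not Drupal's user API."""
    def __init__(self):
        # name -> {email, salt, pw_hash, external_id, blocked}
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login_from_idp(self, external_id, name, email):
        """Called only after the IP has verified the user. On first sight the local
        account is created with a random password nobody knows, so it satisfies the
        'three pieces of information' rule yet cannot be entered by direct login."""
        acct = self.accounts.get(name)
        if acct is None:
            if not email:
                raise ValueError("an email address is required to establish an account")
            salt = secrets.token_bytes(16)
            acct = {"email": email, "salt": salt, "external_id": external_id, "blocked": False,
                    "pw_hash": self._hash(secrets.token_urlsafe(32), salt)}
            self.accounts[name] = acct
        # An existing local account with this name but a different external identity
        # is not silently taken over by an IP login; a blocked account stays closed.
        return acct["external_id"] == external_id and not acct["blocked"]

    def direct_login(self, name, password):
        """Drupal's own login form still exists for this account, so it must honour the block."""
        acct = self.accounts.get(name)
        if acct is None or acct["blocked"]:
            return False
        return secrets.compare_digest(acct["pw_hash"], self._hash(password, acct["salt"]))

    def idp_revoked(self, external_id):
        """The plan for 'the IP no longer certifies the user': block, do not delete,
        so content ownership and audit history stay intact."""
        for acct in self.accounts.values():
            if acct["external_id"] == external_id:
                acct["blocked"] = True
```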

Page 7: Extending drupal authentication

Directory Based Solutions

Most SQL-based implementations are custom, so lookups will resist a generic solution.

LDAP is a standard and, fortunately, is the most common directory implementation.

A good argument could be made that Drupal’s native authentication is of this type.

Page 8: Extending drupal authentication

LDAP (Lightweight Directory Access Protocol)

A client contacts the Directory System Agent (DSA), which sends a response back to the client.

• Requests and responses are sent in plain text

• Every entry has a unique identifier, the Distinguished Name (DN), and a set of attributes.

Page 9: Extending drupal authentication

Drupal Implementation of LDAP: http://drupal.org/project/ldap

For Drupal 6, use the LDAP Integration module, not the LDAP module.

Page 10: Extending drupal authentication

Central Single Sign On

Allows users throughout an organization to use a single password to access all of the resources of that organization.

• Passwords are not shared with the application
• Communication between client and server is encrypted, which prevents eavesdropping and replay attacks
• The Kerberos and CAS protocols are the most common implementations.

Page 11: Extending drupal authentication

Kerberos

Developed at MIT as part of Project Athena, a project to build a campus-wide computing environment.

Page 12: Extending drupal authentication

Drupal Implementation of Kerberos

http://drupal.org/project/kerberos_authentication

Page 13: Extending drupal authentication

CAS

Developed at Yale University. Currently maintained by Java Architectures Special Interest Group.

Page 14: Extending drupal authentication

Drupal Implementation of CAS: http://drupal.org/project/cas

Page 15: Extending drupal authentication

Federated Solutions

Allows access to users of the system outside of their local environment, sending identity information that has already been verified by the IP to the application or site.

Allows you to send users to external resources, and allows external resources to use your site in a secure way.

There is a long list of federated protocols; some of the more popular open source solutions are OpenID, OAuth, SAML, and Shibboleth.

Page 16: Extending drupal authentication

Open ID

• Developed in 2005, originally called YADIS
• Comes with Drupal out of the box
• Because Drupal requires a user name and password, an OpenID must be assigned to a Drupal user
• Email is still required so legitimacy can be established
• Documentation at http://Drupal.org/documentation/modules/openid

Page 17: Extending drupal authentication

OAUTH

• Grew out of OpenID
• Commercial use very common
• Allows sharing of private information without giving out credentials

Page 18: Extending drupal authentication

Drupal Implementation of OAUTH

http://drupal.org/project/oauth

Page 19: Extending drupal authentication

Shibboleth

• Shibboleth is an open-source project that provides single sign-on capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
• Very common in education and government
• Shibboleth home page: http://shibboleth.net

Page 20: Extending drupal authentication

Drupal Implementation of Shibboleth

http://drupal.org/project/shib_auth

Page 21: Extending drupal authentication

OASIS

Organization for the Advancement of Structured Information Standards

Page 22: Extending drupal authentication

SAML (Security Assertion Markup Language)

• XML-based markup language to assert identity
• Usually the assertion is sent as a web service call in a SOAP wrapper

<saml:Assertion Version="2.0" IssueInstant="2009-02-04T23:08:00.173Z" ID="el-hJZpkAd5XlBywvK_LxieTaC.">
  <saml:Issuer>IDFED_E2E_IDP_SP_APP</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#el-hJZpkAd5XlBywvK_LxieTaC.">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>A7IVn/YqCJW6ZQT9/PqFBdZzhuY=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    ……….
</saml:Assertion>
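The structural checks a service provider should run over an assertion laid out like the one above, as an added example that is not from the slides or any Drupal module: the Issuer must be the expected IP, the IssueInstant must be fresh, the ds:Reference URI must point at this assertion's own ID (so the signature covers the assertion being consumed), and the SHA-1 based algorithms seen in the slide's sample are reported as weak. The sample assertion, its issuer EXAMPLE_IDP and ID are constructed; cryptographic verification of the signature itself is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# SHA-1 based signing/digest algorithms (the ones in the slide's sample); treat as weak today
WEAK_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}
# Constructed sample: hypothetical issuer and ID, placeholder digest, same layout as the slide's
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0"
  IssueInstant="2009-02-04T23:08:00.173Z" ID="_example-id-1">
 <saml:Issuer>EXAMPLE_IDP</saml:Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_example-id-1">
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
  </ds:Reference>
 </ds:SignedInfo></ds:Signature>
</saml:Assertion>"""
# Constructed "current time": one minute after the sample's IssueInstant
SAMPLE_NOW = datetime(2009, 2, 4, 23, 9, tzinfo=timezone.utc)

def parse_instant(value):
    """IssueInstant is an xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def check_assertion(xml_text, expected_issuer, now, max_age_seconds=300):
    """Structural checks an SP should run before trusting an assertion; returns a list of findings.
    Cryptographic verification of the signature is NOT done here; use an XML-DSig library for that."""
    root = ET.fromstring(xml_text)
    aid = root.get("ID")
    if root.tag != "{%s}Assertion" % NS["saml"] or not aid:
        return ["root element is not a saml:Assertion with an ID"]
    issuer_ok = root.findtext("saml:Issuer", namespaces=NS) == expected_issuer
    findings = [] if issuer_ok else ["Issuer is not the expected IP"]
    issued = parse_instant(root.get("IssueInstant", ""))
    if issued is None or abs(now - issued) > timedelta(seconds=max_age_seconds):
        findings.append("IssueInstant missing, unparseable or outside the freshness window")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return findings + ["assertion carries no ds:Signature"]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + aid:  # the signature must cover THIS assertion
        findings.append("signature Reference URI does not point at this assertion's ID")
    for el in sig.iter():
        if el.get("Algorithm") in WEAK_ALGS:
            findings.append("weak algorithm: " + el.get("Algorithm"))
    return findings
```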

Page 23: Extending drupal authentication

Drupal Implementation of SAML