Monday, April 16, 2012

Build Single Sign On Implementation (using computer login) for Intranet or Campus network.

In recent years, web applications have been developing rapidly. Web applications are preferred because of their flexibility and accessibility. With this type of application, a company or an organization with a huge number of employees can easily maintain and improve functionality, because changes can be implemented immediately in the current system without any adjustment in the client environment.

There are many useful web applications developed by the open source community, but because they are developed by different groups, they use different kinds of authentication systems. For users, typing a username and password every time they use a different web application is a pain, even when the username and password are the same. There is also a security risk: every additional credential prompt is another opportunity for a trojan or an attacker to capture the typed username and password.

So how can we make the authentication process simpler? That is why we need Single Sign On: we log in only once and can access different web applications without logging in again. I have already logged on to my computer, so why should I authenticate again to access my web application? It is indeed possible to build Single Sign On on top of the computer login. This article discusses everything you need to know to integrate Single Sign On based on the computer login into your environment.

To achieve the goal, three main applications are used in this system: Shibboleth IdP (Identity Provider), Shibboleth SP (Service Provider) and Kerberos. The Shibboleth IdP handles all authentication for the web applications and accepts a Kerberos ticket as proof of authentication. The Shibboleth SP is installed alongside each web application as the back-end engine that communicates with the Shibboleth IdP. Kerberos is used to allow Single Sign On authentication from the computer login and adds more security to the authentication process.

First, I will discuss how to implement Kerberos in the Windows client environment. There are many ways to implement Kerberos authentication on the client. If you have a Novell environment, you can install the Novell KDC server to issue Kerberos tickets and handle authentication, and configure the Novell client to receive the ticket using NMAS. I would like to discuss this after I have succeeded in implementing this system. If you have a Windows domain environment, you can use Windows Active Directory, which provides Kerberos authentication in its domain system. Windows clients such as WinXP SP2, Vista and Win7 can receive Kerberos tickets without further modification; you only need to set up the server. I will describe how to set up a Windows Active Directory using Samba 4.

Second, the configuration of the Shibboleth IdP and Shibboleth SP is described. In the examples, I will describe how to integrate TYPO3, WordPress and Moodle with the Shibboleth SP.

After these steps, you will have Single Sign On implemented in your environment.
