Building simplicidade.org: notes, projects, and occasional rants

Federated Identity and Single sign-on

For quite some time we have been setting up a federated identity system for single sign on web apps at work.

The way it works is this: whenever you access a web app and you are not authenticated, you are redirected to a login server. There you choose which intranet you belong to. You click on your intranet's name, you authenticate there, and then you are redirected back to the web app you were originally trying to access. From then on, you can access all the other web apps that use the same system without further authentication steps. Authorization is also managed by the system, based on profile information that each intranet provides about its users.

This works very well: each user's permissions are managed in a distributed way, by the user's own intranet, but enforced centrally.
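To make the flow concrete, here is an added example that is not code from the post, nor from Shibboleth or any product it mentions. It simulates the four steps above in plain Python: an app with no session redirects to the login server, the chosen intranet checks the password and hands back a signed profile, the login server verifies it and opens one central session, and every app then enforces the roles the intranet asserted. The intranets, users, hostnames and the shared HMAC secrets are constructed for the example (real deployments use signed SAML assertions rather than a shared secret).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (not from the post): two intranets, each with its own
# users, passwords and roles, plus the HMAC secret each shares with the login server.
INTRANETS = {
    "sales": {"secret": b"sales-shared-secret",
              "users": {"ana": ("pw-ana", ["sales", "reports"])}},
    "rnd":   {"secret": b"rnd-shared-secret",
              "users": {"bob": ("pw-bob", ["dev"])}},
}
LOGIN_SERVER = "https://login.example.test"   # hypothetical login server
APPS = {                                       # hypothetical web apps -> roles allowed in
    "https://wiki.example.test": {"sales", "dev"},
    "https://reports.example.test": {"reports"},
    "https://ci.example.test": {"dev"},
}
SESSIONS = {}  # central session store: opaque session id -> user profile


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def intranet_authenticate(intranet, username, password, return_to, now=None):
    """Step 2: the user's own intranet checks the password. On success it returns a
    short-lived, HMAC-signed assertion carrying the profile (roles) that the
    login server will rely on for authorization."""
    site = INTRANETS[intranet]
    stored = site["users"].get(username)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    payload = {"sub": username, "idp": intranet, "roles": stored[1],
               "aud": LOGIN_SERVER, "return_to": return_to, "exp": now + 300}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(site["secret"], body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(mac)


def login_server_consume(token, now=None):
    """Step 3: the login server verifies the assertion (MAC, audience, expiry),
    opens a central SSO session and sends the browser back to the app.
    Returns (session_id, return_to), or None if the assertion is rejected."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = b64url_decode(body_b64)
        payload = json.loads(body)
        site = INTRANETS[payload["idp"]]   # pick the secret of the claimed intranet...
        expected = hmac.new(site["secret"], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
            return None                    # ...and let the MAC prove that claim
        now = time.time() if now is None else now
        if payload["aud"] != LOGIN_SERVER or payload["exp"] < now:
            return None
    except (ValueError, KeyError, TypeError):
        return None                        # malformed or unknown-intranet token
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": payload["sub"], "idp": payload["idp"],
                            "roles": set(payload["roles"])}
    return session_id, payload["return_to"]


def app_request(app_url, session_id):
    """Steps 1 and 4: a web app handling a request. Without a valid SSO session the
    browser is redirected to the login server's intranet chooser; with one, the
    app enforces the roles the user's intranet asserted."""
    profile = SESSIONS.get(session_id)
    if profile is None:
        return ("redirect", f"{LOGIN_SERVER}/choose?return_to={app_url}")
    if not APPS[app_url] & profile["roles"]:
        return ("forbidden", profile["user"])
    return ("ok", profile["user"])


if __name__ == "__main__":
    wiki = "https://wiki.example.test"
    print(app_request(wiki, None))                       # ('redirect', ...)
    token = intranet_authenticate("sales", "ana", "pw-ana", wiki)
    sid, back = login_server_consume(token)
    print(app_request(back, sid))                        # ('ok', 'ana')
    print(app_request("https://ci.example.test", sid))   # ('forbidden', 'ana')
```

The security-relevant checks sit in `login_server_consume`: the intranet named in the assertion only selects which secret to verify with, and the MAC, audience and expiry have to hold before a session exists, so a token altered after the intranet signed it (for example with extra roles) is refused. The example deliberately omits what a real system such as Shibboleth adds on top: asymmetric signatures, assertion ids with replay protection, and binding the session cookie to the browser.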

Some weeks ago I found out about Shibboleth. It does exactly the same thing, so I'm looking into using their code to replace our half-baked solution. If you are interested in this kind of stuff, check out OpenSAML, and Ping Identity for commercial solutions with open source code. Also, a great article about identity by Doc Searls is up at Linux Journal.

Anyway, when I was reading through the Shibboleth docs, I started to think that, since I use my PowerBook, I've been doing single sign-on in almost every app I use and website I visit, without all this fuss about setting up a federated identity system.

The system Keychain of Mac OS X is a great solution. It stores all my logins/passwords for apps and sites, ssh keychains, and the X.509 certificates I use for mail. It really works well, and I feel a lot more secure knowing that all my "stuff" is on my personal computer, where I'm the only one responsible for backups (which I do almost every week… :) ).

Kudos, Apple.