6

We run a large distributed system consisting of a number (>10) of Django-based web services and web applications with a consumer base of about 10000 university students. Currently, we use a single single-sign-on system (Shibboleth) provided by our university to handle authentication. Authorization/roles are manually configured per-user at each web service. Our current architecture is shown below: [diagram: current architecture]

We would like to extend our system to allow logins using Google, Facebook, LinkedIn and other universities. It seems like we need a middleware that is in charge of authentication and role management. Roles are frequently created and cannot be statically defined. The middleware should also perform session management (like handling timeouts, single log-out). We picture something like the following:

Architecture of proposed system

What components would we need in this middleware? Our sysadmin is considering Gluu or Keycloak along with an AD service. Would either of these solutions meet our requirements? Are there any best practices or vulnerability/configuration checklists for such systems?

Jedi
    My first thought would be to extend the uni sso to use Google LinkedIn etc. Is that an option? – Stefan Rasmusson Jun 02 '16 at 18:07
  • Nope, the uni SSO is off-limits. – Jedi Jun 02 '16 at 20:16
  • Have you taken a look at Oauth? (https://en.wikipedia.org/wiki/OAuth) – Bubble Hacker Jun 05 '16 at 15:12
  • Yes, and both Gluu and Keycloak support OAuth 2.0. Currently, we're more interested in an implementation, not just the protocol. – Jedi Jun 05 '16 at 15:15
  • Maybe [django-social-auth](https://github.com/omab/django-social-auth)? This question isn't a great fit for this site; we're more for questions like "What are the risks with allowing OAuth 2.0 logins?" I guess Stack Overflow would reject this as "we don't recommend software", so maybe software recs? – paj28 Jun 06 '16 at 10:21
  • Thanks for pointing that out [@paj28](https://security.stackexchange.com/users/31625/paj28). This forum seems to have more IDAM experts. – Jedi Jun 06 '16 at 18:42
  • Hi! What middleware did you wind up choosing? – anon Jan 09 '17 at 17:48
  • We piloted Keycloak and found it satisfactory. @anon – Jedi Jan 11 '17 at 02:33
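The question asks what the middleware must do and whether there is a configuration checklist for it. The checks below are an added example (not code from the question, the answers, Keycloak or Gluu) of what each Django service should verify when an identity broker hands it a signed token, so that roles come from the broker's claims rather than being configured by hand at every service. Assumptions not stated on the page: tokens are JWTs signed with HS256 and a shared secret so the example runs offline with only the standard library (Keycloak normally signs with RS256 and publishes a public key, and a real service should verify against that instead); roles are read from the Keycloak-style claims `realm_access.roles` and `resource_access.<client>.roles`; the issuer URL, client id and secret are constructed placeholders.

```python
"""Token checks a Django service performs on tokens from an identity broker.

Added example, not from the page. Assumes HS256 with a shared secret
(stand-in for Keycloak's RS256) and Keycloak-style role claims.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret):
    """Stand-in for the identity broker: produce an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, secret, issuer, audience, now=None):
    """Check algorithm, signature, issuer, audience and expiry; return claims.

    Raises ValueError on any failure so a caller can never use the claims
    of a rejected token by accident.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; the token must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this service")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")  # broker-enforced session timeout
    return claims


def roles_from_claims(claims, client_id):
    """Collect realm-wide and per-client roles (assumed Keycloak claim layout)."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def is_authorized(token, secret, issuer, client_id, required_role, now=None):
    """The single decision a Django view or middleware would call."""
    try:
        claims = verify_token(token, secret, issuer, client_id, now)
    except ValueError:
        return False
    return required_role in roles_from_claims(claims, client_id)


# Constructed sample values; placeholders, not from any real deployment
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.edu/auth/realms/campus"
CLIENT = "grades-service"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": [CLIENT, "account"], "sub": "student-42",
    "iat": NOW - 60, "exp": NOW + 300,
    "realm_access": {"roles": ["student"]},
    "resource_access": {CLIENT: {"roles": ["grade-viewer"]}},
}


def demo():
    """Exercise each check; returns the outcomes so they can be asserted."""
    good = mint_token(SAMPLE_CLAIMS, SECRET)
    forged = mint_token(SAMPLE_CLAIMS, b"wrong-key")
    other = mint_token({**SAMPLE_CLAIMS, "aud": "library-service"}, SECRET)
    return {
        "viewer_ok": is_authorized(good, SECRET, ISSUER, CLIENT, "grade-viewer", NOW),
        "admin_denied": is_authorized(good, SECRET, ISSUER, CLIENT, "admin", NOW),
        "forged_denied": is_authorized(forged, SECRET, ISSUER, CLIENT, "grade-viewer", NOW),
        "expired_denied": is_authorized(good, SECRET, ISSUER, CLIENT, "grade-viewer", NOW + 600),
        "wrong_aud_denied": is_authorized(other, SECRET, ISSUER, CLIENT, "grade-viewer", NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The five outcomes in `demo()` are the checklist items a service must get right: a valid token with the required role is accepted; a missing role, a token signed with the wrong key, an expired token, and a token issued for a different service are all refused. The audience check matters in a multi-service deployment like the one described, since without it a token obtained for one web service can be replayed against another.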

4 Answers

1

What it seems like you are asking about is an Identity and Access Management (IDAM) solution which offers federated authentication from non-university sources.

I've only dealt with proprietary solutions (Oracle, CA etc..) but generally IDAM solutions are made up of the following elements:

  • Authentication
  • Access Control
  • User Management
  • User repository

I cannot answer your question whether Gluu or Keycloak plus AD covers your requirements and I know nothing about them. Defining and mapping your requirements against each solution should indicate whether they are suitable. I would also assume that any open source solution with a rich and mature community would have plenty of guidelines regarding hardening, configurations etc...

1

As mentioned in other answers, basically you need a unified Identity management system.

Disclaimer: The company that I work for has a product which provides identity services.

I would not trust a person's StackOverflow answer to decide which system is best suited to my needs. These systems are fairly expensive and people usually request proposals from several vendors before deciding the system. As for checklists, each vendor will have different memory and configuration requirements. So the answer depends on the vendor that you choose.

Keep the following high level points in mind when you choose your middleware:

  1. The hardware requirements. Considering the number of requests you will be getting, you will need several dedicated servers to handle the traffic. This will incur an additional hardware cost. Some Identity managers come with OEMs and can help you get a better deal.
  2. The API documentation of the Identity services. Changing an identity service is a real pain. So you would want one that is easiest to integrate to. Choose one that has a good API documentation so that your web services and clients can integrate relatively easily.
  3. Have a limited set of login sources. Not all accounts will be compatible with all Identity management services. Also, often a small selection of accounts is good enough. Going for more can become overkill. For example, most university students have Google/Facebook and college credentials. Having more logins is good to have but not mandatory.
techraf
Limit
  • Thanks @Limit for all the advice. Just hoping that the community can present options, which we can vet and choose from. We're reading and playing around with a bunch of tools on the side – Jedi Jun 06 '16 at 12:05
  • @Jedi many colleges and my father's company use Google accounts for their work. Other relatively cheaper options are Novell Single Sign on and Dell solutions – Limit Jun 06 '16 at 12:19
  • @Jedi thanks for the bounty! Did you decide which product to use? – Limit Jun 13 '16 at 04:31
0

You are looking for an "API Gateway."

Many API gateway products and services are available. This StackOverflow answer lists some of the options: https://stackoverflow.com/a/11335822/650894

In addition, Amazon offers their own API gateway, which looks to have pretty flexible deployment options: https://aws.amazon.com/api-gateway/

I've also encountered the Axway API suite, which looks promising: https://www.axway.com/en/enterprise-solutions/api-management/api-management-solutions

Sorry I can't tell you which option might best fit your needs, as I am myself trying to get up to speed on this space. Best of luck!

Joe Lapp
  • Thanks [@Joe Lapp](https://security.stackexchange.com/users/112538/joe-lapp). I'm not sure if this is what we're looking for. Our web services are not all APIs, but also have interactive front-ends. Also, none of these solutions seem to provide the authentication capabilities that we need. – Jedi Jun 05 '16 at 22:26
  • What do you mean by "interactive front end"? A mobile or javascript client is an interactive front end that does its job by making AJAX requests to end points on the server, and those end points are "web services." If instead you mean that your server is in some cases generating HTML for the client, the client is still sending data to the server (e.g. HTTP post), and the server is providing data in response (HTML vs JSON in the body). In both cases, authorization can be managed by tokens in the HTTP header or cookies. You're only stuck if your server manages session state for the client. – Joe Lapp Jun 05 '16 at 22:58
  • Some of the web applications do maintain state. They are Django-based web-apps with logins (and sessions). The clients for these apps are users using web browsers (these store the cookies). – Jedi Jun 06 '16 at 00:41
0

We feel the best approach to this is to follow the open source momentum. Keycloak and Gluu will both have ways to solve this as will a number of other solutions available. You really need to find a solution that matches your current internal skill-set/resource base.

But if you choose a key vendor based on a stackoverflow discussion, then chances are you have much bigger problems to deal with :)

  • FWIW, we piloted Keycloak and managed to twist it to serve all our production requirements. Our internal skill set was zero, but that was eventually adequate. I might even agree about Stack Overflow, but this is InfosecSE... we're highly knowledgeable here!!! :-) – Jedi Sep 14 '17 at 03:24
  • Both Gluu and Keycloak are fairly opinionated, especially when it comes to representing authorization data; neither is great to work with (at least not yet). I'd recommend Keycloak if you're Java-heavy though; it has solid bindings and fits in well with existing microservices. – Jedi Sep 14 '17 at 03:27