Let me start off by saying that I'm not totally sure what I'm looking for. I'm hoping I can explain the situation I'm in, and that someone can point me in the right direction.
So here's what I'm up against. I want to build a ruby on rails application that will be hosted by oranization A on some domain organizationA.com. Then, multiple other organizations (X,Y,Z) will be accessing this tool from other domains (orgx.com, orgy.com, etc.). I do not know at this moment what form of authentication X,Y and Z will use, most likely it will be LDAP or native Windows, but the important thing is that it could be different from organization to organization.
In a situation like this, what is the best way (is there a way?) to allow the users at X,Y and Z to use the application using SSO. Are there any existing tools out there that you would recommend or have worked with? Is there a name for what I'm describing so I can do some better googling?
Any help is much appreciated.
One Possibility
CASino - http://casino.rbcas.com/
Looks like this would be a separate server just for authentication, using the CAS authentication protocol, and could be used for multiple different types of authentication at different organizations. I'll have to check it out.
I'm using CASino for our SSO Solution and it's really cool.
casino and rack-cas provide a good CAS server and client support for ruby based single sign on applications.
You can try rubycas-server and rubycas-client if you are developing RoR applications
Im currently developing a enterprise system using the similar technology, My solution is using rubycas-server to manage user info and logins, and create separate user system base on ssoid of cas-server on each application sever to maintain the access level individually.
Related
I am starting a new enterprise web application. It will be hosted up on Windows Azure and will be an asp.net MVC application talking to an SQL database.
My question relates to multi-tenancy and the correct way to accomplish it. In the past I've created a multi-tenant application by having a tenant table and than putting a TenantID column in every table. This worked fine (but it was only on a smaller scale so it didn't really exercise it to the nth degree). Looking into the multi-tenant stuff on Azure, it doesn't seem to recommend this way. They talk about subdomain, splitting tenants etc. To me, that just seems like a management nightmare. I would like the user to hit a website, enter their tenant login details and boom they are off.
Is there a simpler way to implement multi-tenancy in Azure that still allows me to use Azure's scalability strengths?
Should I just use the simple TenantID method? Will the Azure framework still scale well to suit?
Should I worry about tenancy at the start or just leave it till the end?
Advice needed.
Thanks
I have done it both ways on Azure. I have done it the way you have done previously where they enter in a tenant code upon logging in and this works fine, I don't see any reason to do differently. You can use SQL Azure federations to manage the tenants so you can have multiple databases easily for scalability.
I have then also used the subdomains approach to identity the tenant, but all it did was map the subdomain to a tenant code. I used this in a system where they didn't have to log on so it was easier for the user.
Worry about it at the start if only to design the database to cope with it.
I am little lost at the moment. Hopefully you can point me in the right direction...
Scenario: WinForms App / Active Directory / ONLY internal network
What I want: Achieve the same that NetSqlAzMan does (authenticate and authorize single operations) using WIF. No Federation, nothing that's not needed for that. Just authenticate a given user via his current Account, get the claims and see if he's allowed to call specific operations.
What is really needed for that? Do I absolutely need ADFS 2.0? What (simple) STS to use? Where to start? All I found on that is going to start with an enormous setup using WCF Federation Bindings and what not. Do I better stick to NetSqlAzMan?
Any help would be greatly appreciated! :)
What you're looking for is active federation (versus passive federation) which uses web services for authentication. Take a look at the Lab 4 here for some samples on how to do this.
As for an STS, you don't have to use AD FS 2.0 (although for Active Directory authentication, it's probably the best option). You can always write your own custom STS using WIF, or you can look at the IdentityServer, but I don't think it has native integration with AD. You'd have to add that, but it wouldn't be too difficult using the ActiveDirectoryMembershipProvider.
I'm building some applications using rails.
All apps using restful auth plugin for User base and declarative authorization plugin for authorization rules.
But I need to merge all site's User accounts to one User base for providing login for all sites.
I.e like 37signals working on. Here is their work ;
http://37signals.com/accounts
How can I archieve this, any suggestions are welcome.
Thanks
A.Karr
From studying how 37signals was doing stuff - I think they're using RubyCAS http://github.com/gunark/rubycas-server
It's perfect for single sign-on, single sign-off and other related stuff - when you have multiple independent applications. Also, because CAS is a generic protocol, it exists for non-ruby/rails applications too. SO you can integrate legacy systems or client applications in Java etc.
I started building a set of how-tos on the subject here:
http://rubyglasses.blogspot.com/2009/12/rails-single-sign-on-with-rubycas.html
Have you thought about using open id?
If all your apps run on the same domain you shouldn't have any problems accessing the authentication cookie in all the apps, but you'll need to store the authentication state somewhere where all the applications can access it.
I hate to re-invent the wheel so I'm looking for an existing solution to create a simple authentication system for my application. I've experimented for a while with using CardSpace or OpenID inside the application but I can't convince management that these would be working solutions.
Of course, I could just build a simple login dialog where username, domain and (hashed) password is stored inside a database table and I've done such a thing many times already. I hate this solution since I feel it's just a weak option. And I don't want to spend too much time trying to make the whole logon system as secure as possible, especially since I suspect that there should be existing solutions for this.
So, next to OpenID/OpenAuth and CardSpace, are there any other Authentication solutions that can be used from a Delphi/WIN32 application?
Right now, the application will be used by many customers. Most are single-user environments, although it's likely that some of those will start to have two to 5 users once this authentication system is added. But we want to support a customer who needs to allow about 500 different users on the same application. These are spread over about 100 offices but they all connect to the same SQL Server database. (MS Access right now, but we're making it possible for this user to use SQL Server instead.) To make matters even more interesting, the customer uses Citrix to centralize the user systems and the application has straight access to the SQL Server database. It's not an ideal setup but then again, the customer isn't really paying for this. We're just setting up a test environment. A proof-of-concept which the customer will test for us. Flaws will be solved later on. But right now I need quick solutions and one of them is a practical authentication system where I don't have to write a lot of code.
Have you considered using SQL Server authentication and not allowing authentication for those using an Access Database?
If you use the new SQL Server Native Client and SQL Server 2005 you can have passwords expire and change them from your client application. All of the tools to create and manage user accounts are built into SQL Server Management Studio. And if you decide later to support Windows Authentication you just need to modify your connection string.
We have a system where users on the network use Windows Authentication so they don't need to worry about another user name and password. For users that access the system via a VPN and non-domain joined machines they use SQL Authentication.
Here is the MSDN Page that talks about dealing with passwords programmatically in SQL Server 2005
You do need to make sure that SQL Server Native Client is installed, but that is simple compared to the rest of ADO.
I would suggest then
Delphi - since you are using Delphi :)
Open source - since you need to be able to figure out what is wrong if there is a problem, you probably want it cheap.
So, here are some solutions:
http://www.torry.net/pages.php?id=313
CoWindowsAccount v.1.0
SSecurity v.1.2.1.3
http://free-password-manager-plus.software.informer.com/1.6/
It might work for your purposes, but why not ask Windows for the current domain and user name, and use them as unique IDs. Windows has already done the authentication, and it saves the users making up new passwords or anything. I've used this to good effect. I also made it optional to include the machine name in the ID, so that the same user on different computers would also be unique.
I am about to be writing a Ruby on Rails app which will use sub-domains to authenticate users. We will have two types of accounts:
user accounts
domain accounts
Users will thus be able to belong to multiple domain accounts using the same credentials. I hope to have the ability for a domain account administrator to be able to search for particular users and add them to their domain.
In addition to simply creating a domain account in the database, I want to setup an actual account on the machine (linux-based) so that users can drop files into a special directory and we can run some scripts to import that new data. Alternatively, I may write a client/server script to make this process easier.
All of this I believe I can do, however, as soon as the project attains a certain number of domain accounts, it will be necessary to figure out how to cluster the domain accounts appropriately so that we can have multiple machines.
From a database standpoint, this is fairly easy and there are lots of tutorials on how to cluster MySQL or whichever SQL server I decide to use. So my question really pertains more to machine accounts as well as how to cluster a Rails app.
If you want a comparison, think of this project like GitHub or Beanstalk but with data that isn't source control related.
Does anybody have any experience with this or know of any really good articles/books to get me started?
Thanks very much!
I suggest you look at using one of the PAM modules that lets you do account authentication against a SQL database. That way you just add the domain account to the SQL database and you get UNIX accounts (on all your servers) automagically, for free. So the clustering should just happen for free too...