Anyone good with SSO?

BBA

Supreme [H]ardness
Joined
Apr 25, 2003
Messages
5,382
Just looking for suggestions on easy-to-set-up server-side SSO between multiple server applications.

Basically, our team decided that it would be nice to have an SSO system in place with the goal of only needing a user to authenticate to just one app, then an authentication ticket would be passed to any other app that user opens during their current session.

The apps I currently have that I will need to SSO-integrate are: Atlassian Jira, Confluence, Fisheye/Crucible and SVN, which currently allow users to authenticate with their AD user ID and password. I also have several node.js REST API servers using postgres and redis backends for user authentication which are not AD-integrated.

I have no authentication ticket passing system currently in place between any of the apps, so the only thing AD is giving me is a place for centralized control of user rights. I.e.: whenever a user opens one of our applications/pages, they have to enter their own user ID and password to gain access to the specific app/page, although the specific per-app user access level is controlled by the AD groups the user is a member of.


So, if there is anyone who read this and was not confused about what I am asking: What would you recommend? (Please, tell me something from your own experience, not just a google search as I've been there and done that already).

ty
 
SSO can actually have two separate meanings (at least where I work). For us, SSO is a user has one set of credentials, and anywhere or anything they access they have to use these credentials for. Based on their assigned policy, they can only access certain things. I am employing Windows AD, LDAP, RADIUS, and TACACS+ and even at some points OTP tokens. To us, this is what we consider SSO: one set of credentials to access anything they need. The other definition is that a user logs into a sort of portal or system, and from there the user can open up and connect to assigned systems without having to enter user/pass info again. There are pros and cons to both, and it sounds like you are looking for the latter definition of SSO. Some of our stuff does run where the user's "ticket" is passed along to the application automatically. The easiest integration method that I have found for that is LDAP. I have also found that some of our main programs from vendors (Symantec, VMware, EMC, Cisco) use an LDAP module to tie back in, too. The web apps that we use don't tie back into AD for some reason. The programmers that be decided to create a SQL database for user accounts and use that for authentication. I'm not sure if it's easier or if that is just what they are used to.

Hope this helps.
 
I would look at Atlassian's crowd solution. Really straight forward for the Atlassian Stack to get integrated with Multi-LDAP sources, and for other apps you'll be able to leverage SAML integration.

SVN is probably going to be the only "difficult" thing to do, but Atlassian has it pretty well doc'd out.

https://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Subversion

Some linkage for the node.js changes that will likely need to be made to the authentication functions for your app:
https://github.com/bergie/passport-saml

This would basically tie everything back to your Crowd server, and you can add N number of LDAP services to the backend of that, so in theory you will only have one neck to strangle for authentication. This is the basic strategy we've taken where I'm working, except we opted for Connect2ID, as the decision was made a bit in a vacuum from the Dev side of the house.
 