SSO solutions for Django - django

I have several Django websites and I want to create a centralized auth provider. The auth provider site would contain the user accounts and be the only repository for user details and passwords. Users would log into the auth provider site and when they visit each satellite website for the first time, an account is created on that site. Subsequent visits to the satellite site would result in them being sent to the auth provider site to login first. On returning they are automatically logged in to the satellite site. My only difficulty is that the auth provider site would be on the internet and the satellite sites are in DMZs on private networks with access to the internet. So the satellite sites cannot establish any outgoing connections to the auth provider.
I still need the ability to log into the satellite sites using the locally configured admin user.
I looked at OAuth2 but I don't think that fits my needs. I'm currently reading about OpenID but I noticed a comment that the satellite server contacts the OpenID server, which cannot happen in my configuration. When I say OpenID I mean that I would have to run my own server as I need 100% control over the users. Are there any other solutions I've not mentioned yet that meet my requirements?
Thanks

What you're looking for is essentially SAML.
Unfortunately, I'm not aware of any good off-the-shelf open source solutions for this.
If you're looking for a service solution, the company I work at (Stormpath) provides a library that does this. It's free to use. https://github.com/stormpath/stormpath-django

Related

How do you implement client SSO on sitecore cross domain?

Everything I searched for returns info about internal user SSO, not client facing websites.
I need an SSO implimentation that works with sitecore's asp.net membership api or has it's own sitecore security provider to enable users who log in to publicfacingwebsite1.com to be able to be logged in to publicfacingwebsite2.com and logging out of one will log out of the other. I would prefer sitecore's asp.net membership provider as that will probably have the least upgrade implications in the future.
The domains are different top level domains. The websites are separate sites on the same sitecore instance.
I also need the side ability to impersonate a user (log in as the user) from an admin user, but once I have the main implementation, I'm sure I can find a method for the impersonation.
Regards
I would use a third party framework for the SSO part. For instance IdentityServer3
Here is a good introduction on how to use it together with Sitecore
In regards to the membership provider and the profile data, if you are thinking upgradeability, I am not sure it will be so, if you use the native membership provider. Sitecore will most likely switch to ASP.Net Identity in the near future. The ASP.NET Identity is supported in IdentityServer3, so you might obtain a shared user profile by using IdentityServer for the profile as well. But this is all guessing the future.
If you want to use the membership provider and the standard Sitecore profile provider, I am sure you can customize the implicit flow to map the Identity to a Sitecore user.

OpenID Connect for service-oriented architecture web portal

I'm building a website using service-oriented architecture (SOA) principles. When users visit the site in their browsers, the interface they see will be composed of resources delivered by several different services on the backend.
My question is how to use OpenID Connect (OIC) to implement SSO so that users log on through the site once and their browsers can automatically retrieve all the protected resources that are necessary.
The main conceptual difficulty I'm having is that everything written for implementing OpenID Connect seems to be oriented toward people creating monolithic third-party clients that authenticate with Google, Yahoo, etc. In my case, however, the client is my web portal and the resource providers are my backend services. Certain OIC concepts don't make sense to me in this context: for instance, the auth grant. Are users supposed to authorize the web portal to access their information the first time that they log on? That would be pretty absurd.
Or Is OIC the wrong tool for what I'm trying to do?

Google Cross Domain Authentication

I have various sites (on their own domain) with their own authentication systems. What I'm trying to do is combine all the authentication into Google's authentication so the users will only have to log in with their Google credentials. What I'm thinking of is that they would log in with their Google credentials and be redirected to a dashboard which has image links to the other sites. The user should be able to go to any of the sites and be automatically logged in since they were already authenticated. I saw that there's an authentication for Google Apps but is this the same thing for my websites?
What I'm not sure about is how does this happen cross domain? How do the other domains know that the user is already authenticated?
Also, if the user logs out, they should not be able to access any of the sites anymore.
Anyone have any experience implementing something like this? Any resources are much appreciated. I will be implementing this in Coldfusion so Coldfusion resources are a bonus.
Your talking about using Google to login/signup i.e. Using OAuth 2.0.
You will need to register each of your app domains with Google. The user will need to confirm each application to allow access (in your case for signup/login).
Resource on Google Login with ColdFusion by Raymond Camden
The point is you need to establish a certain protocol to build a trust.
Other options are:
Google oauth javascript cross domain

Authentication with website, mobile app, and webservice

I am creating a service that will include a website, a mobile app, and a web service.
Both the website and mobile app will talk to the web service to interact with the database and any other backend items.
I would like users to be able to log in with other services (such as google, facebook, twitter, etc.)
I have two questions in implementing this:
1.) Should I use OpenID or OAuth? I'm not sure which is better for the situation. I have no need to actually access features from a users account, I just want them to be able to log in with accounts they already have,
2.) Where should I implement the authentication? Do I have to implement it both on the website and on the mobile app, or could I have both talk to the web service and do the authentication there?
Thanks
If you are just doing authentication and not syncing any account details, I think OpenID is the way to go. From a security standpoint, I would say to implement your authentication on the website and on the app and not in the webservice. You want to handle credentials the least amount possible and especially avoid sending the credentials via webservice if not using SSL.

Using SSO to log into my existing application from Google Apps

My company will be soon switching to Google Apps, and I would like to propose the idea of having our site administration page being authenticated with OpenID. Therefore, any user who is logged into Google Apps would be automatically logged in to our site Administration. Currently, our site administration has it's own list of users and passwords in the DB, but I would like to have the user list based off Google Apps, with their unique identifier saved in our DB. That way, new employees would only have to be set up in Google Apps to access our site Administration.
I've done some research, and come across terms like SSO, OpenID, and SAML, but I can't quite narrow down which route I'm supposed to go. It seems like Google has a lot of paths open for development, and I'm not sure which one I'm supposed to take.
My question is: What kind of Authentication am I seeking for my purpose described above, and can anyone point me in the direction of where to get started? My site is published in ColdFusion 9, so answers specific to that platform are a bonus.
If you just need Web SSO -- I believe you would use your GApps domain as an OpenID Provider. Your application would then act as an RP and consume identities as established by your own GApps domain and company administration. GApps can only act as a SAML Service Provider -- so using SAML for this use case isn't realistic.
HTH
Ian