Whether you're developing public-facing web apps or deploying behind the corporate firewall, the days of identity silos are over. Social auth (log in with FooBookHub) and federated identity (SAML, OpenID Connect and friends) are the new normal. The advantages are clear: developers and operators have less security-sensitive code to write and deploy, while users experience less password/account fatigue, and enjoy improved productivity through single sign-on.
But there's no such thing as a free lunch; like most things in technology there are trade-offs. Federated authentication protocols are inherently more elaborate than plain old passwords; more moving parts means more complex deployment and more points of failure. Fortunately there are tools to ease the burden and smooth the process of securing your applications.
In this extended session for web developers and administrators/operations folks, attendees will learn and experience how to deploy and use federated auth, end-to-end from the identity provider to the app. The session will cover:
- The basics of federated authentication including protocol overviews and comparisons.
- How to use social auth providers for public-facing applications, allowing users to log in with an account they already have.
- How to leverage accounts in centralised identity management systems (FreeIPA, Active Directory, LDAP, etc) for single sign-on in an organisation.
- How identity brokers like Keycloak make it easy to use a variety of external authentication providers, and provide a consistent user experience across multiple applications.
- How to use external identities in your applications with the help of your web server, focusing in particlar on popular Python web frameworks and Apache (though the principles are more widely applicable).
- Security characteristics, and discussion of some challenging scenarios including testing, account merging and single sign-out.