64

Before you put me down for asking too basic a question without doing any homework, I'd like to say that I have been doing a lot of reading on these topics, but I'm still confused.

My needs seem simple enough. At my company, we have a bunch of Ruby on Rails applications. I want to build an SSO authentication service which all those applications should use.

Trying to do some research on how to go about doing this, I read about CAS, SAML and OAuth2. (I know that the "Auth" in OAuth stands for authorization, and not authentication, but I read enough articles saying how OAuth can be used for authentication just fine - this is one of them.)

Could someone tell me in simple terms what these 3 are? Are they alternatives (competing)? Is it even right to be comparing them?

And there are so many gems which all seem to be saying very similar stuff:

I just want a separate Rails application which handles all the authentication for my other Rails apps.

Note: I do not want to allow users to use their Google / Facebook accounts to login. Our users already have accounts on our site. I want them to be able to login using that account once and be able to access all our apps without signing in again. Signing out in any app should sign them out of all apps.

UPDATE

I have come across these two OAuth solutions:

They seem to be describing something very similar to what I want. But I haven't found any guide / blog post / tutorial showing how to do this with SAML / CAS.

Suggestions welcome.

UPDATE 2

More details about our use-case.

We do not have any existing SAML architecture in place. Primarily, it is going to be OUR users (registered directly on our website) who are going to be accessing all our applications. In the future, we may have third-party (partner) companies calling our APIs. We may also have users from these third-party (partner) companies (registered on their websites) accessing our apps.

Improve this question

5 Answers 5

Reset to default
66
+50

CAS-Server:

A stand-alone central login page where the user enters their credentials (i.e. their username and password).

CAS supports the standardized SAML 1.1 protocol primarily to support attribute release to clients and single sign-out.

(a table in a SQL database, ActiveDirectory/LDAP, Google accounts, etc.) Full compatibility with the open, multi-platform CAS protocol (CAS clients are implemented for a wide range of platforms, including PHP, various Java frameworks, .NET, Zope, etc.) Multi-language localization -- RubyCAS-Server automatically detects the user's preferred language and presents the appropriate interface.

enter image description here

SAML : Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML authorization is a two step process and you are expected to implement support for both.

enter image description here

OAuth 2.0:

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

enter image description here

Important Note :

SAML has one feature that OAuth2 lacks: the SAML token contains the user identity information (because of signing). With OAuth2, you don't get that out of the box, and instead, the Resource Server needs to make an additional round trip to validate the token with the Authorization Server.

On the other hand, with OAuth2 you can invalidate an access token on the Authorization Server, and disable it from further access to the Resource Server.

Both approaches have nice features and both will work for SSO. We have proved out both concepts in multiple languages and various kinds of applications. At the end of the day OAuth2 seems to be a better fit for our needs (since there isn't an existing SAML infrastructure in place to utilize).

OAuth2 provides a simpler and more standardized solution which covers all of our current needs and avoids the use of workarounds for interoperability with native applications.

When should I use which?

1.If your usecase involves SSO (when at least one actor or participant is an enterprise), then use SAML.

2.If your usecase involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc), then use OAuth.

3.If you need to provide access to a partner or customer application to your portal, then use SAML.

4.If your usecase requires a centralized identity source, then use SAML (Identity provider).

5.If your usecase involves mobile devices, then OAuth2 with some form of Bearer Tokens is appropriate.

enter image description here

Reference 1,Reference 2,Reference 3

Improve this answer
5
  • Thank you for the detailed explanations, but I am still not clear about the differences between CAS and SAML. Are they similar in what they offer? Is it right to be comparing them? Additionally, I have mentioned my exact use-case in my question. Could you give me a direct answer as to which solution would be the most suitable?
    – Anjan
    Commented Jun 4, 2015 at 10:50
  • CAS supports the standardized SAML 1.1 protocol primarily to support attribute release to clients and single sign-out.SAML can be useful to you.SAML is going to be around much longer than CAS, so its a better bridge solution
    – Tharif
    Commented Jun 4, 2015 at 10:57
  • also If you are going to authenticate both of the applications using your single database, CAS is enough, SAML not required. SO : stackoverflow.com/questions/29843794/cas-server-with-saml-2
    – Tharif
    Commented Jun 4, 2015 at 11:03
  • What would be your recommendation be for my use-case?
    – Anjan
    Commented Jun 5, 2015 at 8:25
  • recommending based on use-case only would not be a good thing to consider..there are more constrains you should be aware of before selecting with your requirements..kindly go through the reference links they have description with each and every requirements..CAS can be used in your use case as well
    – Tharif
    Commented Jun 5, 2015 at 9:13
17

If you need to authenticate for LDAP or ActiveDirectory then a solution like one of the CAS gems you mentioned above is right for you (RubyCAS, CASino).

If you can afford it, one of the commercial vendors (like Okta) is your best option because they will stay on top of security patches and manage your authentication needs for you. In particular, if you have to support ActiveDirectory, they've already implemented it.

OAuth is most useful for third party authentication, though it can do SSO. So if you wanted to support Google / Facebook logins or be a third party authenticator then it's a great choice. Since you don't want to support Google / Facebook then OAuth is probably not what you want.

If you are only intending to use HTTP POST for your SSO needs then the ruby-saml gem could be the way to go. You would have to implement your own Identity provider and add a service provider component to all your websites (possibly in the form of a gem.) Part of what you would need is a rails api to act as your identity provider. This gem helps support writing API's in rails.

EDIT

You mention the possibility that future third party users might be logging on to your site. This changes your calculus away from rolling your own ruby-saml solution.

The best way to share your authentication API is to implement an OAuth layer. Doorkeeper is a popular solution and is fast becoming the standard for Rails authentication. It's community support, flexibility and ease of use make it the best way to go for a consumable authentication API.

Railscast for implementing doorkeeper

Improve this answer
7
  • I have added an update to the question. Please give me your thoughts.
    – Anjan
    Commented Jun 4, 2015 at 7:05
  • So, you are saying that the OAuth solution would work when the users are registered on a different company's website and they have to access our applications? How would this actually work? Could you detail it out? Does it involve me transparently creating an account on my OAuth server for those 3rd party users? I am leaning towards the Doorkeeper solution, but I just need to confirm that the above scenario can be worked out.
    – Anjan
    Commented Jun 5, 2015 at 8:16
  • "@Anjan, yes OAuth will allow user's from other companies to create accounts on your site and access your applications. On authentication your application will either creates a cookie or a bearer token These cookies can be "permanent" (until user logs out), or session based (until browser is closed). Doorkeeper has the tools for you to create these cookies and bearer tokens. You still have to add a lot of personal implementation of logic. This railscast goes over a lot of what you will need to implement doorkeeper railscasts.com/episodes/353-oauth-with-doorkeeper
    – Uri Mikhli
    Commented Jun 5, 2015 at 15:09
  • @Ravenstine is this close to what you were looking for?
    – Uri Mikhli
    Commented Jun 5, 2015 at 15:24
  • @Ravenstine , you accepted my answer but didn't award me the bounty. I understand if you meant to do that, but was that your intent?
    – Uri Mikhli
    Commented Jun 7, 2015 at 2:17
12

Anjan.

I've used CAS and OAuth in my work. Here are some of my opinions, and hope to help.

Basically

  • Both CAS and SAML aim to solve SSO situation. And CAS is a service or an authentication system, which can support SAML protocol.
  • OAuth aims to solve authorization and authentication.

And in practice,

  • Both CAS and SAML act as an gateway in front of a group of applications which belong to one organization. Just like your case.
  • OAuth is used to authorize and authenticate between different organizations.

Just my thoughts, and hope to hear more voices.

Improve this answer
2

We have used CAS and SAML in our architecture (Mobile App, Online Portal, and MicroServices) and both are used for different purpose. Our Online Portal is like online banking that runs in public domain and has to be secure. We don't want to store password and other secure token's in the DB of the online portal, therefore, we use CAS for authentication and authorization. During registration, when user chooses the password, we store the password in CAS and store corresponding token in the DB of Portal
When user login next time, User enters the user name and password in Portal. Portal fetches the token corresponding to user from DB and sends User_name, password, and token to CAS for validation.
But, in case user has already logged in into one application and we redirect user to our another application then we dont want to user to enter username and password again for second application. We use SAML to solve this. First application shares user details with SAML server and gets token in return. First application passes the token to second application. Second application sends token to SAML server to get user details and on success lands user to desired page. Our first application can be Mobile App and second can be Portal in the scenario of App2Web.

Improve this answer
0

Since you have got lot of answers for this question, I would like to suggest you an identity product that can be cater these kind of all protocol in one hand with lot of authentication and user management features. You can just try WSO2 Identity Server version for this.

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.