PlugSSO


Author: Jarle Elshaug

Overview

PlugSSO gives access control through secure Single Sign-On allowing users to sign on once using one set of credentials, giving them one-click access to all your web applications from anywhere.

You may have heard of products like Ping, Okta, SiteMinder,…?
Well, it’s time for lightweight microservices: PlugSSO

Highlights:

  • Lightweight, modular and massively scalable
  • Incredibly fast, validates requests in less than 300 µs
  • Easy installation and configuration, one binary and a configuration file
  • Always On Failover clustering, loadbalancing and synchronization between all nodes
  • Runs anywhere having a reverse proxy as the only external dependency
  • Misc. options for Authentication (AuthN), Authorization (AuthZ), Two Factor (2FA) and Geolocation
  • Both external (federated) and internal authentication options
  • Intergrates with SCIM Gateway for building customized AutnN/AuthZ logic including Just-in-Time Provisioning (JIT)
  • Misc. attack preventions e.g. brute-force and man-in-the-middle
  • Built-in OAuth and OpenID provider (OP)
  • Works with any reverse proxy server (nginx, traefik, ambassador, istio, envoy, etc) that supports forward/external authentication
  • Docker and Kubernetes-friendly
  • Written in Go, a high-performance networking and multiprocessing language with higher memory safety guarantees than other servers

User login flow:

  • Authentication (mandatory)
    External, using OAuth or OpenID Connect e.g. Azure, ADFS, Google, Facebook,…
    Internal, using built-in directory option e.g. Active Directory, or more advanced through SCIM Gateway giving full flexibility in terms of endpoints, protocols and custom logic to be used e.g. cloud implementation using on-premise authentication
    Users can be “allowlisted” based on organization, login name and geolocation
    Supports all Azure sign-in options: AzureAdMyOrg, AzureAdMultipleOrgs and AzureAdAndPersonalMicrosoftAccount
  • Authorization (optional)
    User lookup and validation (e.g. group memberships) through built-in directory option, or more advanced through SCIM Gateway where needed custom logic can be defined.
    Supports custom headers to be set for having Single Sign-On towards web applications using header validation (e.g. Symantec/Broadcom/CA Identity Suite using SiteMinder headers).
  • Two Factor (optional)
    One time password using your favourite authenticator app on iPhone or Android (e.g. Microsoft, Google, Authy,…) having a first time on-the-fly registration by scanning a QR code
  • Built-in OAuth and OpenID Connect Provider (optional)
    If your web application supports OAuth or OpenID Connect, it can be setup to use PlugSSO as provider. Users then get Single Sign-On by PlugSSO and becomes automatically accepted by destination application.

Configuration, one or more Domains configured with:

  • Authentication (mandatory)
  • Authorization (optional)
  • Two Factor (optional)
  • Realms (mandatory)
    Each realm defined allows traffic to that path (and below) e.g:
    /app1
    /app2
    /app3/rest

Look and feel

Login

Login/authentication will be according to your domain configuration for the realm you are accessing. If prelogin is enabled, a prelogin dialog will be used for selecting were to login. This dialog is built dynamically based on the domain configuration. Most common scenario is having your own company as the only selection. Figure below shows a more complex scenario for a domain having several external federation options including internal user/password login.

Internal login option supports all kind of use cases, endpoints and protocols e.g. having a cloud based PlugSSO installation with on-premise login to for example Active Directory (not using ADFS).

Figure below shows Azure tenant login screen for “My Company”.

Note, cookie life time defined by your external OAuth provider decides how frequent you will see this login dialog box. Most of the times you will be automatic authenticated and will not notice this first step authentication.

If domain authorization is enabled, there will also be some behind the scenes validation of the user before the final Two Factor step

Two Factor Authentication

Figure below shows the final Two Factor Authentication step where user have to enter a Time-based One Time Password generated by the authenticator app

On the first use, PlugSSO have to be registered in the authenticator app before getting the final authentication. Figure below shows how this registration looks like.

You might use your app and test scanning QR code in figure above to see how it shows up. Display name will be set to the product display name value we have defined in the PlugSSO configuration together with your login mail address.

Figure below shows how random codes generated by the authenticator app looks like

Self Service

Self service is available through Can't login? link in the Two Factor login screen. Like figure below shows, we can then click Reset button to get a mail sent to our mailbox having a link to reset the authenticator app.

OAuth and OpenID Connect Provider

OpenID Connect well-known configuration can be found at:

https://elshaug.xyz/plug/oauth/.well-known/openid-configuration

Test PlugSSO online

You may online test PlugSSO at https://elshaug.xyz having path /sso protected

Domain1 (prelogin Google, Azure and internal authentication) - realms:

Domain2 (direct Google authentication) - realms:

For testing purpose internal login accepts all usernames having password = password
You may test using misc sub paths under /sso

If more than 4 incorrect login attempts, user will be banned for 1 hour.

OpenID Connect authentication require a consent on first time use. This means user have to accept exchanging profile attributes like mail address with PlugSSO. Installing and using mobile apps you are probably familiar with this concept.

Domain1 is configured with Azure authentication having AzureAdAndPersonalMicrosoftAccount. This means all users with a work, school, or personal Microsoft account can access this domain.

Note, you may not use your work or school account unless your Azure tenant administrator have granted global consent permissions (default turned off) or specific consent to PlugSSO. You then have to use a personal Microsoft account (@outlook.com, @hotmail.com, @live.com). If you get a dialog box like shown in figure below, you have to click Have an admin account? Sign in with that account and then specify your personal account.


Last modified June 6, 2020