PlugSSO


Author: Jarle Elshaug

Overview

PlugSSO gives access control through secure Single Sign-On allowing users to sign on once using one set of credentials, giving them one-click access to all your web applications from anywhere.

You may have heard of products like Ping, Okta, SiteMinder,…?
Well, it’s time for lightweight microservices: PlugSSO

Highlights:

  • Lightweight, modular and massively scalable
  • Incredibly fast, validates requests in less than 300 µs
  • Easy installation and configuration, one binary and a configuration file
  • No external dependencies like databases or directories
  • Misc. options for Authentication (AuthN), Authorization (AuthZ) and Two Factor (2FA)
  • Both internal and external (federated) authentication options
  • Built-in OAuth and OpenID provider (OP)
  • Just in time provisioning (JIT)
  • Using Nginx as reverse proxy
  • Runs on linux and windows machines in cloud and on-premise
  • Docker container ready

User login flow:

  • Authentication (mandatory)
    External, using OAuth or OpenID Connect e.g. Azure, ADFS, Google, Facebook,…
    Internal, using built-in directory option e.g. Active Directory, or more advanced through SCIM Gateway giving full flexibility in terms of endpoints, protocols and custom logic to be used e.g. cloud implementation using on-premise authentication
    Users can be “whitelisted” based on organization or spesific mail addresses
    Supports all Azure sign-in options: AzureAdMyOrg, AzureAdMultipleOrgs and AzureAdAndPersonalMicrosoftAccount
  • Authorization (optional)
    User lookup and validation (e.g. group memberships) through built-in directory option, or more advanced through SCIM Gateway where needed custom logic can be defined.
    Supports custom headers to be set for having Single Sign-On towards web applications using header validation (e.g. Symantec/Broadcom/CA Identity Suite using SiteMinder headers).
  • Two Factor (optional)
    One time password using your favourite authenticator app on iPhone or Android (e.g. Microsoft, Google, Authy,…) having a first time on-the-fly registration by scanning a QR code
  • Built-in OAuth and OpenID Connect Provider (optional)
    If your web application supports OAuth or OpenID Connect, it can be setup to use PlugSSO as provider. Users then get Single Sign-On by PlugSSO and becomes automatically accepted by destination application.

Configuration, one or more Domains configured with:

  • Authentication (mandatory)
  • Authorization (optional)
  • Two Factor (optional)
  • Realms (mandatory)
    Each realm defined allows traffic to that path (and below) e.g:
    /app1
    /app2
    /app3/rest

Look and feel

Login

Login/authentication will be according to your domain configuration for the realm you are accessing. If prelogin is enabled, a prelogin dialog will be used for selecting were to login. This dialog is built dynamically based on the domain configuration. Most common scenario is having your own company as the only selection. Figure below shows a more complex scenario for a domain having several external federation options including internal user/password login.

Internal login option supports all kind of use cases, endpoints and protocols e.g. having a cloud based PlugSSO installation with on-premise login to for example Active Directory (not using ADFS).

Figure below shows Azure tenant login screen for “My Company”.

Note, cookie life time defined by your external OAuth provider decides how frequent you will see this login dialog box. Most of the times you will be automatic authenticated and will not notice this first step authentication.

If domain authorization is enabled, there will also be some behind the scenes validation of the user before the final Two Factor step

Two Factor Authentication

Figure below shows the final Two Factor Authentication step where user have to enter a Time-based One Time Password generated by the authenticator app

On the first use, PlugSSO have to be registered in the authenticator app before getting the final authentication. Figure below shows how this registration looks like.

You might use your app and test scanning QR code in figure above to see how it shows up. Display name will be set to the product display name value we have defined in the PlugSSO configuration together with your login mail address.

Figure below shows how random codes generated by the authenticator app looks like

Self Service

Self service is available through Can't login? link in the Two Factor login screen. Like figure below shows, we can then click Reset button to get a mail sent to our mailbox having a link to reset the authenticator app.

OAuth and OpenID Connect Provider

OpenID Connect well-known configuration can be found at:

https://elshaug.xyz/plug/oauth/.well-known/openid-configuration

Test PlugSSO online

You may online test PlugSSO at https://elshaug.xyz having path /sso protected

Domain1 (prelogin Google, Azure and internal authentication) - realms:

Domain2 (direct Google authentication) - realms:

Internal login accepts all usernames having password = password
You may test using misc sub paths under /sso

If more than 4 incorrect login attempts, user will be banned for 1 hour.

OpenID Connect authentication require a consent on first time use. This means user have to accept exchanging profile attributes like mail address with PlugSSO. Installing and using mobile apps you are probably familiar with this concept.

Domain1 is configured with Azure authentication having AzureAdAndPersonalMicrosoftAccount. This means all users with a work, school, or personal Microsoft account can access this domain.

Note, you may not use your work or school account unless your Azure tenant administrator have granted global consent permissions or specific consent to PlugSSO (default turned off in Azure). You then have to use a personal Microsoft account (@outlook.com, @hotmail.com, @live.com). If you get a dialog box like shown in figure below, you have to click Have an admin account? Sign in with that account and then specify your personal account.


Last modified June 6, 2020