

Single Sign-on at Rackspace - alexmeng
https://medium.com/@alexbmeng/single-sign-on-at-rackspace-47e30eda8532

======
Rapzid
How are you guys finding the tools for supporting SAML SSO? I only recently
had to stare into the abyss and found it to be a rather abysmal (har har)
experience.

One of the most popular service providers, Shibboleth, was a PITA to get set up
the first time. Terribly complicated to get going from ZERO to signed in with
ADFS as the ident provider. Options available for distribution and clustering
are not up with the times. Only supported SHA1 hashing. Etc, etc. I know the
guys put a lot of effort in on it and are pretty helpful on list but... I
can't help but feel that 2014 deserves a better SSO experience :|

~~~
pmahoney
I found the tools weak at best, confusing and overcomplicated at worst. The
code from OneLogin [1] was the clearest example I found, but it leaves various
things as an exercise for the reader, such as obtaining the relevant public
key and establishing trust in that key.

I ended up doing a lot of custom stuff that is highly specific to the
particular SAML implementation in use at my company. For example, the public
signing key is included with the SAML response (on successful sign on) as an
x509 certificate. I extract it from there and establish trust by verifying the
signature chain (up to the root SSL certs included in my distro). But, SAML
also allows embedding raw RSA or DSA keys, or presumably none at all (and
you'd store the trusted key somewhere as a configuration value). So I don't
support "SAML" but "the specific SAML implementation currently in use at my
company".

But I've worked closely with an OAuth client before as well, and in the end
I'd say they are roughly equivalent in terms of ease of use, but there was a
larger learning curve for SAML (and XML-DSig is frustrating due to whitespace
sensitivity, among other things; implementation seems like a huge burden if
your language lacks it).

[1] [https://github.com/onelogin/java-saml](https://github.com/onelogin/java-saml) But see other language impls. as well

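The trust decision pmahoney describes (the IdP ships its signing certificate inside the response, and the SP must decide whether to believe it before using its key) is the part the libraries leave "as an exercise for the reader". The following is an added example in Go, not code from the thread, from OneLogin, Shibboleth or any other project mentioned. It stands up a trusted root and an IdP certificate in memory, builds a cut-down Response with the certificate in ds:KeyInfo, and shows the SP side rejecting a response whose embedded certificate chains to a CA it does not trust. Everything in it is constructed for illustration: the root and IdP names, the XML skeleton, and the signing step, which signs the raw assertion text with ECDSA-P256 in place of real XML-DSig canonicalisation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// Minimal view of a Response: the signed assertion text, the signature and the
// certificate the IdP embeds in ds:KeyInfo. encoding/xml matches local names,
// so the samlp:/saml:/ds: prefixes do not matter here.
type samlResponse struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion string   `xml:"Assertion"`
	SigValue  string   `xml:"Signature>SignatureValue"`
	Cert      string   `xml:"Signature>KeyInfo>X509Data>X509Certificate"`
}

// newCert issues a P-256 certificate: self-signed when isCA is true (parent
// arguments ignored), otherwise a leaf signed by parent/parentKey.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildResponse is the IdP side. Real XML-DSig canonicalises the Assertion
// element before hashing; signing the raw assertion text is a stand-in for that.
func buildResponse(assertion string, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	digest := sha256.Sum256([]byte(assertion))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>%s</saml:Assertion>
  <ds:Signature><ds:SignatureValue>%s</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>`, assertion, base64.StdEncoding.EncodeToString(sig),
		base64.StdEncoding.EncodeToString(cert.Raw)), nil
}

// verifyResponse is the SP side. The certificate arrives inside a message the
// sender controls, so it is untrusted until it (1) chains to a root we configured
// and (2) names the IdP we expect; only then is its key used for (3).
func verifyResponse(doc string, roots *x509.CertPool, expectedCN string) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal([]byte(doc), &r); err != nil {
		return "", err
	}
	der, _ := base64.StdEncoding.DecodeString(r.Cert) // bad base64 fails ParseCertificate
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("KeyInfo certificate: %w", err)
	}
	// (1) Chain validation against roots we chose, never against anything in the message.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted signer certificate: %w", err)
	}
	// (2) Pin the identity: a valid chain alone proves only that someone obtained a cert.
	if cert.Subject.CommonName != expectedCN {
		return "", fmt.Errorf("signer is %q, expected %q", cert.Subject.CommonName, expectedCN)
	}
	// (3) The key is now trusted; check the signature over the assertion.
	sig, _ := base64.StdEncoding.DecodeString(r.SigValue) // bad base64 fails CheckSignature
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, []byte(r.Assertion), sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	return r.Assertion, nil
}
```

Step (2) is the check most easily forgotten when trust is anchored on a distro root store: any party that can obtain a certificate under one of those roots can embed it, so the SP must also pin the IdP's subject (or, simpler still, the certificate fingerprint held in configuration, which is the "trusted key as a configuration value" option the comment mentions). If the IdP embeds a raw RSA or DSA key instead of a certificate, there is no chain to validate and the configured-key comparison is the only option.
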
------
dylz
Out of curiosity, what was the reasoning in using saml/idp/xml/etc? Java shop
+ enterpriseyness?

I don't know a single person that enjoyed dealing with SAML SSO (myself
included, using shib)

~~~
anton_gogolev
Care to share the most... er... painful pain points? We're about to embark on a
journey of implementing an SSO solution and are evaluating Windows Identity
Foundation.

~~~
taspeotis
I've just finished implementing SSO with WS-Fed and WIF. The code samples are
the documentation.

------
samuel1604
Is that using OpenStack keystone on the back-end?

