Planning/integrating an application authentication

HI there,

I have created a prototype of my application and it is working! Incredible…

Currently my prototype is completely non authenticated and I would now like to start adding authentication. But having read around the forums a little on authentication for applications, I suddenly realised how little I knew about the topic beyond email/password type authentication schemes.

I was looking for some module that would “do it all for me” :slight_smile:

After reading said forum posts, it was made clear by several power users that no such module exists because there are lots of different ways of authenticating and its really a per application decision as to how you will authenticate your resources. All of this makes sense to me.

This is what I know about my application so far:

  • It is most likely to be accessed from within the LMS (Moodle, Blackboard etc) of Universities who have an identity provider that can authenticate users on my behalf (e.g. Shibboleth or something similar). If an institution adopts my application, I plan on working with them 1 on 1 to integrate their authentication scheme. But I thought it would be beneficial to provide support for common identity providers out of the box so that it is an attractive option for Universities to use my platform. Having worked inside universities, I know how much resistance there can be to adopting new platforms that don’t follow their rules.

While I would also like to support single users at a later date who want to get access to my free and paid content, this is not the major focus of my initial release and will be likely to be something that is added later.

I have currently defined the following two roles in my system:

  • Educator (someone who can create and edit content)
  • Student (someone who can view content)

While there is a relationship between students and what content they can access, I don’t feel this needs to be strictly enforced at a database level and would effectively be controlled by the LMS of an organisation when the educators publish courses. It is up to the educators who they want to share content created on my platform with.

As long as they are an authenticated user, then that is fine with me. I might consider locking it down to making sure that the student is from the same organisation as the educator who created the content. The super cautious among us might think that this would still mean that content on my application created for a Nursing student could still be accessed by an Engineering student (if they were manually provided the link) - but I see no great security risk in this, let alone there being much chance of a University student having any interest in content from a different department. I hope that attitude is not considered lax on my part.

Anyway, this is turning into quite a long-winded post and part of me feels like I might be thinking about this a little too soon, but part of me also realises that how easily my system can be integrated into existing IT systems of educational institutions will be an important selling feature of my application… assuming I ever get a sale :slight_smile:

While this has pretty much turned into a “Dear Diary” post… I guess the vague questions I have are:

  • Is there a particular process that is recommended for planning out authentication schemes into your application?
  • When is a good time to start integrating authentication into your application?
  • Am I going insane?!
2 Likes

If you need to work with Identity providers in Edu institutions, SAML might be a good option to consider. Take a look at the Elixir library Samly.

It is very easy to work with. Before you make any changes to incorporate this library try out a test Phoenix application that shows how to do this.

git clone https://github.com/handnot2/samly_howto

Get the IdP SAML metadata XML file from your Identity Provider and make it available to samly_howto app. Launch this Phoenix application. There will be a link to get the SP metadata XML. Use the information shown there to register your app with your IdP. Once these configs are done you should be able to sign in using this samly_howto app UI using your Edu IdP.

The samly code integration is very simple once you get the SAML config sorted out.

That’s great, thanks.

Ueberauth then for authentication, you can pretty easily bind in new styles as well if one of its many many pre-built ones would not work for you, in addition to simple username/password.

1 Like

I’ll second Ueberauth, it is well designed and flexible. Since you’re planning to have many different types of logins I think that makes it a good fit and they have a long list of already existing strategies: https://github.com/ueberauth/ueberauth/wiki/List-of-Strategies

Awesome - thanks all.

I know some of the universities use Shibboleth, which is SAML, right? Are you suggesting to use Ueberauth so I get all its bonuses and add in SAML auth on top of that module? Is that doable or would you just have samly running side by side?

I am still connecting all the dots on this and figuring out what sits where…

I spent the weekend learning about Plugs and was blown away by what you can achieve with their flexibility (and simplicity)… I’m loving it!

Shibboleth is very common in the EDU market segment. It does support SAML. That is the reason why I suggested Samly as an option to consider. Samly has support for single logout as well.

Yep, just got the demo up and running, works great.

I’ll have a go at running a Docker Shibboleth image and connecting to that so I can get my head around what an institution would need to do to allow me as a service provider.

I’ll also take a look at Ueberauth… but I don’t see that handling any of the expected auth situations I would encounter (at least early on in this project). I imagine there would be no issue to run samly and ueberauth side by side later on if I needed to utilise some of ueberauth’s strategies…

The docker image for an IdP (based on SimpleSAMLPhp) is available at:

You can use this for development purposes to check login/logout flows. You should then be able to change the config to point to a Shibboleth setup.

SimpleSAMLPhp was used as IdP during Samly development. I am aware of success in getting Samly to work with commercially available SAML IdPs as well.

Yep, great, I got that demo up and running and it worked well. I will have a go at adding this to my application.

BTW - with this type of auth, what would be the simplest way (from a client’s point of view) for me to determine who is an Educator and who is a student? From what I can tell, I should be able to do this based on attributes from the IDP, but from what I also understand, it is not a guarantee that all IDPs will give up the same attributes and even if they do, they may not have the same internal representation.

One other solution I can think of is that I get the University to manually identify who they want as educators and they need to contact me if this list needs to change.

With ueberauth, if a saml plugin does not already exist (it might, check?) you’d just implement that above Samly library ‘as’ a strategy in Ueberauth, then you could use it like any other (and you should distribute it as a library for ueberauth too! ^.^). :slight_smile:

The college that I work at uses LDAP for educator logins, Google Education Services for student logins, and some specially made custom logins for non-related logins. All through Ueberauth. :slight_smile:

1 Like

@natewallis - the educator/student role information would be made available as part of the assertion sent to you. What is sent in the assertion is/can be controlled at the IdP. Samly gives you control via a Plug pipeline (customization section in the documentation) where you can map/transform the assertions to what your app needs.

@OvermindDL1 - Seems like Google Education Service (GES) usage at your college relies on Google as IdP. Is that correct? My understanding is that typically univs want to be the IdP and GES as SP.

Not really, the google side of stuff is pretty distinct from the other things, heck we just use normal Google OAuth (checking that it is part of our domain). They are looking to replace it sometime though.

Doesn’t this mean they are an IDP though or is that just a term that applies to the SAML world?

Ok, great. So I just deal with that on a case by case basis. Assuming that the institution doesn’t have enough data for me to distinguish an educator and student, I guess I could just base it off their username - assuming I keep a list of educators on my end…I don’t see any other way around that.

Having trawled through the LDAP directory of my local university before and observing that records are not always accurate, username might be the safest bet of all (and most simple/consistent to implement - assuming I can’t get the same SAML assertion from all providers).

Probably a SAML term, never heard it ever used nor documented here. ^.^;

1 Like

I’ve started to have a play with both ueberauth and samly to see if I can get a strategy working for Ueberauth.

I also have another project which is using AWS identities. That might be another good fit for an UeberAuth strategy. From what I can see, one doesn’t exist already.

If you see smoke and fire on the horizon, something went wrong…

1 Like

If the SAML IdP (Identity Provider) is set up with a non-transient “NameIDFormat”, you will be able to use the SAML assertion subject to identify the user. But, in general it is a good idea to have a config parameter to indicate which assertion attribute should be used to identify the signed in user in the SP (Service Provider - your application).

As an SP application, you will have to make do with what you get in the SAML assertion upon authentication. It is possible for you to make role determinations such as “educator” or “student” based on certain attributes. But, more often than not, IT folks would want you to work with the roles they define and control for compliance reasons.

Additional clarification: Cloud service providers (such as google education service) allow a customer to use their own IdP (identity provider authentication service) so that when someone is attempting to access these services, they would be redirected to the univ/college authentication system for example and redirected back to the GES application. That is what I had referred to earlier if that was not clear. But as @OvermindDL1 pointed out there are other possibilities as well on how this could be approached.

1 Like

Right… which is why I am thinking of maintaining the list of uids per institution that have educator access. From my experience, the usernames hardly ever change (unless someone gets married) and the number of educators per institution is likely to remain fixed for at least 6 months of the year (semester). I don’t see it as a large administration hassle to update the list of educator usernames for an institution.

Yep, I agree. An option to determine which attribute is to be used is a good idea.

Without getting ahead of myself, I wonder how this would work with multiple institutions though. Say I finish writing my ueberauth-saml strategy and end up with two institutions on board who use different SAML IDPs, how would my application determine which IDP to validate against? Would it be best to use IP address range or something similar?

Currently with this approach, even if I provide an option to the strategy as to which attribute I should be using to identify the user, I can still only point it at the one IDP.

This implies that you are trying to make the role determination at your application (SP) level. I would recommend that you talk to potential customers before settling on this. As I mentioned earlier, the IT folks generally would want to control who has what role for compliance reasons. Typically this role information would be provided to you as part of the assertion you get.

Samly currently is targeted to work with a single IdP. FYI. The IdP metadata is provided to Samly using an XML file (check the doc). This is specifically done to keep things simple from an adoption perspective. Supporting multiple IdPs means more bookkeeping/config handling etc.

1 Like

True… Although maybe without too much config it could be done via URL (or maybe subdomain) in a similar fashion to this Ruby Library.

Anyhow… I feel like I have a solid enough plan now that I can forge ahead… cheers.
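Pulling the thread’s two open questions together (which assertion attribute identifies the user and carries the role, and how per-institution configuration could be keyed off the subdomain), here is an added Elixir example. It is not code from this thread, from Samly or from its README; the module names, the `@institutions` map, the attribute names (`uid`, `mail`, `eduPersonAffiliation`) and the educator list are constructed sample values, and the `pre_session_create_pipeline` plug shape and the `computed` field on `Samly.Assertion` are assumptions taken from the Samly customization docs that should be checked against the version in use. The role is taken from what the IdP asserts whenever it sends a role attribute; the uid allowlist is only the fallback for an IdP that sends none, and a request whose user or role cannot be determined is refused before any session exists.

```elixir
# Added example (not from the thread, not Samly's own code): derive the
# application role from a SAML assertion, with the identifying attribute,
# the role attribute and a per-institution educator allowlist all configurable.
defmodule MyApp.SamlRoles do
  @moduledoc """
  Resolves {uid, role} from SAML assertion attributes.

  Attribute names, the institution map and the educator lists below are
  constructed sample values; every IdP names attributes differently, which is
  why they live in configuration rather than code.
  """

  # Constructed per-institution config keyed by the subdomain the institution
  # uses to reach the app (e.g. "uni-a.example.test").
  @institutions %{
    "uni-a" => %{
      uid_attribute: "uid",
      role_attribute: "eduPersonAffiliation",
      educator_values: ["faculty", "staff"],
      educators: MapSet.new()
    },
    # This IdP sends no role attribute, so the uid allowlist decides.
    "uni-b" => %{
      uid_attribute: "mail",
      role_attribute: nil,
      educator_values: [],
      educators: MapSet.new(["jsmith@uni-b.example.test"])
    }
  }

  @doc "Looks up the institution config from the request host's first label."
  def institution_for_host(host, institutions \\ @institutions) do
    case String.split(String.downcase(host), ".", parts: 2) do
      [label, _domain] -> Map.fetch(institutions, label)
      _ -> :error
    end
  end

  @doc """
  Returns {:ok, %{uid: uid, role: :educator | :student}} or {:error, reason}.
  A user is an educator only when the IdP's role attribute says so or, if the
  IdP sends no role attribute, when the uid is on the institution's list.
  """
  def resolve(attributes, inst) when is_map(attributes) do
    with {:ok, uid} <- fetch_uid(attributes, inst.uid_attribute) do
      role =
        case values(attributes, inst.role_attribute) do
          [] -> if MapSet.member?(inst.educators, uid), do: :educator, else: :student
          vals -> if Enum.any?(vals, &(&1 in inst.educator_values)), do: :educator, else: :student
        end

      {:ok, %{uid: uid, role: role}}
    end
  end

  defp fetch_uid(attributes, attr) do
    case values(attributes, attr) do
      [uid | _] when uid != "" -> {:ok, uid}
      _ -> {:error, {:missing_attribute, attr}}
    end
  end

  # IdPs may send an attribute as a single string or as a multi-valued list;
  # normalise both to a list. A nil attribute name (IdP sends no role) yields [].
  defp values(_attributes, nil), do: []

  defp values(attributes, attr) do
    case Map.get(attributes, attr) do
      nil -> []
      v when is_binary(v) -> [v]
      v when is_list(v) -> v
    end
  end
end

# Samly-side glue (assumed shape, following the pre_session_create_pipeline
# pattern in Samly's customization docs): this plug runs after Samly has
# validated the assertion and before it creates the session, so a user whose
# identity or role cannot be determined never gets a session at all.
defmodule MyAppWeb.SamlyRolePipeline do
  use Plug.Builder
  alias Samly.Assertion

  plug :compute_role

  def compute_role(conn, _opts) do
    assertion = conn.private[:samly_assertion]

    with {:ok, inst} <- MyApp.SamlRoles.institution_for_host(conn.host),
         {:ok, %{uid: uid, role: role}} <-
           MyApp.SamlRoles.resolve(assertion.attributes, inst) do
      computed = %{"uid" => uid, "role" => Atom.to_string(role)}
      put_private(conn, :samly_assertion, %Assertion{assertion | computed: computed})
    else
      _ -> conn |> send_resp(403, "could not determine user or role") |> halt()
    end
  end
end
```

With the sample config, `MyApp.SamlRoles.resolve(%{"uid" => "asmith", "eduPersonAffiliation" => ["faculty", "member"]}, inst_a)` returns `{:ok, %{uid: "asmith", role: :educator}}`, the same attributes with `["student", "member"]` return `:student`, and for the `uni-b` config a `"mail"` value on the educator list is the only way to obtain `:educator`. The pipeline module would be referenced from the Samly identity provider config (assumed key: `pre_session_create_pipeline: MyAppWeb.SamlyRolePipeline`); the `computed` map is what the rest of the app reads for the uid and role, so nothing downstream has to know which IdP attribute supplied them.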