Ueberauth, Ruby CAS and other SSO options for Elixir or Phoenix

When I researched Elixir earlier this year, I was told that there wasn’t a CAS server app for it similar to Ruby CAS. Someone today told me that they think Ueberauth is an implementation of CAS for Elixir. Is this correct? The appeal of CAS (and Ruby CAS) is I’ve read that CAS handles OpenID Connect (and also Oauth2 since OpenID Connect is built on Oauth2), and SAML, and offers other benefits. If Ueber is an implementation of CAS, does it implement all aspects of CAS or … which things does it not? If it’s not an implementation of CAS, what features/benefits of CAS does it have and what does it lack?

We are a nonprofit looking for a solution for SSO on multiple Elixir websites/apps that automatically recognizes and logs in users to all our sites if they’ve logged into any one of the sites. We’d ideally like to allow people to register using their social media accounts; and would like maximum flexibility going forward such as being able to integrate with outside services like Salesforce, allowing third-party partner users to ping the APIs of some of our websites and being able to integrate with our own non-Elixir apps.

We’re in the process of choosing a developer to implement a solution and the applicants are recommending different solutions (some Ueber, some Ruby CAS, one Jasig CAS, etc.) I’m having a tough time deciding which approach to go with. Has anyone used Ueber for SSO on multiple Elixir websites/apps and how time consuming was it to do and how bug-free was it? Has anyone used Ruby CAS recently and how bug free was it? Would appreciate input on any aspects of Ueber, CAS or other solutions.

1 Like

Ueberauth is a pluggable API to handle authentication. There are a whole host of plugins for it to handle everything from Facebook, Google, and a ton of others, but by itself it does little. If you can find the plugins for what you want then that works, or you can make them (not at all hard, I made an LDAP one). :slight_smile:

Thanks. Are there any features or benefits that CAS (whether RubyCAS or CASino or Jasig) has that Ueberauth doesn’t have? In other words, is it easy to write plug-ins to do all of the things that CAS does that Ueberauth and its existing plugins don’t do, or is there something that would be somewhat time-consuming to write for Ueberauth?

Is there any reason to go with CAS over Ueberauth … such as does CAS perform faster, or handle high loads better?

Ueberauth is great at what it does, which is handle the initial OAuth authentication. That’s its only goal, so it doesn’t offer to handle your sessions, let alone do any sort of single sign on.

I did evaluate Ruby CAS years ago when looking at a single sign on solution for someone. I found the whole thing a bit over complicated but haven’t actually used it so could be wrong. It’s not being maintained either which is alarming.

More recently I was looking for a lighter approach to SSO and found a SaaS offering from Auth0 https://auth0.com/docs/sso/current. This looked practical for at least doing a quick prototype and assessing how it would all work.

1 Like

Thanks. So is there anything in Elixir that does SSO? I’ve read several people say CASino is better than RubyCAS because it has a cleaner codebase, has more features and is better maintained, so if we do a Ruby-based CAS, we’d probably use CASino. Has anyone used CASino for doing SSO recently for either Rails websites or Elixir websites, and how updated and bug free was it?

I found this list of strategies for ueberauth - https://github.com/ueberauth/ueberauth/wiki/List-of-Strategies. Someone has written an ueberauth strategy for CAS and tested it on CASino https://github.com/marceldegraaf/ueberauth_cas. I’m wondering: if a company was going to have a CAS server such as CASino or Ruby CAS, why would they want to use something like ueberauth in tandem with CAS - instead of just using the CAS? What does ueberauth add to the mix that CAS doesn’t do?

I think you’re missing the distinction between CAS server and CAS client. The ueberauth strategy is an implementation of a CAS client. So you can log in to your Elixir app by signing in at your CAS server. The server might be running CASino or any other CAS server implementation. Ueberauth will never provide a CAS server implementation. At most it might be used as part of a CAS server implementation to authenticate users against further 3rd party services, like e.g. Twitter or Google.

1 Like

Good clarification. I’ve read that OpenID Connect (which is built on Oauth2 and adds a lot of features to it) handles a large range of authentication and does SSO, so I’m wondering what people think of that as a solution for doing SSO for a large group of Elixir websites? It seems like there are 2 levels of OpenID Connect: 1) you use it for SSO, but users can only register an account via existing ID providers; 2) you use it for SSO, and users can join you via existing ID providers, but they can also register an account directly with you, whereby you’d in essence be an IDP.

How would implementing OpenID Connect for a large group of Elixir websites compare to using a Ruby-based CAS like CASino for things like reliability, time needed to set up, performance and flexibility/range of features?

I recently located this in Elixir named Shield, though it looks like it only handles OAuth2 and it doesn’t handle OpenID Connect and the many features that OpenID Connect provides such as SSO - https://github.com/mustafaturan/shield. Is there anything in Elixir that handles OpenID Connect? I’m being told it’s much better to use a native approach to authentication and authorization for a group of related Elixir websites rather than to use an outside language such as Ruby. Is there anything in Elixir that handles full SSO?

Hi @Greater_Good !

I came across your post whilst looking into Elixir and SSO. My team and I created a product called NiceIdP (https://niceidp.com) which provides pain-free IAM - user registration, SSO, SLO, social registration/authentication, 2FA etc. NiceIdP takes less than 15 minutes to set up.

NiceIdP supports OpenID Connect, SAML2 and as you might be aware this forum uses “Discourse” - NiceIdP also supports Discourse’s proprietary SSO protocol. With one sign in event, a user can access a variety of services that use OIDC, SAML2 and Discourse.

We have been using NiceIdP internally for quite some time and we are working on creating examples / guides now for a range of languages and frameworks.

If you are interested, perhaps you could try installing NiceIdP and using it with a library such as https://github.com/mytardis/ueberauth_edm ? We would be happy to hear from you and help if we can, feel free to contact me via https://niceidp.com

Best regards,

Adrian

I have also been investigating the possibilities for using OpenID Connect in a Phoenix project. The best Elixir library I have found so far is Shield, as @Greater_Good also mentioned above. Unfortunately, that library does not seem to be actively maintained, and it has some critical open issues.

Luckily, there exists a Certified OpenID Connect Implementation for Erlang, called oidcc. This library seems to be more robust and actively maintained. OpenID Connect itself is also extensively documented on their website, where they also provide two implementer’s guides.

Since Elixir can leverage Erlang libraries, I’m considering using oidcc directly, perhaps creating some abstractions of my own as necessary, using the official OpenID documentation as a guide.

Update: Yeah… I did some more testing and reading today, and managed to get a rudimentary Phoenix app up and running with the aforementioned Erlang oidcc library. Now I know how much I don’t know. It doesn’t seem like oidcc does what I thought it does. As far as I understand, it’s a server-side library, not a client library, and so it doesn’t perform the desired “OAuth Dance” (Authorization Code strategy needed for Azure AD) with token verification, etc. So, I’ll probably be using oauth2 instead, possibly guardian or ueberauth. But first, I’ve got some more reading to do…

1 Like

Guardian is a token library, don’t touch it. You probably want Ueberauth with one of its strategies.

2 Likes
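The recurring point in this thread is that Ueberauth only performs the initial OAuth handshake and hands back a verified identity; the local user lookup, the session, and anything resembling single sign on across several apps are left to the application. The following Phoenix controller, added here as an illustration and not taken from the Ueberauth project or from any poster, shows where that boundary falls. It assumes a GitHub strategy is configured (the `config` block at the top), and `MyApp.Accounts.find_or_create_from_auth/1` is a hypothetical function standing in for the app's own user store.

```elixir
# config/config.exs (assumed): one Ueberauth provider, GitHub, purely for illustration.
config :ueberauth, Ueberauth,
  providers: [
    github: {Ueberauth.Strategy.Github, [default_scope: "user:email"]}
  ]

# router.ex (assumed): the request phase is answered by the Ueberauth plug itself
# (it redirects to the provider), so only the callback needs a real action.
#
#   scope "/auth", MyAppWeb do
#     pipe_through :browser
#     get "/:provider", AuthController, :request
#     get "/:provider/callback", AuthController, :callback
#     delete "/logout", AuthController, :delete
#   end

defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller

  # Runs the strategy's request/callback phases for this controller's actions.
  plug Ueberauth

  alias Ueberauth.Auth

  # Provider refused, the state check failed, or the code exchange did not succeed.
  # Ueberauth places an Ueberauth.Failure struct in conn.assigns; no identity exists.
  def callback(%{assigns: %{ueberauth_failure: _failure}} = conn, _params) do
    conn
    |> put_flash(:error, "Authentication failed.")
    |> redirect(to: "/")
  end

  # Provider accepted. `auth` is the Ueberauth.Auth struct: provider, uid, info, credentials.
  # Ueberauth's responsibility ends here; the rest is the application's own login logic.
  def callback(%{assigns: %{ueberauth_auth: %Auth{} = auth}} = conn, _params) do
    # Key the local account on {provider, uid}, not on e-mail alone: uid is the
    # provider's stable identifier, while an e-mail claim may be absent or unverified.
    # (hypothetical accounts function; returns {:ok, user} or {:error, reason})
    case MyApp.Accounts.find_or_create_from_auth(auth) do
      {:ok, user} ->
        conn
        # Issue a fresh session id on login so a pre-login session cannot be reused.
        |> configure_session(renew: true)
        |> put_session(:user_id, user.id)
        |> redirect(to: "/")

      {:error, _reason} ->
        conn
        |> put_flash(:error, "Could not sign you in.")
        |> redirect(to: "/")
    end
  end

  # Local logout only: this clears this app's cookie session. With plain Ueberauth
  # there is no shared session to end, which is exactly the SSO gap discussed above.
  def delete(conn, _params) do
    conn
    |> configure_session(drop: true)
    |> redirect(to: "/")
  end
end
```

Everything after the second `callback/2` clause (account matching, session renewal, logout) is ordinary Plug session handling that the app owns. Getting a second Elixir site to recognise the same login needs either a shared identity provider that each site talks to through a strategy (the CAS or OIDC server role described earlier in the thread) or a session store deliberately shared between the apps; Ueberauth on its own provides neither.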