[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Experimental new Single Sign-on


 * New Single Sign-on now available

Fresh out of DebConf[1], I think that the experimental new Single
Sign-on system has reached a point where it is ready to be announced and

Here is how it works:

 1. Go to https://sso.debian.org/spkac/enroll/
 2. Login as usual with your Debian Web Password or Alioth credentials
 3. Click on "Get certificate"
 4. Visit websites.

that is it, nothing else is needed, from that point, when you visit any
sso-enabled site[3], you get a popup with the option of using the
certificate with them. If you do, the site can be sure that you are you.

Really, that is all: one click to add certificates to your browser, one
click to use them[4].

It is effectively like having a stored password that works on a lot of
sites, cannot be guessed, expires when you want and that can be globally

 * Deploying new sso-enabled sites

If you maintain any web service, be it deployed on debian.org machines
or anywhere else, and would like to be able to authenticate users with
sso.debian.org, you just need a 4 line configuration change in Apache
and a daily cron job to keep the Certificate Revocation List up to

If you deploy on debian.org machines, there will be a local copy of
everything you need kept up to date for you, so you do not even need the
cron job.

I think that this greatly lowers the requirements for creating new sites
that can work with the Debian Single Sign-on: anyone can just go ahead
and set one up, without coordination with sso.debian.org, without
needing to deal with shared secret tokens, without increasing the attack
surface for stealing passwords.

Seriously, now you can set up your blog so that any Debian Contributor
can post comments, and then you can complain to DAM if they misbehave :)

 * In case of problems

If you find something that does not work, please report bugs[6] and, if
you can, help fix them[7]: openssl and gnutls already have client
certificate support built in, and implementing client certificate
support in an HTTPS client is generally a simple matter of adding a
couple of calls to the https setup code[8].

More documentation is at [9].

If you find tips and tricks for your favourite browser, add them
to the wiki[a].

[1] After discussing the single signon situation at the oauth2 sprint at
    DebConf[2], Bernhard R. Link and me started working on a prototype
    replacement for sso.debian.org based on client certificates. I kept
    working on it after DebConf and I think that now we have a system
    that is quite ready to be used.
[2] https://wiki.debian.org/Sprints/2015/oauth2%20sprint%20@%20DebConf
[3] https://wiki.debian.org/DebianSingleSignOn#SSO-enabled_sites
[4] One click to bring the servers up and to the right ports bind them.
    In the Land of Debian where Free Software lies.
[5] https://wiki.debian.org/DebianSingleSignOn#Documentation_for_web_application_owners-1
[6] https://bugs.debian.org/797057
[7] https://bugs.debian.org/797066
[8] https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;att=1;filename=links-client-certs.patch;bug=797066
[9] https://wiki.debian.org/DebianSingleSignOn
[a] https://wiki.debian.org/DebianSingleSignOn#Browser_support

Yours and very excited,


GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>

Attachment: signature.asc
Description: Digital signature

Reply to: