Sunday, November 4, 2007

RubyConf 2007: Ruby and Identity: OpenID, CAS and Information Card

Justin Gehtland is the president of Relevance.

There will be twelve slides and then we're going to code.
  1. rails myapp (camping, whatever)
  2. ruby script/plugin install acts_as_authenticated
  3. There is not step 3!
Doing this in every app leads to redundant implementations, no shared authentication, and commingled storage (sensitive and non-sensitive data in the same place).

What do you get for giving $2 million to RSA? Someone to sue.

Two types of central authentication: private and public. The difference? Trust.

OpenID (public)
  • free, open central id
  • vendor-supported, but not controlled
ruby-openid has dependencies on
  • net transports
  • yadis (openid + directory service)
CAS (private)
  • central authentication service
  • FOSS
  • java-based
rubycas-client and rubycas-server

What about
  • LDAP?
  • NTLM?
  • Commercial SSOs?
Ruby has bindings for these (ActiveLDAP, rldap, ...).

OpenID demo.

Caveat: the shipping openid plugin returns :false (the symbol, not false) if the user is not logged in.

This is all authentication. NEVER punt authorization rules to a third-party server. They are coupled to the domain or application.

CAS demo.

You need a certificate to run the server. All traffic to a single sign-on must go over SSL.

rubycas-server is done in camping.

Biggest problem he has seen in rails shops is domain explosion. Example: a notes application is released and now the business people want a memo application, but you can't make a separate application because that would necessitate multiple logins.

CAS uses SSL for everything, except token generation: "#{Time.now.to_i}r%X" % rand(10**32)
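Added example, not code from the talk or from rubycas-server: the ticket format quoted above next to the same format built from SecureRandom, plus a parser and a constant-time comparison for checking a presented ticket. Function names are my own.

```ruby
require 'securerandom'

# Ticket format from the talk notes: "<unix time>r<hex of rand(10**32)>".
# rand() is Ruby's Mersenne Twister PRNG, not a CSPRNG, so its output is
# predictable from its internal state; kept here only for comparison.
def weak_ticket
  "#{Time.now.to_i}r%X" % rand(10**32)
end

# Same visible format, random part drawn from the OS CSPRNG via SecureRandom.
# 16 bytes = 128 bits of entropy, rendered as upper-case hex like the original.
def secure_ticket(bytes = 16)
  "#{Time.now.to_i}r#{SecureRandom.hex(bytes).upcase}"
end

TICKET_RE = /\A(\d+)r([0-9A-F]+)\z/

# Parse "<time>r<hex>" into [timestamp, hex]; nil if the ticket is malformed.
def parse_ticket(ticket)
  m = TICKET_RE.match(ticket)
  m && [m[1].to_i, m[2]]
end

# Bits carried by the random part, assuming the hex is uniformly random
# (true for SecureRandom output, not for rand).
def random_bits(ticket)
  _, hex = parse_ticket(ticket)
  hex ? hex.length * 4 : 0
end

# Constant-time comparison of a presented ticket against the stored one, so
# the check does not leak how many leading characters matched.
def tickets_match?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```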
