NuFW provides an elegant and secure framework for building Single Sign On solutions. The principle is natural because the gateway, a point every connection must cross, is where authentication requests are centralised and answered.
NuFW 0.7.1 introduces an option for building a real-time authenticated connection tracking table: a sort of conntrack table in which each entry holds the IP parameters of the connection, the identity of the user who opened it, and the state of the connection. This table is stored in an SQL database (both MySQL and PostgreSQL are supported).
Since a server (such as Apache) knows the IP parameters of the connections it receives, it can query the SQL database for the entry matching each connection. Mod_auth_nufw performs exactly this task for Apache: it looks up the user ID in the NuFW "conntrack" table and tells Apache that this user is now identified (and authenticated). Authorization then rests with the other Apache modules and follows the classical process.
This gives the server the identity of the user who opened the connection. Authentication of the user by the server is therefore done, and it is fully transparent to the user. This principle thus allows complete Single Sign On systems to be built, with a netfilter firewall running NuFW as their keystone.
The following diagram describes the NuFW SSO framework:

The client side is omitted from the diagram for clarity.
The method is sound: the connection reaches the server only after the user has proved to the NuFW system that he is responsible for it. Unlike other solutions, no approximation is made in authentication, and the classical but unreliable equating of an IP address with a user is naturally avoided here.
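The lookup described above (a server matching the connection it received against the authenticated conntrack table) and the point just made (an IP address alone does not identify a user) can both be shown with a small worked example. The following code is an added illustration, not mod_auth_nufw's or NuFW's own code: the table layout, column names and the sample rows are assumptions made for the demo, and an in-memory SQLite database stands in for the MySQL or PostgreSQL server NuFW actually writes to. It contrasts a full-tuple lookup that requires an open entry with the naive "IP equals user" shortcut, using two users sitting behind the same NAT address.

```python
import sqlite3
from typing import Optional, Set

# Hypothetical, simplified layout of the authenticated-connection table.
# This is NOT NuFW's real MySQL/PostgreSQL schema; the column names are assumed.
SCHEMA = """
CREATE TABLE conntrack (
    ip_protocol INTEGER NOT NULL,   -- 6 = TCP
    ip_saddr    TEXT    NOT NULL,   -- client address as seen by the firewall
    tcp_sport   INTEGER NOT NULL,   -- client source port
    ip_daddr    TEXT    NOT NULL,   -- server address
    tcp_dport   INTEGER NOT NULL,   -- server port
    username    TEXT    NOT NULL,   -- user who authenticated the connection
    state       INTEGER NOT NULL,   -- 1 = open, 0 = closed
    start_time  INTEGER NOT NULL    -- time the connection was accepted
)
"""

STATE_OPEN, STATE_CLOSED = 1, 0

# Constructed sample data (not real NuFW records): alice and bob sit behind
# the same NAT address; carol's connection from that address is already closed.
SAMPLE_ROWS = [
    (6, "10.0.0.5", 40001, "192.0.2.10", 80,  "alice", STATE_OPEN,   1000),
    (6, "10.0.0.5", 40002, "192.0.2.10", 80,  "bob",   STATE_OPEN,   1001),
    (6, "10.0.0.5", 40003, "192.0.2.10", 80,  "carol", STATE_CLOSED, 900),
    (6, "10.0.0.7", 51000, "192.0.2.10", 443, "dave",  STATE_OPEN,   1002),
]


def open_demo_db() -> sqlite3.Connection:
    """Build the in-memory table; SQLite stands in for MySQL/PostgreSQL offline."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO conntrack VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def lookup_user(db: sqlite3.Connection, client_ip: str, client_port: int,
                server_ip: str, server_port: int, proto: int = 6) -> Optional[str]:
    """Mod_auth_nufw-style lookup: match the full connection tuple as the server
    sees it and require the entry to be open. Returns None when the user cannot
    be identified, so the caller fails closed."""
    rows = db.execute(
        "SELECT username FROM conntrack "
        "WHERE ip_protocol = ? AND ip_saddr = ? AND tcp_sport = ? "
        "AND ip_daddr = ? AND tcp_dport = ? AND state = ?",
        (proto, client_ip, client_port, server_ip, server_port, STATE_OPEN),
    ).fetchall()
    # Exactly one open entry identifies the user. Zero means the connection was
    # never authenticated (or is closed); several means a stale entry whose port
    # was reused before the table caught up, which is treated as unidentified.
    if len(rows) != 1:
        return None
    return rows[0][0]


def users_behind_ip(db: sqlite3.Connection, client_ip: str) -> Set[str]:
    """The naive 'IP == user' shortcut: it cannot tell alice from bob (same NAT
    address) and even surfaces carol, whose connection is already closed."""
    rows = db.execute(
        "SELECT DISTINCT username FROM conntrack WHERE ip_saddr = ?", (client_ip,)
    ).fetchall()
    return {r[0] for r in rows}


if __name__ == "__main__":
    db = open_demo_db()
    # The connection as Apache sees it: peer 10.0.0.5:40002 talking to 192.0.2.10:80
    print(lookup_user(db, "10.0.0.5", 40002, "192.0.2.10", 80))   # bob
    print(lookup_user(db, "10.0.0.5", 40003, "192.0.2.10", 80))   # None: closed entry
    print(sorted(users_behind_ip(db, "10.0.0.5")))                 # ['alice', 'bob', 'carol']
```

One practical consequence of matching on the full tuple: the address and port pair the server sees must be the same pair the firewall recorded, so any address translation between the NuFW gateway and the server would make every lookup miss and leave every user unidentified.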
On the server side, authentication is limited to:
Implementation is thus very easy and does not rely on any dependency between the applications that need authentication.