You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
CAS-SSO
Our Web SSO infrastructure is built on Apereo CAS.
When logging into a CAS-enabled website without an active SSO session you'll be redirected to the CAS login page (https://idp.wikimedia.org/login). The CAS service collects LDAP group memberships and makes them available to services for making authorisation choices. After authentication the users get redirected to the initiating service.
The authentication happens with your Wikimedia Developer Account name and the respective password. There's also the possibility to add a second factor using U2F, see below for how to enable it. Once a user has an active session, no further login is needed. A session is currently valid for 24 hours (but we'll bump that soon).
The current SSO setup is targeted at SRE staff (both to collect more feedback and pain points before a wider rollout and also because there can still be disruptive changes which we don't want to impose on less technical users). That's why a number of services with a significant amount of non-SRE users are currently only enabled via a separate Apache site (to not interfere with users authenticating against plain LDAP).
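To make the redirect-and-validate flow above concrete, here is an added example (not code from Wikitech or from Apereo CAS) of what a CAS-enabled service does on its side: build the login redirect, call the serviceValidate endpoint, parse the CAS 3.0 XML response, and decide authorisation from the LDAP groups released as attributes. The attribute name memberOf, the group DNs and the username are assumptions constructed for the example; only the IdP base URL comes from the page.

```python
"""Client-side CAS 3.0 helpers for a service protected by the SSO described above.

Added example, not project code.  Assumptions: CAS releases LDAP groups in an
attribute named 'memberOf', and group DNs look like the constructed sample below.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace fixed by the CAS protocol
IDP_BASE = "https://idp.wikimedia.org"            # login URL given on the page
GROUP_ATTR = "memberOf"                           # assumption: attribute carrying LDAP groups
REQUIRED_GROUP = "cn=ops,ou=groups,dc=wikimedia,dc=org"   # constructed sample group DN

# Constructed sample responses in the shape the CAS 3.0 protocol defines.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>cn=ops,ou=groups,dc=wikimedia,dc=org</cas:memberOf>
      <cas:memberOf>cn=wmf,ou=groups,dc=wikimedia,dc=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket 'ST-0000-example' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def login_redirect_url(service_url: str) -> str:
    """Where a service sends a browser that has no SSO session yet."""
    return f"{IDP_BASE}/login?" + urlencode({"service": service_url})


def service_validate_url(service_url: str, ticket: str) -> str:
    """Server-side call the service makes with the ticket CAS appended on return.
    /p3/serviceValidate is the CAS 3.0 endpoint that includes attributes."""
    return f"{IDP_BASE}/p3/serviceValidate?" + urlencode(
        {"service": service_url, "ticket": ticket})


def parse_validation(xml_text: str) -> dict:
    """Parse a serviceValidate response into a plain dict.

    Success: {"ok": True, "user": str, "attributes": {name: [values]}}
    Failure: {"ok": False, "code": str, "message": str}
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        if failure is None:
            raise ValueError("not a CAS serviceResponse")
        return {"ok": False,
                "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    user = success.findtext("cas:user", default="", namespaces=CAS_NS)
    attributes: dict = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    if attrs_el is not None:
        for child in attrs_el:
            # child.tag is '{http://www.yale.edu/tp/cas}memberOf'; keep the local name.
            # Multi-valued attributes (several groups) repeat the element, so collect lists.
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True, "user": user, "attributes": attributes}


def authorise(result: dict, required_group: str = REQUIRED_GROUP) -> bool:
    """Allow only a successfully validated user who is in the required LDAP group.
    A failed validation (bad or replayed ticket) never grants access."""
    if not result.get("ok"):
        return False
    groups = result["attributes"].get(GROUP_ATTR, [])
    # DNs are compared case-insensitively, as LDAP does.
    return required_group.lower() in (g.lower() for g in groups)


if __name__ == "__main__":
    print(login_redirect_url("https://cas-icinga.wikimedia.org/"))
    ok = parse_validation(SUCCESS_XML)
    print(ok["user"], ok["attributes"], "authorised:", authorise(ok))
    bad = parse_validation(FAILURE_XML)
    print(bad["code"], bad["message"], "authorised:", authorise(bad))
```

In production a service would use a maintained CAS client library (or the Apache module the page alludes to) rather than hand-rolled parsing, and would fetch the validation URL over TLS with certificate verification; the point here is only that the authorisation decision is taken from the attributes CAS releases, never from anything the browser supplies.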
Which services are currently enabled?
- https://cas-icinga.wikimedia.org
- https://cas-puppetboard.wikimedia.org
- https://cas-graphite.wikimedia.org
- https://tendril.wikimedia.org
- https://people.wikimedia.org/~cdanis/sremap/
Enabling U2F as a second factor
Apereo CAS supports U2F as a second factor. This is configured on a per-user opt-in basis and configured via LDAP. Supported browsers are Chrome/Chromium, Firefox (ESR68 and later; ESR60 had some issues in tests, but it's EOLed anyway now) and Safari (13 and later).
All Yubikeys issued by OIT should be compatible. OnlyKeys were also reported to work (https://phabricator.wikimedia.org/T242438).
To enable U2F as a second factor, run the following on mwmaint1002.eqiad.wmnet:
sudo modify-mfa --enable UID
To disable U2F, use
sudo modify-mfa --disable UID
UID is your shell username here (as that's what identifies you at the LDAP level), not your Wikimedia Developer Account name. Once it's enabled, the next time you log in, your token will be registered. (Mid-term we'll have a proper identity management solution which will make registration on the shell obsolete.)
Known issues / FAQ
- The login (and service validation) take 10-15 seconds: That's unfortunately a known bug in the current 6.1.x version of Apereo CAS. It's tracked under https://phabricator.wikimedia.org/T246010 and there's a workaround of deploying CAS via Tomcat. That's something that we had been considering anyway (combined with a new approach to deploy CAS as .deb packages), but that will take a bit more time to get implemented. If anyone has further ideas to track down the issue, please get in touch!