CAS-Login using OmniLedger

The Center for Digital Trust is always searching for novel ways to decentralize control of users accounts so we don’t have to rely on a centralized structure that can be abused by administrators. Currently we have three kinds of services that we offer to our partners:

  1. A matrix.c4dt.org installation for internal discussions
  2. Our demo.c4dt.org demonstrators for testing by our partners
  3. A members-only page on the c4dt.org website

Because of GDPR and the size of our partners, we do not want to handle the access control ourselves, but delegate it to our partners. This menas that each of our partner has full control of the people they sign up and revoke from their user group. At C4DT we simply reference the partner as being a partner we trust and from whom we allow access from all their users.

All of this is controlled by a decentralized ledger, in our case OmniLedger. We use the Account Management developed by C4DT to enable the login service.

Central Authentication Service (CAS)

We chose CAS for our SSO solution as it is simpler than OAuth. Also, the service that needs authentication doesn’t need to be signed up to the IdP, which is OmniLedger in our case. Most services that need a login already support CAS. We used it successfully for Matrix and WordPress. Another service we’d like to try it out is Apache, to secure access to static webpages.

Setup

For both our matrix and our wordpress login we’re using this CAS login now. To make it work, it needs a setup-phase, that has to be done only once:

  1. Sign up admin users to OmniLedger
  2. Create a DARC for the login authorization
  3. Add new users and link them to the login-DARC
  4. Configure the CAS-login to trust the login-DARC

Login

The new users are added as described in Account Management and are autonomous. Once everything is signed up, here is how an authorized user logs in:

  1. The user goes to the login page of the service and clicks “SSO Login”
  2. She is redirected to the OmniLedger page and confirms the login
  3. A proof is created on OmniLedger and is sent back to the service
  4. The service verifies that the proof is correct and gets the user-information from the proof

If the user is not authorized, the 2nd step will already fail. Also, if an unauthorized user sends a wrong proof, it will be detected in step 3 and rejected.

How can I use it?

Think it sounds cool? There are at least two ways how you can try it out:

  1. Send us an email to byzcoin@listes.epfl.ch and we will send you an OmniLedger login with authorization to connect to our Matrix server
  2. Once you have an OmniLedger login, you can set up your own CAS login for the service, and report bugs/success stories

The code for the CAS verification is on github.