Single Sign On (SSO)
Realize Single Sign On using Membrane as a Gateway to your Web Applications and Services.
Membrane API Gateway can perform access authorization for HTTP requests. For example, an existing LDAP server can be easily integrated and used for authentication.
The login Feature
Membrane is highly modular and can easily be adjusted to your needs. One such module is the login feature, realizing Single Sign On for Membrane.
The login feature performs two-factor authentication for improved security:
- Firstly the user enters a username and a password.
- Secondly the users enters a numeric token.
The session cookie should be secured by using SSL.
The login feature itself is, again, modular. This allows Membrane to fulfill a variety of requirements.
The two most important sub-modules of the login feature are
- the user data provider, for example an adapter talking to an LDAP server, and
- the token provider, a component generating or computing numeric tokens to be used in addition to the user's password.
Text Message "SMS" Tokens
One such token provider is the telekomSMSTokenProvider: After the user entered her correct password into a web form, it randomly chooses a six-digit numeric token and sends it via text message (German short message service "SMS") to the user's cell phone via Deutsche Telekom's mobile network.
The user then enters the token into a second web form. If the token entered matches the one generated, access is granted.
Of course, this works with cell phones from all standard mobile networks.
TOTP tokens aka RFC 6238 aka Google Authenticator
The tokens can alternatively be generated from a pre-shared secret and the current time. This method does not require a cell phone connection, but can be subject to credential theft.
For more detailed documentation, see the login reference.