At work I’ve been doing a ton of Single Sign On, SAML, and certificate based authentication. I wanted to try that out for my own personal use. It turned out to be much easier than I expected.
I’ve already blogged here about updating my site certificates using StartCom SSL. Another free service they offer is an OpenID Connect certificate.
The process is actually pretty straight forward.
To get started with StartCom in the first place you have to download a client side certificate into your web browser. This is a file that you must keep on your computer and must protect. When your web browser connects to StartCom services it presents this certificate and says “Here I am”. Since you should be the only person with that certificate StartCom can say “OK, come on in”.
This is nice because you don’t have to remember a username and password. The downside is that you have to keep this certificate handy to load it onto each machine you connect from. An encrypted USB key can be handy for this. You have to figure out how to make your Operating System and Browser combination present this certificate as an identity cert. Often this is an advanced setting in the browser that allows you to import an Identity Certificate.
OpenID Connect takes this to the next step.
StartCom knows who I am and knows my certificate. As a provider of web services (bbbburns.com WordPress) I can make the decision to allow in certain users that an OpenID provider has authenticated. I downloaded the WordPress OpenID plugin, and tied my ID of bbbburns.startssl.com to my WordPress account.
When I login to my own WordPress site now I can just type in “bbbburns.startssl.com” as the user and hit Login. The site redirects me to startssl.com for authentication using my client certificate. If successful, I get redirected back to bbbburns.com with an authentication assertion. Since bbbburns.startssl.com is tied to my WordPress account on the server I’m automatically logged in as this user.
The setup for all of this took just a few minutes!
Comments
2 responses to “OpenID Connect”
Burns,
cert-based authentication systems are pretty convenient, but it’s pretty easy to steal, intercept, collect, or otherwise harvest certificates. There are a couple families of malware that inject into web browsers so that they can grab these kinds of certs (which conveniently presents the service and URL info) and some that plunder the certificate store to the same effect albeit different processes. My second factor has to be physical – if it ain’t something I “possess” in the most literal sense I just don’t trust it.
Devon,
I’ve had this same thought myself and it’s why I’ve been doing deployments lately with a physical CAC card. I haven’t reached the point where I’m using this in my own PERSONAL life, but the US Govt is certainly using it everywhere possible.
I wonder if the tech will ever go main stream. The YubiKey is one solution but I haven’t investigated too closely.