NuFW provides an elegant and secure framework for building Single Sign On solutions. The principle is natural because the gateway, the cross point that every connection must pass through, is what centralises and answers authentication requests.
NuFW 0.7.1 introduces an option that builds a real-time authenticated connection tracking table: it is a sort of conntrack table where each entry holds the IP parameters of the connection, the identity of the user who originated it, and the state of the connection. This table is stored in an SQL database (both MySQL and PostgreSQL are supported).
Because a server (such as Apache) knows the IP parameters of the connections it receives, it can query the SQL database to find the corresponding entry for each connection. Mod_auth_nufw performs exactly this task for Apache: it looks up the user ID in the NuFW "conntrack" table and lets Apache know that this user is now identified (and authenticated). Authorization is then left to other Apache modules, following the classical process.
This gives the server the identity of the user who opened the connection. The server thus authenticates the user in a way that is fully transparent to the user, and this principle allows complete Single Sign On systems to be built where the key is a netfilter firewall running NuFW.
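The lookup that mod_auth_nufw performs, modelled as an added example that is not NuFW's or mod_auth_nufw's own code: the table name, its columns and the state values are assumptions, and an in-memory SQLite table stands in for the MySQL/PostgreSQL store. It shows the two checks a server-side lookup needs beyond the bare tuple match: the entry must still be open, and exactly one entry must match.

```python
# Added example, not part of NuFW or mod_auth_nufw. Schema and rows are constructed.
import sqlite3
from typing import Optional

# Hypothetical layout of the authenticated conntrack table described in the text:
# the connection's IP parameters, the user at its origin, and its state.
SCHEMA = """
CREATE TABLE auth_conntrack (
    ip_protocol INTEGER, src_ip TEXT, src_port INTEGER,
    dst_ip TEXT, dst_port INTEGER,
    user_id INTEGER, username TEXT,
    state TEXT            -- 'open' while tracked by the firewall, 'closed' afterwards
);
"""

# Constructed sample entries: alice has a live HTTP connection, bob's has ended.
CONSTRUCTED_ROWS = [
    (6, "192.0.2.10", 40000, "192.0.2.80", 80, 1001, "alice", "open"),
    (6, "192.0.2.11", 40001, "192.0.2.80", 80, 1002, "bob", "closed"),
]


def open_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed entries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO auth_conntrack VALUES (?,?,?,?,?,?,?,?)", CONSTRUCTED_ROWS)
    return conn


def lookup_user(conn: sqlite3.Connection, proto: int, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the username bound to this exact 5-tuple, or None.

    The server (e.g. Apache) already knows the 5-tuple of the accepted socket;
    only an 'open' entry counts, and an ambiguous match (more than one row) is
    refused rather than guessed.
    """
    rows = conn.execute(
        "SELECT username FROM auth_conntrack "
        "WHERE ip_protocol = ? AND src_ip = ? AND src_port = ? "
        "AND dst_ip = ? AND dst_port = ? AND state = 'open'",
        (proto, src_ip, src_port, dst_ip, dst_port),
    ).fetchall()
    if len(rows) != 1:
        return None
    return rows[0][0]


if __name__ == "__main__":
    db = open_db()
    print(lookup_user(db, 6, "192.0.2.10", 40000, "192.0.2.80", 80))  # alice
```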
