Integrating CA Technologies Single Sign-On and Shibboleth with your web app by using the magic of Varnish and VCL
In my work, being in contact with customers as well as system administrators, I get to see a wide range of different challenges and spend time discussing different ways that Varnish can solve a variety of problems across industries and sectors. With time I will discuss the many more ways that the flexibility and power of VCL can be harnessed and adapted.
But to begin, I’d like to illustrate how universities have used Varnish as an integration point at the cache level as part of their single sign-on solutions.
SSO SOS: The single sign-on dilemma
Okay, maybe single sign-on is not a dilemma. But single sign-on (SSO) technology is something most companies and institutions use to simplify access control and rights to multiple, independent software systems and sites. Yes, the SSO is meant to simplify the end-user experience. But the moderate “dilemma” is figuring out how to implement a smoothly functioning SSO. The magic happens behind the scenes, making the experience for the user seamless across sites in related web properties.
Like a one-stop shop...
The SSO question has been answered in some cases, particularly in the private sector. But where we see a number of institutions struggle is in the education sector. Universities and colleges, often bound by the requirement to seek open-source software solutions that offer professional support, own web properties (even layers and sub-layers of web properties), all of which may have different needs in terms of user access rights and authentication. In our travels and discussions, we have met many university system administrators who have struggled with this very problem.
How can a university’s wide array of sites and content be restricted to authorized-access only across a student body, faculty and potentially other parties - while also ensuring content availability?
Today most universities use CA Single Sign-On and/or the open-source, standards-based Shibboleth (common to universities) to administer their single sign-on solutions. Most universities have hundreds, if not tens of thousands of students, and hundreds of URLs, all of which require different levels of access control and identity authentication. Single sign-on mechanisms must work to interpret and store credentials to ensure the right access to different applications, sites, portals, CMS systems, content and resources based on an initial single credential. Many tools can, in conjunction, deliver at least this much fairly seamlessly.
The answer: a consolidated, flexible and speedy single URL space
Unified access is needed at the same time as needing to cache content at scale, e.g. if 10,000 users suddenly want to access the same content at the same time? Even when a huge access crunch is predictable, there must be an integration layer in the middle that won’t break when such rushes occur
We’ve already established that many different portals and sites require varying levels of restricted access. A check needs to be performed again and again to authorize, authenticate and serve the same stuff. This can be a complicated problem when trying to combine Shibboleth and CA SSO across different web content systems. But this is a fairly easy issue to solve using Varnish caching content in front of any collection of web content systems with the right setup. Besides configuring your SSO system to allow for an external proxy, you can cache anonymous content and pass your traffic to any backend in cases where content cannot and should not be cached. For that the only thing you need to do is to use VCL magic and let your traffic do the dance with Varnish, your Drupal, WordPress or any CMS, CA SSO and Shibboleth.
In my next blog post, we will look how you can leverage caching for access controlled content combined with SSO integration by using Varnish Paywall components.
Meanwhile, you can learn more about and sign up for the Varnish Plus for Academia offer that is designed to meet the specific challenges universities and academic organizations face in delivering and administering all kinds of digital content.
Photo(c) 2013 Nuclear Regulatory Commission used under Creative Commons license.