More Google Apps Single Sign On Love - Pivotal Tracker, Graphite, Nagios, and Confluence
One of the many things we've discovered as we've grown the engineering team at Hearsay Social is how annoying the proliferation of logins gets as we bring on new people. We use Google Apps for our email & calendaring, Pivotal Tracker for our backlog, Nagios for our monitoring, Hudson for continuous integration, Confluence for our wiki, Graphite for real-time metrics, Sauce Labs for Selenium testing, Zendesk to handle our support, and GitHub as the keeper of our code. Every time we bring on a new engineer--something we're trying to do as often as possible these days!--we have to create N new logins.
What's more, we've found that people don't use the systems as often when they're unsure of how they're supposed to log in. "Is it my email, or my username, or my name, or something I forgot about? Oh well, I'll just check it later."
Or, we could use just one! As Roger explained so nicely in his last post, integrating Single Sign On (SSO) for Hudson/Jenkins isn't as hard as it seems. Since we've invested a bunch of time making it work seamlessly for the rest of our infrastructure, I figured we should explain how.
Confluence, unfortunately, prefers to use Crowd as its SSO solution...but even that didn't appear to handle our case nicely, and it's another few thousand dollars. Yuck. Happily, Confluence exposes a generic Authenticator class that you can use to detect and redirect to Google Apps for OpenId. @rbm and I dusted off our Java skillz late one Friday night and hacked this out--as soon as we have a chance to clean it up a bit, we'll open source it.
Pivotal Tracker is the opposite end of the spectrum--just install the app from the Google Apps marketplace, and you're good to go. Unfortunately, they make you enter your domain each time you log in (so that they know where to redirect you to sign in via OpenID).
To make things easier, Dale threw together a simple Apache virtualhost with mod_rewrite that will take requests to a subdomain (in this case, https://pivotal.example.com) and redirect them to Pivotal's landing page with the form submission...this runs on a utility server and makes our lives just a bit easier.
    ServerName pivotal.example.com
    KeepAlive Off
    RewriteEngine On
    RewriteRule ^(.*)$ https://www.pivotaltracker.com/google_domain_openid/redirect_for_auth/google_domain_signin_form?method=get&domain=example.com [R=301,L]
Nagios & Graphite
These were the fun ones. Both are secured behind our VPN, but we still want some sort of credentials to access them, and Apache basic auth is just not cool. So we set off to find a way to integrate Apache authentication with Google Apps, and sure enough, it's been done (https://github.com/epotocko/apache-google-apps-sso)! Long story short, you need:
- memcached and libmemcache
- auth_mem_cookie (note that for the versions I was using, I had to recompile libmemcache without inline directives in order for auth_mem_cookie to link against a couple of specific methods...I haven't yet had time to submit a patch)
- and apache-google-apps-sso
What you basically end up doing is setting up your Apache vhost to protect everything but /auth/ with auth_mem_cookie (which looks for a cookie to validate your session against memcached), and then setting up a PHP script in /auth/ to redirect users to Google Apps OpenID endpoint and back to you. Upon successfully validating the Google Apps OpenID response, the PHP script sets the expected cookie (and stores the session in memcached), and then you're able to access the rest of the vhost as expected.
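To make the hand-off concrete, here is a small Python model of that flow (an added illustration, not the PHP script or the auth_mem_cookie module): /auth/ stays open so the OpenID round-trip can complete, the callback only mints a session for a verified identity in our own Google Apps domain, and every other path is gated on a cookie that resolves to a live, unexpired entry in the session store. The cookie name, domain, TTL and the dict standing in for memcached are all assumptions.

```python
import secrets
import time

ALLOWED_DOMAIN = "example.com"   # our Google Apps domain (assumed)
COOKIE_NAME = "Auth_memCookie"   # constructed; the real name is set in the Apache config
SESSION_TTL = 3600               # seconds; constructed value

# Stand-in for memcached: session id -> (email, expiry timestamp)
sessions = {}


def issue_session(openid_response, now=None):
    """Run by the /auth/ callback after the OpenID assertion has been verified.
    Returns (cookie_name, session_id), or None if no session should be issued."""
    now = time.time() if now is None else now
    if not openid_response.get("verified"):
        return None
    email = openid_response.get("email", "")
    # Any Google account can complete the OpenID dance; only accept ours.
    if email.rpartition("@")[2].lower() != ALLOWED_DOMAIN:
        return None
    sid = secrets.token_urlsafe(32)  # the cookie is the only credential, so it must be unguessable
    sessions[sid] = (email, now + SESSION_TTL)
    return (COOKIE_NAME, sid)


def set_cookie_header(name, sid):
    """Cookie attributes the callback should send: HTTPS only, not readable by scripts."""
    return "Set-Cookie: %s=%s; Path=/; Secure; HttpOnly" % (name, sid)


def authorize(path, cookies, now=None):
    """Per-request check, as auth_mem_cookie does it: /auth/ is exempt,
    everything else needs a cookie that maps to a live session."""
    now = time.time() if now is None else now
    if path.startswith("/auth/"):
        return True
    sid = cookies.get(COOKIE_NAME)
    entry = sessions.get(sid) if sid else None
    if entry is None:
        return False
    _email, expires = entry
    if now >= expires:
        sessions.pop(sid, None)  # mimic memcached dropping the expired key
        return False
    return True
```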
Zendesk provides a nice single sign on API to implement against--so that you and your end-users can sign on seamlessly from your app, instead of needing another account. They do a great job of describing it, so we'll leave it at that.
Unfortunately, our friends at Sauce Labs, GitHub, & Newton (you know who I'm talking about, Joel!) haven't exposed SSO APIs or endpoints yet, although I have a feeling we could at least fake it with a form submission for Sauce Labs since it's a shared account (note to self...and John Dunham if you're reading this). But soon!