Castronaut -- SSO, The Big Unit and a Fedora

I'd like to introduce you to another Relevance open source project, Castronaut. Attentive readers will have noticed our focus on security issues, from code audits to books to restful authentication to SSO and on. We've used lots of different centralized authentication systems in the past, and have really settled on two options: OpenID and CAS. OpenID is great for public sites where the user pool is self-expanding; CAS is great for closed sites where the user pool is despotically maintained. (The reasons to choose between an open, decentralized protocol and an internal, managed one are many; this is just one simple vector.)

In the past, we've used the original JA-SIG Java version of CAS, as well as the more recent RubyCas Server. In the end, we decided to write our own. The major reasons are:

  • we need a non-Java-based solution. Some of our clients simply won't allow JVM-based software in their systems.
  • we need a solution that is based on the MIT license, not the GPL (or LGPL, for that matter).
  • we need a solution that is testable and tested.
  • we need a way to create a project that has the word "Castro" in it.

We couldn't get that combination with any of the existing projects, so we launched Castronaut into orbit. Here are some things you'll need to know.

h2. Built on Sinatra

We stuck with Ruby for the implementation. Duh. However, we wanted to implement it in something lighter than Rails (and Merb) but needed more than Camping provided. We also wanted a testable and well-tested solution. Camping failed the sniff test because it isn't well-tested, nor particularly testable. Sinatra, being a thin wrapper around Rack, is well tested, current and has lots of eyes on it.

h2. Uses standard adapter architecture

Like any good authentication application, we provide a standard adapter architecture for our authentication providers. Right now, we are shipping with:

  • restful_authentication, which can be pointed at any data schema that restful_authentication itself can use.
  • ldap, with pre-authenticated ldap and Active Directory adapters upcoming
  • development, which uses unencrypted credentials, for easy testing and experimenting

We built this to solve particular needs. We fully expect it to grow over time, as our needs and, hopefully, the needs of other users dictate. It is specifically this need to grow and change that led us to create Castronaut in the first place.

h2. CAS 2.0 Spec compliance

We support all the major portions of the CAS 2.0 spec except proxy granting ticket IOUs, which means we support ticket granting tickets, service tickets, proxy granting tickets and proxy tickets. Castronaut therefore allows for centralized authentication, single sign-on, and pass-through service authentication. We'll tackle the IOU problem the first time we have a real-world usage for it. Feel free to provide us one.
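To make the four ticket types concrete, here is an added in-memory model of how a CAS 2.0 server hands them out and checks them on validation (service binding, single use, expiry). It is illustration only, not Castronaut's code; the class, method names and the 300 second TTL are assumptions.

```ruby
require 'securerandom'
# Added illustration of the CAS 2.0 tickets the post lists (TGT, ST, PGT, PT); hypothetical, not Castronaut's code.
class CasTicketRegistry
  Ticket = Struct.new(:id, :kind, :service, :user, :expires_at, :used)
  def initialize(ttl: 300)
    @ttl, @tickets = ttl, {}
  end
  # Primary authentication succeeded: issue the TGT the SSO cookie carries.
  def grant_tgt(user)
    issue('TGT', nil, user)
  end
  # A service ticket is bound to one service URL and is single use.
  def grant_st(tgt_id, service)
    issue('ST', service, check!(tgt_id, 'TGT', nil).user)
  end
  # /serviceValidate: the ST must return from the service it was issued to,
  # once; with want_pgt the caller also receives a proxy granting ticket.
  def validate_st(st_id, service, want_pgt: false)
    user = consume!(st_id, 'ST', service)
    { user: user, pgt: want_pgt ? issue('PGT', nil, user) : nil }
  end
  # A proxying service trades its PGT for a PT aimed at one backend service.
  def grant_pt(pgt_id, target_service)
    issue('PT', target_service, check!(pgt_id, 'PGT', nil).user)
  end
  # /proxyValidate: same binding and single-use rules as a service ticket.
  def validate_pt(pt_id, service)
    { user: consume!(pt_id, 'PT', service) }
  end
  private
  def issue(kind, service, user)
    id = "#{kind}-#{SecureRandom.hex(16)}"
    @tickets[id] = Ticket.new(id, kind, service, user, Time.now + @ttl, false)
    id
  end
  # Reject unknown, wrong-kind, expired, already-used or wrongly bound tickets.
  def check!(id, kind, service)
    t = @tickets[id]
    raise 'unknown ticket' unless t && t.kind == kind
    raise 'ticket expired' if Time.now > t.expires_at
    raise 'ticket already used' if t.used
    raise 'service mismatch' unless t.service == service
    t
  end
  def consume!(id, kind, service)
    t = check!(id, kind, service)
    t.used = true
    t.user
  end
end
```

A replayed service ticket, a ticket presented by a different service than the one it was issued to, and a ticket past its TTL are all refused, which is the behaviour a CAS client relies on.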

h2. Updated Small Things, Loosely Joined code samples

You can download a new set of the samples from my Small Things, Loosely Joined talk that use Castronaut. The only difference is the use of restful_authentication for the included apps and a small change to the rubycas-client configuration settings.

h2. So, what's next?

Installation is a snap, and well documented. You can install as a gem using:

  > sudo gem install relevance-castronaut --source http://gems.github.com

Edit a config YAML file somewhere, and launch:

  > castronaut -C [path-to-yml-file]

That's it. We hope people will use it and give us feedback at our Lighthouse page.
