Identity 2.0: the what, why and how of social and federated login

Whether you're developing public-facing web apps or deploying behind
the corporate firewall, the days of identity silos are over. Social
auth (*log in with FooBookHub*) and federated identity (*SAML*,
*OpenID Connect* and friends) are the new normal. The advantages
are clear: developers and operators have less security-sensitive
code to write and deploy, while users experience less password/account fatigue, and
enjoy improved productivity through *single sign-on*.

But there's no such thing as a free lunch; like most things in technology, there are
trade-offs. Federated authentication protocols are inherently more
elaborate than plain old passwords; more moving parts means more
complex deployment and more points of failure. Fortunately there are
tools to ease the burden and smooth the process of securing your applications.

In this extended session for web developers and
administrators/operations folks, attendees will learn and experience
how to deploy and use federated auth, end-to-end from the identity
provider to the app. The session will cover:

- The basics of federated authentication including **protocol
overviews** and comparisons.

- How to use **social auth** providers for public-facing
applications, allowing users to log in with an account they
already have.

- How to leverage accounts in centralised identity management
systems (*FreeIPA*, *Active Directory*, *LDAP*, etc) for **single
sign-on** in an organisation.

- How **identity brokers** like *Keycloak* make it easy to use a
variety of external authentication providers, and provide a
consistent user experience across multiple applications.

- How to use external identities in your applications with the help
of your web server, focusing in particular on popular **Python web
frameworks** and Apache (though the principles are more widely
applicable).

- **Security** characteristics, and discussion of some challenging
scenarios including testing, account merging and single sign-out.

Presented by

Fraser Tweedale

Fraser works at Red Hat on the FreeIPA identity management system
and the Dogtag Certificate System. He's interested in security,
cryptography, functional programming, type theory and theorem
proving. Sometimes writes Python. Crazy about jalapeños.
