Presentation is loading. Please wait.

Presentation is loading. Please wait.

Central Authentication Service Roadmap JA-SIG Winter 2004.

Similar presentations


Presentation on theme: "Central Authentication Service Roadmap JA-SIG Winter 2004."— Presentation transcript:

1 Central Authentication Service Roadmap JA-SIG Winter 2004

2 A new CAS Presentation What is CAS? (Enterprise Single Sign On) What is CAS? (Enterprise Single Sign On) Whats new with CAS? (new CAS Java Client) Whats new with CAS? (new CAS Java Client) Whats using CAS? (Acegi) Whats using CAS? (Acegi) Where is CAS going? (Roadmap) Where is CAS going? (Roadmap) Resources? Resources?

3 What is CAS? Enterprise Web Single-sign-on Enterprise Web Single-sign-on Your users authenticate to CAS Your users authenticate to CAS Only CAS sees user passwords Only CAS sees user passwords Your applications receive assurance of authentication from CAS Your applications receive assurance of authentication from CAS

4 CAS as Trusted CAS is the Trusted Intermediary CAS is the Trusted Intermediary

5 The Bad Old Days

6 Log in to each application Application AApplication B Application C Application D Application EApplication F

7 Examples Were going to walk through two examples demonstrating CASs features. Were going to walk through two examples demonstrating CASs features.

8 Example: Network registration Welcome to Our University Network Registration. First, you need to log in:

9 CAS Login

10 CAS redirects back to application Places ticket=ABCDEFG123 on the request Places ticket=ABCDEFG123 on the request

11 Application receives ticket Validates ticket with CAS server Validates ticket with CAS server awp9 awp9

12 Okay, user is authenticated Notice: The user didnt give her password to the application itself. Notice: The user didnt give her password to the application itself.

13 CAS Vocabulary Ticket – its longish random String. Ticket – its longish random String. Ticket Granting Ticket / Ticket Granting Cookie – a CAS session identifier Ticket Granting Ticket / Ticket Granting Cookie – a CAS session identifier Service Ticket Service Ticket Proxy Granting Ticket Proxy Granting Ticket Proxy Ticket Proxy Ticket

14 Example 2: uPortal & SSO Great, weve authenticated. Now lets visit our uPortal: Great, weve authenticated. Now lets visit our uPortal:

15 CAS does not display Reads the secure cookie from the browser session. Reads the secure cookie from the browser session. Single sign on. Single sign on. Redirects back to uPortal with the ticket. Redirects back to uPortal with the ticket.

16 uPortal validates the ticket And requests a Proxy Granting Ticket. And requests a Proxy Granting Ticket.

17 Authenticated to uPortal

18 Proxying to get my mail uPortal uses PGT to get PT for mail XML service, requests mail XML service uPortal uses PGT to get PT for mail XML service, requests mail XML service Mail XML service receives PT, validates it, and gets a PGT. Mail XML service receives PT, validates it, and gets a PGT. Mail XML service gets PT for IMAP server, presents to IMAP server. Mail XML service gets PT for IMAP server, presents to IMAP server. IMAP server delegates to PAM_CAS to validate the PT. IMAP server delegates to PAM_CAS to validate the PT.

19 The result

20 Recent Email Channel Email Servlet uPortal IMAP Server XML CAS PGT PT NetID IMAP session S PT NetID ProxyIDs

21 What is CAS? CAS is web SSO. CAS is web SSO. CAS is a concrete (Java Servlets) implementation. CAS is a concrete (Java Servlets) implementation. CAS is a constellation of client libraries, including PAM, Apache modules, Java.jars, php, perl, … CAS is a constellation of client libraries, including PAM, Apache modules, Java.jars, php, perl, …

22 Whats new? CAS Java Client Version 2.1.0 Version 2.1.0

23 CASFilter CAS Java Servlet Filter CAS Java Servlet Filter Renew and Gateway features Renew and Gateway features Optionally set the remoteUser Optionally set the remoteUser Allows multiple authorized proxies Allows multiple authorized proxies

24 CASReceipt CASReceipt represents results from CAS authentication CASReceipt represents results from CAS authentication Exposed in the session by CASFilter Exposed in the session by CASFilter

25 Filter Composition Subsequent filters can examine the results of CAS authentication: Subsequent filters can examine the results of CAS authentication: ProxyChainScrutinizerFilter ProxyChainScrutinizerFilter

26 Commons logging CAS Java Client 2.1.x CAS Java Client 2.1.x

27 uPortal: YaleCASFilteredContext Use CASValidateFilter to accomplish the actual ticket validation – YaleCASFilteredContext just consumes the CASReceipt. Use CASValidateFilter to accomplish the actual ticket validation – YaleCASFilteredContext just consumes the CASReceipt.

28 The approach CASFilter Additional filtering Your application

29 Whats new: Acegi

30 Acegi is an authentication/authorization framework that works well with Spring Acegi is an authentication/authorization framework that works well with Spring It supports CAS for enterprise single sign on It supports CAS for enterprise single sign on A layer of abstraction beyond the CAS Java Client. A layer of abstraction beyond the CAS Java Client.

31 Roadmap Where is CAS going? Where is CAS going? Formalization of CAS protocol Formalization of CAS protocol SAML as the language for CAS requests and responses SAML as the language for CAS requests and responses Interface-rich, more pluggable server implementation Interface-rich, more pluggable server implementation

32 Formalization of CAS protocol Before CAS can be re-implemented, we need a formal specification of exactly what protocol it implemented the first time. Before CAS can be re-implemented, we need a formal specification of exactly what protocol it implemented the first time.

33 SAML CAS 2.0 uses ad-hoc XML. This was simple, worked well. CAS 2.0 uses ad-hoc XML. This was simple, worked well. CAS 3.0 will additionally support SAML. More complex, but more standards compliant. CAS 3.0 will additionally support SAML. More complex, but more standards compliant. CAS as the authentication piece in a Shibboleth installation. CAS as the authentication piece in a Shibboleth installation.

34 Assertions CAS SAML assertions of who logged in how when CAS SAML assertions of who logged in how when Attribute assertions Attribute assertions PGTs are attributes? PGTs are attributes? Details not yet fully defined Details not yet fully defined

35 Attribute assertions Common use case: now that youve authenticated your user, you want some attributes Common use case: now that youve authenticated your user, you want some attributes SAML language allows us to assert attributes other than the user name at ticket validation SAML language allows us to assert attributes other than the user name at ticket validation

36 SSL callback and client certs CAS uses an https: callback to authenticate the service CAS uses an https: callback to authenticate the service Signed SAML requests provide us an alternative Signed SAML requests provide us an alternative

37 Interface-rich, more pluggable Old model: you download CAS and then hack away at it to make it meet your needs. Old model: you download CAS and then hack away at it to make it meet your needs. New model: you plug in local changes at well-defined extension points New model: you plug in local changes at well-defined extension points

38 Load Balancing CAS Why not to do this Why not to do this Default: ticket store backed by in-memory cache Default: ticket store backed by in-memory cache Possible: ticket store backed by RDBMS Possible: ticket store backed by RDBMS Possible: ticket store backed by [pick your favorite cache implementation] Possible: ticket store backed by [pick your favorite cache implementation]

39 Whitelisting services Why not to do this Why not to do this Possible: impose whitelist at ticket validation layer Possible: impose whitelist at ticket validation layer

40 Authentication itself CAS PasswordHandlers CAS PasswordHandlers CasGenericHandler – more ad-hoc XML confguration CasGenericHandler – more ad-hoc XML confguration Instead wire together using Spring Instead wire together using Spring

41 Single Sign Out Why not to do this Why not to do this But if were going to do this, lets at least make it easier to maintain the local mod But if were going to do this, lets at least make it easier to maintain the local mod Or maybe an optional aspect of the protocol – standardize without requiring Or maybe an optional aspect of the protocol – standardize without requiring

42 Extension points? Others? Others?

43 Rutgers and their fine work

44 Resources New CAS documentation (Wiki) New CAS documentation (Wiki) Active mailing list Active mailing list The larger CAS community The larger CAS community

45 Contact information http://www.yale.edu/its/tp/ http://www.yale.edu/its/tp/ http://www.yale.edu/its/tp/ andrew.petro@yale.edu andrew.petro@yale.edu andrew.petro@yale.edu drew.mazurek@yale.edu drew.mazurek@yale.edurew.mazurek@yale.edu cas@tp.its.yale.edu cas@tp.its.yale.edu


Download ppt "Central Authentication Service Roadmap JA-SIG Winter 2004."

Similar presentations


Ads by Google