We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byCameron Mossop
Modified about 1 year ago
Approaches and challenges for a SSO enabled extranet using Jasig CAS Florian Holzschuher René Peinl10.09.2013
Research group “systems integration”2© Prof. Dr. René Peinl iisys - Institut für Informationssysteme Analytical Information Systems Jörg Scheidt Multimedia Information Systems Richard Göbel Information Management Thomas Schaller Systems Integration René Peinl Managing Director Claus Atzenbeck Research Application Mission: „The institute is a competence centre for the application of information systems in companies. It is the bridge between international research and development and actual application in companies.“
Research group “systems integration”3© Prof. Dr. René Peinl Agenda Environment for Open Source SSO SSO scenarios -Intranet, Extranet, Cloud SSO protocols -Kerberos, SAML, OAuth, … SSO solutions -Shibboleth, CAS, JOSSO, … SSO experiences with CAS Conclusion
Research group “systems integration”4© Prof. Dr. René Peinl Environment for Open Source SSO Desktop -Windows still market leader with ~ 90% share Mobile -Chrome for Android similar capabilities like Desktop Chrome Server -Microsoft Active Directory is prevalent even in OSS environments SSO for all Microsoft products out of the box (NTLM, Kerberos) -OSS server-side applications mostly only with LDAP -SSO solution for OSS applications is needed
Research group “systems integration”5© Prof. Dr. René Peinl SSO scenarios Intranet -Everything under control, can be a homogenous landscape Extranet -Reverse Proxy, two URLs, firewalls, less control over clients Cloud SaaS, esp. hybrid cloud -Maybe without reverse proxy, instead load balancing, caching, geo replication -Upload of user accounts -SSO solution should be integrated with usage monitoring
Research group “systems integration”6© Prof. Dr. René Peinl SSO protocols Windows environments -NTLM -Kerberos Web Service environments -SAML -XACML Web 2.0 environments -OpenID -OAuth -OpenID connect
Research group “systems integration”7© Prof. Dr. René Peinl Open Source SSO solutions Shibboleth -Internet 2 consortium, federated scenarios, Web Services, SAML Jasig CAS (Central Authentication Service) -Uses own SSO protocol, but supports standards as well Atricore JOSSO -Java-based, but with.NET and PHP support, graphical SSO definition Forgerock OpenAM -Successor of the Sun Identity Manager WSO2 Identity Server -Plays nicely together with the remaining WSO2 infrastructure
Research group “systems integration”8© Prof. Dr. René Peinl Comparison of Open Source SSO Jasig CAS Atricore JOSSO WSO2 Id Server Forgerock Open AM Latest version3.5.2 (22.02.13) 2.3.0 (31.08.12) 4.1.0 (11.02.13) 10.1.0 (20.02.13) LicenseJasigs own open source license LGPLAPL v2CDDL 1.0 ProtocolsCAS, OAuth, OpenID, SAML, Kerberos SAML, NTLMOAuth, OpenID, XACML, SAML, … (18+), OAuth, SAML, Kerberos Authentication backends JAAS, LDAP, AD, Radius, JDBC, X.509, Negotiate (Kerberos) JAAS, LDAP JDBC, two factor auth with WiKID, X.509 LDAP, AD, JDBC, Cassandra LDAP, AD, two- factor auth with HOTP, Negotiate (Kerberos) RuntimesTomcat or other Servlet 2.4 container JBoss, Tomcat, Websphere, Geronimo, Jetty WSO2 Carbon server Tomcat, JBoss AgentsSpring, MS IIS, JEE, Apache 2.2, PHP, PAM Apache 2.2, PHP 4+, MS IIS, Liferay, Alfresco, phpBB, Spring, Coldfusion None foundApache 2.4, MS IIS, Sun Web Srv, JBoss, Glassfish, Tomcat, Web Logic Websphere,
Research group “systems integration”9© Prof. Dr. René Peinl Test scenario www.dein-weg-in-die-cloud.de
Research group “systems integration”10© Prof. Dr. René Peinl Experiences with CAS in an extranet Single sign-on is working relatively well, single sign-out does not AJP solves most reverse proxy problems, but not all. Especially AJAX calls cause trouble Authentication on the reverse proxy instead of the application doesn't make a notable difference Local administrative accounts have to be prepared for SSO Fallback solution with an option to opt-out of SSO and use a manual local login would be desirable image source: www.empowernetwork.com/thorsband/basic-computer-troubleshooting-tips/
Research group “systems integration”11© Prof. Dr. René Peinl Experiences with CAS in an extranet #2 Inclusion of Apache Rave with Apache Shindig caused problems => CAS' ticket proxying feature could be a part of the solution again AJAX calls with problems SSO is especially ill-suited for infrastructure services => Apache Solr could not be used to index contents due to session problems Image source: www.mostphotos.comwww.mostphotos.com
Research group “systems integration”12© Prof. Dr. René Peinl Conclusion Many Open Source applications are not well prepared for SSO (even well known ones like Alfresco) Besides SSO, you have to solve the identity management problem (synchronize user data between LDAP and application => IAM) Single sign-out is hard to implement, did only work well with Spring framework Complexity for SSO is rising from intranet, over extranet to (hybrid) cloud Gartner denoted SSO and IAM a "must have" for enterprises of all size and industry already 10 years ago => with open source software it's sadly not reality today, the same applies to Cloud applications in general
Research group “systems integration”13© Prof. Dr. René Peinl Thanks for your attention I'm happy to answer your questions Have a look at our project site: www.dein-weg-in-die-cloud.de
ADFS - Does it Still have a Place? Fitting into the EMS puzzle Frank C. Drewes III 2016 Redmond Summit | Identity.
CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.
The FederID project The First Identity Management and Federation Free Software.
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.
WELCOME TO MIDDLEWARE Joseph Amrithraj. Introduction before you dive in What is Three-tier architecture ? 'Three-tier' is a client-server architecture.
WSO2 Identity Server Road Map An Open Source Identity and Entitlement Management Server.
Private KEEP OFF! Private KEEP OFF! Open! What is a cloud? Cloud computing is a model for enabling convenient, on-demand network access to a shared.
Core identity scenarios Deep dive on federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Protect your data Enable your users Desktop Virtualization Information protection Mobile device & application management Identity and Access Management.
IT can provide users with a common identity across on-premises or cloud- based services, leveraging Windows Server Active Directory and Azure Active.
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
Using Novell iChain ® 2 to Deliver Internal Network Access without a VPN Brian Six Technical Account Manager Novell, Inc.
Agenda AD to Windows Azure AD Sync Options Federation Architecture AD to AAD Quick start By Sachin Shetty.
June 27, Teamcenter™ Security Services SSO Dennon Ison Software Engineer Template # 99-P34884K, Rev E – 3/17/08 © 2008 General.
All Rights Reserved 2014 © CMG Consulting LLC Federated Identity Management and Access Andres Carvallo Dwight Moore CMG Consulting, LLC October
Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.
Access and Information Protection Product Overview Andrew McMurray Technical Evangelist – Windows
Get identities to the cloud Mix on-premises and cloud identity for improved PC, mobile, and web productivity Cloud identities help you run your business.
Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco.
- NCSU project goals and requirements - Adoption Drivers - Current challenges and pain points - Identacor at NCSU - Identacor Features - NCSU Key Benefits.
Elia Windows 10 journey. Gilles Flisch TMD.Net Manager. Elia & Owner
Migrating Single Sign On to CAS and Shibboleth George Hosler Information Technology 5/29/2013.
BASIC NETWORK CONCEPTS (PART 6). Network Operating Systems NNow that you have a general idea of the network topologies, cable types, and network architectures,
Secure Single Sign-On Across Security Domains
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.
The Cloud Identity Security Leader. © 2012 Ping Identity Corporation Nair the twain shall meet Enterprise Social Mobile.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
| Copyright© 2011 Microsoft Corporation 1 journey to the cloud KOEN VAN TOLHUYZEN TSP OFFICE 365 MICROSOFT CORPORATION.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Office of Information Technology GT Identity and Access Management JA-SIG CAS project (introducing login.gatech.edu) April 29th,
PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002.
Aegis Identity Software, Inc. presents Trends in Identity and Access Management in Higher Education to US Federations June 20, 2012 Janet Yarbrough – Director.
APS (Keystone) Security “dial tone” Doron Grinstein Chief Architect October 2012 | Version 0.2 | Confidential.
ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015.
Using RADIUS as a AAA backbone for Windows networks Kostas Kalevras NTUA Network Operations Centre.
Office 365 Migration Challenges Drew St. John 2016 Redmond Summit | Identity Without Boundaries May 24, 2016 Consultant
Prabath Siriwardena, Director of Security, WSO2 Twitter
Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
SharePoint in the Education Space Presented by: Daniel Petersen Director of Business Solutions Applied Tech.
Central Authentication Service Roadmap JA-SIG Winter 2004.
EMS in action Hugh Simpson-Wells and Mark Riley 2016 Redmond Summit | Identity Without Boundaries
Windows Server Active Directory Intranet Managed Access Managed Identities Integrated Business Apps.
Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Www2.computer.org Basic Architecture Leo Wadsworth, Staff Manager April 2008.
#SummitNow Alfresco Authentication and Synchronization Nov 2013 Mark Rogers.
1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney
Slavko Kukrika MVP Connect Windows 10 to the Cloud – Cloud Join.
© 2017 SlidePlayer.com Inc. All rights reserved.