We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byCameron Mossop
Modified about 1 year ago
Approaches and challenges for a SSO enabled extranet using Jasig CAS Florian Holzschuher René Peinl
Research group “systems integration”2© Prof. Dr. René Peinl iisys - Institut für Informationssysteme Analytical Information Systems Jörg Scheidt Multimedia Information Systems Richard Göbel Information Management Thomas Schaller Systems Integration René Peinl Managing Director Claus Atzenbeck Research Application Mission: „The institute is a competence centre for the application of information systems in companies. It is the bridge between international research and development and actual application in companies.“
Research group “systems integration”3© Prof. Dr. René Peinl Agenda Environment for Open Source SSO SSO scenarios -Intranet, Extranet, Cloud SSO protocols -Kerberos, SAML, OAuth, … SSO solutions -Shibboleth, CAS, JOSSO, … SSO experiences with CAS Conclusion
Research group “systems integration”4© Prof. Dr. René Peinl Environment for Open Source SSO Desktop -Windows still market leader with ~ 90% share Mobile -Chrome for Android similar capabilities like Desktop Chrome Server -Microsoft Active Directory is prevalent even in OSS environments SSO for all Microsoft products out of the box (NTLM, Kerberos) -OSS server-side applications mostly only with LDAP -SSO solution for OSS applications is needed
Research group “systems integration”5© Prof. Dr. René Peinl SSO scenarios Intranet -Everything under control, can be a homogenous landscape Extranet -Reverse Proxy, two URLs, firewalls, less control over clients Cloud SaaS, esp. hybrid cloud -Maybe without reverse proxy, instead load balancing, caching, geo replication -Upload of user accounts -SSO solution should be integrated with usage monitoring
Research group “systems integration”6© Prof. Dr. René Peinl SSO protocols Windows environments -NTLM -Kerberos Web Service environments -SAML -XACML Web 2.0 environments -OpenID -OAuth -OpenID connect
Research group “systems integration”7© Prof. Dr. René Peinl Open Source SSO solutions Shibboleth -Internet 2 consortium, federated scenarios, Web Services, SAML Jasig CAS (Central Authentication Service) -Uses own SSO protocol, but supports standards as well Atricore JOSSO -Java-based, but with.NET and PHP support, graphical SSO definition Forgerock OpenAM -Successor of the Sun Identity Manager WSO2 Identity Server -Plays nicely together with the remaining WSO2 infrastructure
Research group “systems integration”8© Prof. Dr. René Peinl Comparison of Open Source SSO Jasig CAS Atricore JOSSO WSO2 Id Server Forgerock Open AM Latest version3.5.2 ( ) ( ) ( ) ( ) LicenseJasigs own open source license LGPLAPL v2CDDL 1.0 ProtocolsCAS, OAuth, OpenID, SAML, Kerberos SAML, NTLMOAuth, OpenID, XACML, SAML, … (18+), OAuth, SAML, Kerberos Authentication backends JAAS, LDAP, AD, Radius, JDBC, X.509, Negotiate (Kerberos) JAAS, LDAP JDBC, two factor auth with WiKID, X.509 LDAP, AD, JDBC, Cassandra LDAP, AD, two- factor auth with HOTP, Negotiate (Kerberos) RuntimesTomcat or other Servlet 2.4 container JBoss, Tomcat, Websphere, Geronimo, Jetty WSO2 Carbon server Tomcat, JBoss AgentsSpring, MS IIS, JEE, Apache 2.2, PHP, PAM Apache 2.2, PHP 4+, MS IIS, Liferay, Alfresco, phpBB, Spring, Coldfusion None foundApache 2.4, MS IIS, Sun Web Srv, JBoss, Glassfish, Tomcat, Web Logic Websphere,
Research group “systems integration”9© Prof. Dr. René Peinl Test scenario
Research group “systems integration”10© Prof. Dr. René Peinl Experiences with CAS in an extranet Single sign-on is working relatively well, single sign-out does not AJP solves most reverse proxy problems, but not all. Especially AJAX calls cause trouble Authentication on the reverse proxy instead of the application doesn't make a notable difference Local administrative accounts have to be prepared for SSO Fallback solution with an option to opt-out of SSO and use a manual local login would be desirable image source:
Research group “systems integration”11© Prof. Dr. René Peinl Experiences with CAS in an extranet #2 Inclusion of Apache Rave with Apache Shindig caused problems => CAS' ticket proxying feature could be a part of the solution again AJAX calls with problems SSO is especially ill-suited for infrastructure services => Apache Solr could not be used to index contents due to session problems Image source:
Research group “systems integration”12© Prof. Dr. René Peinl Conclusion Many Open Source applications are not well prepared for SSO (even well known ones like Alfresco) Besides SSO, you have to solve the identity management problem (synchronize user data between LDAP and application => IAM) Single sign-out is hard to implement, did only work well with Spring framework Complexity for SSO is rising from intranet, over extranet to (hybrid) cloud Gartner denoted SSO and IAM a "must have" for enterprises of all size and industry already 10 years ago => with open source software it's sadly not reality today, the same applies to Cloud applications in general
with open source software it's sadly not reality today, the same applies to Cloud applications in general">
Research group “systems integration”13© Prof. Dr. René Peinl Thanks for your attention I'm happy to answer your questions Have a look at our project site:
A Federated Single Sign-On architecture with multi factor authentication A high level yet somewhat technical presentation.
Directory Infrastructure Roadmap Overcoming Fragmented Identities - Roadmap to a Reliable Directory Infrastructure Thorsten Butschke & Dr. Martin Dehn.
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © – ESUP-Portail.
What happened to IPv5? and other oft asked IPv6 questions The Internet Society, IPv6 and You Susan Estrada.
Internet Protocol Security (IP Sec). Securing Intranets and Extranets at all levels.
Active Directory Federation Services How does it really work? John Craddock
Regnet Specification : Technical point of view REGNET.
Spotlight On Active Directory Interoperability Kim Saunders Director, Interoperability Programs Andreas Luther Group Program Management, Microsoft Identity.
Project Moonshot February Background Project Moonshot 2.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Services and Identity Management Prof. Sasu Tarkoma.
Genesis II Open Source, OGSA Implementation Genesis II: Easy-to-use, Standards Based Grid Middleware Andrew Grimshaw Genesis II Team University of Virginia.
How well REALLY move to the cloud – the coming alignment between hosters and cloud platform providers Dave Wright.
Windows 2008 Active Directory Configuration – Week 4 of 6 Microsoft Test: Mark McCoy MCSE, CNE, CISSP.
The following 10 questions test your knowledge of Internet-based client management in Configuration Manager Configuration Manager 2007 Internet-Based.
Field TDM Deck Optimize and Secure Your Core Infrastructure for Midsize Businesses.
RMS and Scheduling for Future Generation Grids Ramin Yahyapour University Dortmund Leader CoreGRID Institute on Resource Management and Scheduling CoreGRID.
Copyright line. Configuring Server Roles in Windows 2008 Exam Objectives New Roles in 2008 New Roles in 2008 Read-Only Domain Controllers (RODCs) Read-Only.
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any.
Usage Statistics in Context: related standards and tools Oliver Pesch Chief Strategist, E-Resources EBSCO Information Services Usage Statistics and Publishers:
Office 365 for education Customer Deck. | Copyright© 2010 Microsoft Corporation MEET STUDENT AND EDUCATOR NEEDS LEARNING FROM ANYWHERE LOWER COSTS ENTERPRISE.
Longhorn Academy Server Management Dave & Sebastian.
Computer networks Fundamentals of Information Technology Session 6.
Stop the Silos: The road to federated RTC Presented by Robin Raymond Chief Architect, Hookflash / OpenPeer.org.
Network Systems Sales LLC Value-Added Reseller Started in 2006 Focus: Offer deliverable, supported software and hardware-based technologies to solve business.
Microsoft Active Directory An Overview. What is Active Directory? Microsofts new Directory Service Microsofts new Directory Service Called: ADS, NTDS.
Windows 2008 Active Directory Configuration – Week 3 of 6 Microsoft Test: Mark McCoy MCSE, CNE, CISSP.
Canada Centre for Remote Sensing - ESS Distributed Access Control System Brian McLeod Canada Centre for Remote Sensing.
Anders Vinger, University of Oslo Personal Data Recovery The pain of laptops.
© 2016 SlidePlayer.com Inc. All rights reserved.