
1 uPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University

2 Portal authentication
Portals need to authenticate users
–To provide customized content
–To restrict portal-accessible resources
Portals also need access to third-party resources “as the user”
–“n-tier” authentication
–Single sign-on

3 Aggregating content → aggregating authentication (diagram: before and after)

4 What we will cover
1. How does uPortal authenticate users in the first place?
2. What is the N-tier authentication problem?
3. How does Yale’s model, CAS (Central Authentication Service), solve the problem?

5 uPortal’s pluggable security-context mechanism
Authentication support in uPortal is manifested through ISecurityContext
–Key functions:
  –Accept IPrincipal
  –Accept IOpaqueCredentials
  –Authenticate user
  –Return true/false (and optionally more)

6 uPortal’s authentication infrastructure: advantages
Flexibility
–Adapts to nearly any back-end campus authentication solution, e.g.
  –Kerberos (4, 5)
  –LDAP “authentication”
  –Unix password file (small-scale)
  –Server-based authentication (“trust”)
–Supports “chaining” providers to establish more than one context.

7 ChainingSecurityContext
Allows for a chain or a tree of providers to be called
Originally envisioned as acquiring multiple credentials at sign-in
–For example: a database connection, an LDAP initial context or a Kerberos TGT
Has not turned out to be the enabling component for single sign-on

8 UnionSecurityContext
Can sit at the top of the tree of chaining providers and present the isAuthenticated status and credentials of the first provider in the chain to succeed
A portal property determines whether to continue down the chain after a success
(diagram: Union Provider sitting above Simple Provider (password) and CAS Provider)

9 N-tier authentication (diagram: Portal and Channel)

10 uPortal’s authentication infrastructure: disadvantages
Limitations
–Provides a unified authentication “gate,” but no extra portal-specific functionality. No single sign-on.
–Just a model; does little work itself.
–But… can be wrenched to cache passwords: NotSoOpaqueCredentials, an IOpaqueCredentials that adds String getCredentials(); (not particularly secure)

11 Caching Security Provider
A way to replay passwords by giving channels access to them
Not the best idea
–May expose the password to insecure use by channels
–Participating applications have less security than before
–If the portal is compromised, users’ primary credentials are compromised

12 Password caching (diagram: the user’s password (PW) flows from the portal through each channel to every password-protected service)
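The union-of-contexts model on slides 7 and 8, and the password-caching shortcut criticised on slides 10 to 12, modelled as an added Python example. This is not uPortal’s code: the class names echo the slides, but the method names, the stop_when_authenticated flag, the user table and the ticket table are assumptions made for the illustration.

```python
# Added example, not uPortal code. Class names follow the slides; method names, the
# stop_when_authenticated flag and the sample tables are assumptions for this illustration.


class OpaqueCredentials:
    """Secret handed to a security context. Channels may hold the object but not read it."""

    def __init__(self, secret):
        self._secret = secret

    def _consume(self):
        # Intended for security contexts only; the underscore keeps it off the channel API.
        return self._secret


class NotSoOpaqueCredentials(OpaqueCredentials):
    """The slide-10 shortcut: anything holding the object can read the password back."""

    def get_credentials(self):
        return self._secret


class SecurityContext:
    def __init__(self):
        self.principal, self.credentials, self.authenticated = None, None, False

    def set_principal(self, uid):
        self.principal = uid

    def set_credentials(self, creds):
        self.credentials = creds

    def authenticate(self):
        raise NotImplementedError


class SimpleSecurityContext(SecurityContext):
    """Password check against a constructed user table (stands in for Kerberos/LDAP)."""

    USERS = {"sbramhall": "correct-horse"}  # constructed sample data

    def authenticate(self):
        expected = self.USERS.get(self.principal)
        given = self.credentials._consume() if self.credentials else None
        self.authenticated = expected is not None and given == expected
        return self.authenticated


class CasSecurityContext(SecurityContext):
    """Takes a service ticket instead of a password; the portal never learns the password."""

    # Constructed table; a real context would POST the ticket to CAS /serviceValidate.
    VALID_TICKETS = {"ST-example-1": "sbramhall"}

    def authenticate(self):
        ticket = self.credentials._consume() if self.credentials else None
        user = self.VALID_TICKETS.get(ticket)
        if user is not None:
            self.principal = user  # identity comes from CAS, not from a typed username
            self.authenticated = True
        return self.authenticated


class UnionSecurityContext(SecurityContext):
    """Feeds the same principal/credentials to each chained context and presents the first
    success (slide 8). The portal property that decides whether to keep going after a
    success is modelled by stop_when_authenticated (name assumed)."""

    def __init__(self, *chain, stop_when_authenticated=True):
        super().__init__()
        self.chain, self.stop_when_authenticated, self.winner = chain, stop_when_authenticated, None

    def authenticate(self):
        for ctx in self.chain:
            ctx.set_principal(self.principal)
            ctx.set_credentials(self.credentials)
            if ctx.authenticate() and self.winner is None:
                self.winner, self.authenticated, self.principal = ctx, True, ctx.principal
                if self.stop_when_authenticated:
                    break
        return self.authenticated


def channel_can_read_password(ctx):
    """What a channel learns from the context's credentials: None unless they leak."""
    getter = getattr(ctx.credentials, "get_credentials", None)
    return getter() if getter else None


def portal_login(principal, creds):
    """Runs a Simple-then-CAS union; returns (authenticated, winning context, leaked password)."""
    union = UnionSecurityContext(SimpleSecurityContext(), CasSecurityContext())
    union.set_principal(principal)
    union.set_credentials(creds)
    ok = union.authenticate()
    winner = type(union.winner).__name__ if union.winner else None
    return ok, winner, channel_can_read_password(union)
```

The same union authenticates a password through the simple context or a ticket through the CAS context, and in the CAS case the principal is whatever CAS says, not what was typed. Only the NotSoOpaqueCredentials run lets a channel read the password back, which is the exposure slides 11 and 12 warn about.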

13 Given the drawbacks of caching and re-using passwords, what’s a better approach?
How can a web-based single sign-on system really work?

14 Web-based single sign-on
Why is this problem different from existing single sign-on systems?
–Limited client support
Yale’s model is called CAS (Central Authentication Service). Model based (loosely) on Kerberos.
–“100% Pure Java”
–Pluggable back-end
–Available through JA-SIG Clearinghouse
–Thank you to Shawn Bayern
Other models: Liberty, Pubcookie (Washington), MACE WebISO, Passport

15 CAS in a nutshell (diagram: the browser authenticates to CAS via password, once; the browser authenticates to the web application without sending the password; the web application asks CAS to determine the validity of the user’s claimed authentication)

16 Primary benefits of CAS
Works with existing authentication infrastructures, such as Kerberos
Can be used by nearly any Web-application development environment (JSP, Servlets, ASP, Perl, mod_perl, PHP, Python, PL/SQL, and so forth), or as a server-wide Apache module
Allows “proxy” authentication for Web portals
Lets users authenticate securely to untrusted sites (e.g., student-run sites and third-party vendors) without supplying a password directly
Is portable (written in Java: Servlets, JSP, and JSTL)
Is freely available from Yale (with source code)

17 How CAS actually works (diagram: web browser, CAS and web resource; the browser obtains a service ticket (ST) from CAS and presents it to the web resource, which validates the ST with CAS)

18 Back to the N-tier problem
uPortal can authenticate users securely with CAS.
But it does not have first-hand knowledge of users’ credentials.
This is a good thing...
–Except that uPortal can’t impersonate the user in order to acquire secure data for the user.

19 CAS’s solution: proxiable credentials
1. During validation of the ST, an application acquires a proxy-granting ticket (PGT) from CAS
2. When the application needs access to a resource, it uses the PGT to get a proxy ticket (PT)
3. The application sends the PT to a back-end application
4. The back-end application confirms the PT with CAS, and also gains information about who proxied the authentication

20 Proxiable credentials illustrated (diagram: IMP obtains an ST from CAS, then a PGT and a PT; it presents the PT to the IMAP server, whose CAS PAM module validates it with CAS and learns the username and the identity of the web resource)

21 CAS Security Provider
Uses CAS for primary authentication
Uses the CAS ProxyTicketReceptor servlet to receive the PGT, to be redeemed later
Exposes a public method to channels to get a proxy service ticket for a particular service
Back-end system must be configured to validate and accept proxy credentials from uPortal

22 uPortal with CAS Provider (diagram: the CAS Security Context validates the ST with CAS and receives a PGT IOU; CAS delivers the PGT to the CAS Ticket Receptor Servlet; a channel calls getProxyTicket(pgtIou, service) (getCasServiceToken) to obtain a PT and sends it to the resource; the resource validates the PT with CAS and learns the username and the identity of the proxy (portal))

23 Characteristics of CAS’s solution
Back-end applications maintain control over their data
–For instance, the IMAP server may assert, “The only web-based email application I trust is https://www.mail.yale.edu/”
–Default: no proxies allowed!
User logout or timeout destroys subordinate credentials
–User must be “present” for proxied authentication to occur.
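The exchange on slides 17, 19, 22 and 23, as an added Python example that is not Yale’s CAS or uPortal code. The endpoint names (/login, /serviceValidate, /proxy, /proxyValidate) and the PGT/PGTIOU split follow the CAS protocol; everything else (ticket formats, URLs, the account store, the in-process callback list standing in for the HTTPS request CAS makes to pgtUrl, and the BackEnd proxy-policy check) is constructed for this illustration.

```python
# Added example, not Yale's CAS or uPortal code. Endpoint names follow the CAS protocol;
# ticket formats, URLs, the account store and the in-process callback list are made up.
import secrets
import time
from urllib.parse import urlsplit


class CasServer:
    def __init__(self, clock=time.time, tgt_ttl=3600):
        self.clock, self.tgt_ttl = clock, tgt_ttl
        self.tgts = {}       # TGT -> (user, issued_at): the browser's CAS session
        self.sts = {}        # ST  -> (user, service, tgt): single use
        self.pgts = {}       # PGT -> (user, proxy_chain, tgt)
        self.pts = {}        # PT  -> (user, service, proxy_chain, tgt)
        self.callbacks = []  # stands in for the HTTPS request CAS makes to pgtUrl
        self.accounts = {"sbramhall": "correct-horse"}  # constructed user store

    def _tgt_valid(self, tgt):
        rec = self.tgts.get(tgt)
        return rec is not None and self.clock() - rec[1] < self.tgt_ttl

    def login(self, user, password, service):
        """/login: the only step that ever sees the password. Returns (TGT, ST for service)."""
        if self.accounts.get(user) != password:
            return None, None
        tgt, st = "TGC-" + secrets.token_urlsafe(16), "ST-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = (user, self.clock())
        self.sts[st] = (user, service, tgt)
        return tgt, st

    def service_validate(self, ticket, service, pgt_url=None):
        """/serviceValidate: the ST must be unused, issued for exactly this service, and
        backed by a live TGT. Given an HTTPS pgtUrl, CAS mints a PGT, delivers it to
        pgtUrl out of band, and returns only the PGTIOU in the response."""
        rec = self.sts.pop(ticket, None)
        if rec is None or rec[1] != service or not self._tgt_valid(rec[2]):
            return {"ok": False}
        user, _, tgt = rec
        resp = {"ok": True, "user": user}
        if pgt_url is not None:
            if urlsplit(pgt_url).scheme != "https":
                return {"ok": False}  # a PGT must never travel over plaintext
            pgt, iou = "PGT-" + secrets.token_urlsafe(16), "PGTIOU-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (user, [service], tgt)
            self.callbacks.append((pgt_url, iou, pgt))
            resp["pgtIou"] = iou
        return resp

    def proxy(self, pgt, target_service):
        """/proxy: redeem a live PGT for a PT bound to target_service."""
        rec = self.pgts.get(pgt)
        if rec is None or not self._tgt_valid(rec[2]):
            return None
        pt = "PT-" + secrets.token_urlsafe(16)
        self.pts[pt] = (rec[0], target_service, list(rec[1]), rec[2])
        return pt

    def proxy_validate(self, ticket, service):
        """/proxyValidate: tells the back end who the user is and who proxied for them."""
        rec = self.pts.pop(ticket, None)
        if rec is None or rec[1] != service or not self._tgt_valid(rec[3]):
            return {"ok": False}
        return {"ok": True, "user": rec[0], "proxies": rec[2]}

    def logout(self, tgt):
        """Destroying the TGT invalidates every PGT and PT descended from it."""
        self.tgts.pop(tgt, None)


class BackEnd:
    """A CAS-protected service; with no allowed_proxies it refuses every proxied login."""

    def __init__(self, cas, url, allowed_proxies=()):
        self.cas, self.url, self.allowed = cas, url, set(allowed_proxies)

    def accept(self, ticket):
        v = self.cas.proxy_validate(ticket, self.url)
        if not v["ok"] or any(p not in self.allowed for p in v["proxies"]):
            return None
        return v["user"]


def run_portal_flow():
    """Portal logs a user in, proxies to a trusting and a non-trusting back end, logs out."""
    cas, out = CasServer(), {}
    portal, receptor = "https://portal.example.edu/", {}  # receptor: PGTIOU -> PGT
    receptor_url = portal + "CasProxyServlet"
    imap = BackEnd(cas, "imap://mail.example.edu/", allowed_proxies=[portal])
    lms = BackEnd(cas, "https://lms.example.edu/")  # default: no proxies allowed
    tgt, st = cas.login("sbramhall", "correct-horse", portal)  # browser -> CAS
    v = cas.service_validate(st, portal, pgt_url=receptor_url)  # portal -> CAS
    out["portal_user"] = v.get("user")
    out["st_replay_ok"] = cas.service_validate(st, portal)["ok"]  # ST is single use
    for url, iou, pgt in cas.callbacks:  # CAS -> receptor servlet
        if url == receptor_url:
            receptor[iou] = pgt
    pgt = receptor[v["pgtIou"]]  # what getProxyTicket(pgtIou, service) looks up
    out["imap_user"] = imap.accept(cas.proxy(pgt, imap.url))
    out["lms_user"] = lms.accept(cas.proxy(pgt, lms.url))
    pt_before_logout = cas.proxy(pgt, imap.url)
    cas.logout(tgt)
    out["imap_user_after_logout"] = imap.accept(pt_before_logout)
    return out
```

Two of the outcomes are the ones slide 23 calls out: the LMS, configured with no allowed proxies, refuses a valid PT whose proxy chain names the portal, and a PT minted before logout fails afterwards because its TGT is gone. The scheme check on pgtUrl mirrors the CAS protocol’s requirement that the receptor servlet from slide 21 be reachable over HTTPS: CAS posts the PGT itself there, and only the IOU comes back in the validation response.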

24 uPortal at Yale: a very brief demo

25 CAS at Yale
Used by systems in support of students and administrators
–Used occasionally by unprivileged students
Mostly Java and Perl; some ASP, PHP
Apache module used widely
Proxy authentication: incipient deployment
–PAM module to be used with email servers
–uPortal deployment using proxy to LMS and eMail

26 Finally
Some words from others about experience with CAS in uPortal
Questions?
URL for CAS distribution and uPortal provider: http://www.yale.edu/tp/cas/

