Presentation is loading. Please wait.

Presentation is loading. Please wait.

Open-source Single Sign-On with CAS (Central Authentication Service)

There are copies: 1
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Similar presentations


Presentation on theme: "Open-source Single Sign-On with CAS (Central Authentication Service)"— Presentation transcript:

1 Open-source Single Sign-On with CAS (Central Authentication Service)
it does work! CAS Cette présentation est le fruit du groupe de travail qui traite du Single Sign-On et des autorisations au sein du projet ESUP-Portail (ce groupe associe des développeurs des universités de Nancy 1, Nancy 2, Rennes 1, Toulouse 3 et Valenciennes). Le single Sign-On, dont on a déjà largement parlé au cours de ces JRES (présentation des ENT + Olivier Salaun), a été une des premières préoccupations du projet ESUP-Portail. Il y a environ un an, le projet a évalué les solutions de Single Sign-On existantes dans le monde libre. L’objectif de cette présentation est de vous faire comprendre ce qu’est CAS (comment il marche). Si nous y réussissons, vous comprendrez alors certainement pourquoi CAS a été choisi comme le SSO du projet ESUP-Portail. Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © – ESUP-Portail consortium

2 Open-source Single Sign-On with CAS
Why SSO? The main principles of web SSO The choice of CAS CAS (Central Authentication Service) How does it work? How to CAS-ify applications Web applications Non-web applications Limits The effort of the ESUP-Portail consortium around CAS Perspectives

3 Let’s fight generally accepted ideas!
“Facing the growing number of passwords, Single Sign-On increases the security policy of firms and users’ comfort.” Well, yes, but…

4 Let’s fight generally accepted ideas!
“SSO to federate authentication”

5 Let’s fight generally accepted ideas!
“SSO is a suite of tools that memorizes passwords for users and provide them to applications” No, not at all!

6 Let’s fight generally accepted ideas!
“SSO is generally deployed as a rest, after a centralized user directory and a unique entry point for the IS have been set up. SSO is then a modest project, easily developed in-house.” We must have missed something ;-)

7 Why Single Sign-On? Unique accounts but several authentications
Each time users access an application Security (password stealing) Protect password transmission Do not transmit passwords to applications Simplify applications Delegate developments without delegating authentication Abstract authentication LDAP, NIS, database, NT, Active Directory, X509 certificates, …

8 SSO: the user’s point of view
web browser app. #1 app. #2 app. #3 with SSO service service app. #1 app. #2 app. #3 web browser without SSO

9 SSO: principles on the web
Authentication is centralized One (redundant) authentication server Transparent HTTP redirections From applications to the authentication server (when not authenticated) From the authentication server to applications (when authenticated) Tokens propagate identities Cookies, CGI parameters

10 CAS: why did we choose it?
Security Password is never transmitted to applications Opaque tickets are used N-tier installations Without transmitting any password! Portability (client libraries) Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules Permanence Developed by Yale University World-wide used (mainly Universities) Adopted by all the French educational community J2EE platform Very light code (about 1000 lines) Open source Integrated into uPortal

11 CAS: why did we choose it?
user database user database service web browser app. #1 app. #2 app. #3 with CAS service app. #1 app. #2 app. #3 authentication server netId password netId password web browser without SSO

12 CAS: why did we choose it?
user database user database service service app. #1 app. #2 app. #3 app. #1 app. #2 app. #3 authentication server netId password netId password web browser web browser without SSO with CAS

13 User authentication CAS server HTTPS web browser

14 User authentication TGC: Ticket Granting Cookie
user database CAS server TGC netId password HTTPS TGC: Ticket Granting Cookie User’s passport to the CAS server Private and protected cookie (the only one used by CAS, optional) Opaque re-playable ticket web browser TGC

15 Accessing an application after authentication
ST: Service Ticket Browser’s passport to the CAS client (application) Opaque and non re-playable ticket Very limited validity (a few seconds) ID application CAS server ST ST TGC ST HTTPS web browser TGC

16 Accessing an application after authentication
ST: Service Ticket Browser’s passport to the CAS client (application) Opaque and non re-playable ticket Very limited validity (a few seconds) ID application CAS server ST ST TGC ST HTTPS Redirections are transparent to users web browser TGC

17 Accessing an application without authentication
CAS server Authentication form HTTPS web browser

18 Accessing an application without authentication
ID application CAS server ST ST ST TGC netId password HTTPS No need to be previously authenticated to access an application web browser TGC

19 Remarks Once a TGC acquired, authentication is transparent for the access to any CAS-ified application of the workspace Once authenticated by an application, a session should be used between the browser and the application

20 Authenticating users with CAS
CAS authentication left to administrators ESUP-Portail CAS Generic Handler Mixed authentication XML configuration LDAP directory database NIS domain X509 certificates Kerberos domain Windows NT domain flat files CAS server

21 Using the ESUP-Portail CAS GH
<authentication debug="on"> <handler> <classname> org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler </classname> <config> <filter>uid=%u,ou=people,dc=esup-portail,dc=org</filter> <server> <url>ldap://ldap.esup-portail.org</url> </server> </config> </handler> org.esupportail.cas.server.handlers.nis.NisHandler <domain>ESUP-PORTAIL</domain> <encryption>pammd5</encryption> <host>nismaster.esup-portail.org</host> <host>nisslave.esup-portail.org</host> </authentication>

22 CAS-ifying a web application
Use provided libraries Add a few lines of code Note: you can also protect static resources With mod_cas, an Apache module

23 CAS-ifying a web application
An example using phpCAS (ESUP-Portail) <?php // include phpCAS library include_once('CAS/CAS.php'); // declare our script as a CAS client phpCAS::client(CAS_VERSION_2_0,'auth.univ.fr',443,''); // redirect to the CAS server if needed phpCAS::authenticateIfNeeded(); // at this point, the user is authenticated ?> <h1>Successfull Authentication!</h1> <p>User's login: <?php echo phpCAS::getUser(); ?>.</p>

24 N-tier installations PGT: Proxy Granting Ticket
service CAS server ID PGT ST PGT application (CAS proxy) ST PGT: Proxy Granting Ticket Application’s passport for a user to the CAS server Opaque and re-playable ticket web browser TGC

25 N-tier installations PT : Proxy Ticket PGT: Proxy Granting Ticket
service ID PT PT PT : Proxy Ticket Application’s passport for a user to a tier service Opaque and non re-playable ticket Very limited validity CAS server PT PGT PGT application (CAS proxy) ST PGT: Proxy Granting Ticket Application’s passport for a user to the CAS server Opaque and re-playable ticket web browser TGC

26 CAS-ifying a non web application
One of the strongest points of CAS Use the pam_cas PAM module Example of PAM configuration: auth sufficient /lib/security/pam_ldap.so auth sufficient /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_cas.so

27 The pam_cas PAM module Pam_cas authenticates users with a CAS ticket
login/password login/ticket client application client application server application login/password pam_ldap login/password pam_pwdb LDAP directory pam_cas ticket /etc/passwd CAS server Pam_cas authenticates users with a CAS ticket

28 CAS-ifying an IMAP server
Objectives Access an IMAP server from a web application that does not know the password of the user connected Let traditional mail clients authenticate “normally” (with a password) Do not modify the IMAP server The solution: pam_cas :-)

29 CAS-ifying an IMAP server
web browser traditional mail client login / password ST login / PT CAS-ified webmail (CAS proxy) IMAP server login / password pam_ldap login / password pam_pwdb LDAP directory pam_cas PT /etc/passwd CAS server

30 CAS-ifying Cyrus IMAPd
traditional mail client login / password login / PT CAS-ified webmail (CAS proxy) ST web browser Cyrus imapd sasl pam_ldap login / password pam_pwdb PT pam_cas LDAP directory /etc/passwd CAS server

31 CAS-ifying Cyrus IMAPd
traditional mail client login / password login / PT CAS-ified webmail (CAS proxy) ST web browser Cyrus imapd Unix socket Cyrus IMAP daemon sasl_authd daemon Cache efficiency: 95% sasl sasl_authd cache pam_ldap login / password pam_pwdb PT pam_cas LDAP directory /etc/passwd CAS server

32 Limits CAS deals with authentication, not authorization No redundancy
No native load-balancing (but low load) No fault-tolerance (but very good reliability) No Single Sign-Off A very poor documentation

33 The effort of the ESUP-Portail consortium
Writing documentation Adding libraries (phpCAS, esup-mod_cas, esup-pam_cas) Adding features to the CAS server Authentication handlers (LDAP, NIS, files, databases, NT domains, …) Mixed authentication Authentication debug mode Rendering customization (appearance, internationalization) CAS quick start (Jakarta Tomcat + Yale CAS server + CAS GH) Supporting the French CAS community Through forums and mailing lists

34 Now, what to do first (requirements)?
Data organization The Information System should be well-formed Small technical problems, big political issues Data storage A standard way to store users (an Excel sheet is no standard ;-) Competences Web technologies PKI (CRU) Voluntary policy Is security a real concern?

35 So, what next? Add new authentication modes
Make establishments cooperate Propagate user attributes (namely or anonymously) Shibboleth, Liberty Alliance CAS is now a JASIG project Share your experience!

36 Note this! CRU is starting a circle of trust (federation project) among the French educational community Comité Réseau des Universités (http://www.cru.fr) Authenticate at university level Authorize at resource level by relying on propagated attributes Many questions, a few answers only at this time Compare Shibboleth and Liberty Alliance Test existing solutions Study if CAS can be used with Shibboleth, and how Can LASSO implement a WAYF service? Would LASSO replace CAS? A goal Show how it is possible for establishments to cooperate securely

37 Enjoy CAS!


Download ppt "Open-source Single Sign-On with CAS (Central Authentication Service)"

Similar presentations


Ads by Google