UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.

Presentation transcript:

uPortal Authentication Options: Design and Application
Shawn Bayern
Research programmer, Yale University
Author, Web Development with JavaServer Pages
JSTL implementation lead (JCP, Apache)

Portal authentication
- Portals need to authenticate users
  - To provide customized content
  - To restrict portal-accessible resources
- Portals also need access to third-party resources “as the user”
  - “n-tier” authentication
  - Single sign-on

Aggregating content → Aggregating authentication (diagram: “Before” and “After” panels)

N-tier authentication (diagram: the portal between the user and back-end resources)

uPortal and authentication
Three key questions to answer today:
1. How does uPortal authenticate users? Will its support work at your school?
2. What does a sample single sign-on system look like?
3. How can uPortal interface with campus-wide single sign-on?

Question 1: How does uPortal authenticate users in the first place?

uPortal’s pluggable security-context mechanism
Authentication support in uPortal is manifested through three key interfaces:
- ISecurityContext: an instance of an authentication system (“engine”)
- IPrincipal: the context-specific user
- IOpaqueCredentials: the context-specific credential (e.g., a password), kept safe

ISecurityContext
Interface representing a single-use authentication engine. Key function:
- Accept an IPrincipal
- Accept IOpaqueCredentials
- Authenticate the user
- Return true/false (and optionally more)

uPortal’s authentication infrastructure: advantages
Flexibility
- Adapts to nearly any back-end campus authentication solution, e.g.:
  - Kerberos (4, 5)
  - LDAP “authentication”
  - Unix password file (small-scale)
  - Server-based authentication (“trust”)
- Supports “chaining” providers to establish more than one context.

uPortal’s authentication infrastructure: disadvantages
Limitations
- Provides a unified authentication “gate,” but no extra portal-specific functionality.
- No single sign-on.
- Just a model; does little work itself.
But… it can be wrenched to cache passwords:
  NotSoOpaqueCredentials (an IOpaqueCredentials): String getCredentials();
  (Not particularly secure.)

Password caching: drawbacks
If storing passwords can accomplish single sign-on, why not do so?
1. The uPortal instance/server must be trusted
   - to accept the password
   - to store it securely
2. All network links must be secured.
3. Each individual channel must be trusted.
4. All web applications must be trusted.
5. The password confers access “forever.”
Overall, the user loses control of authentication granularity.

Password caching (diagram: Portal → Channel → three password-protected services, with the password “PW” copied along every hop)

Question 2: Given the drawbacks of caching and re-using passwords, what’s a better approach? How can a true “single sign-on” system work on the web?

Web-based single sign-on
- Why is this problem different from existing single sign-on systems? Limited client support.
- Yale’s model is called CAS (Central Authentication Service).
  - Model based (loosely) on Kerberos.
  - “100% Pure Java”
  - Pluggable back-end
  - Available through the JA-SIG Clearinghouse
- Other models: Liberty, Pubcookie (Washington), MACE WebISO, Passport

CAS in a nutshell (diagram: Browser, Web application, CAS)
- The browser authenticates to CAS via password (once).
- The browser authenticates to the web application without sending the password.
- CAS determines the validity of the user’s claimed authentication.

How CAS actually works (diagram: Web browser, CAS, Web resource; arrows labelled S, C, ST, ST)

Side benefits of CAS
- Users can be asked to avoid supplying their password except to the trusted site:
  - Expected URL
  - Known “look and feel”
  - Authentic peer certificate (if anyone cares)

CAS characteristics
- Requires no service pre-registration
  - Services are not privileged; they may only compromise themselves.
- Supports but does not require cookies
- Uses but does not require JavaScript
- Usable by multiple languages and systems (Java, C, JSP tags, ASP, Perl)
- Free and open-source
- Implemented using Java servlets
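To make the flow in the preceding slides concrete, here is an added, constructed Python model of the CAS exchange (not Yale’s CAS or uPortal code); the class and function names, ticket prefixes and example URLs are this example’s own assumptions. It shows the password going only to CAS, a second service being reached with no password at all, and a service ticket being refused when replayed or presented to a service other than the one it was issued for.

```python
import hmac
import secrets

# Constructed in-memory model of the CAS exchange in the slides; not Yale's CAS code.
class CASServer:
    def __init__(self, accounts):
        self._accounts = accounts   # username -> password (constructed test data)
        self._tgts = {}             # ticket-granting cookie -> username
        self._sts = {}              # service ticket -> (username, bound service URL)

    def login(self, username, password):
        # The browser sends the password once, to CAS only, and gets a TGT cookie.
        expected = self._accounts.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        tgt = "TGC-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt

    def request_service_ticket(self, tgt, service_url):
        # A browser holding a valid TGT gets a service ticket bound to one URL.
        username = self._tgts.get(tgt)
        if username is None:
            return None             # no session: CAS would show its login page
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (username, service_url)
        return st

    def validate(self, st, service_url):
        # Service-side callback: the ticket is consumed (single use) and URL-bound.
        entry = self._sts.pop(st, None)
        if entry is None:
            return None             # unknown ticket, or a replay of a used one
        username, bound_url = entry
        return username if bound_url == service_url else None

def service_access(cas, service_url, st):
    # What a CAS-ified service does on arrival: it handles tickets, never passwords.
    user = cas.validate(st, service_url)
    return f"hello {user}" if user else "login required"

def single_sign_on_demo():
    cas = CASServer({"flannery": "correct horse"})      # constructed account
    portal, library = "https://portal.example.edu/", "https://library.example.edu/"
    tgt = cas.login("flannery", "correct horse")       # password sent exactly once
    st1 = cas.request_service_ticket(tgt, portal)
    st2 = cas.request_service_ticket(tgt, library)     # second service, no password
    return (service_access(cas, portal, st1), service_access(cas, library, st2),
            service_access(cas, portal, st1),          # replayed ticket rejected
            service_access(cas, library, cas.request_service_ticket(tgt, portal)))
```

The last element of the returned tuple presents a ticket bound to the portal URL to the library service, which CAS rejects, so a compromised service cannot turn its own ticket into access elsewhere (the “services may only compromise themselves” point).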

CAS at Yale
- Used by systems in support of students and staff.
- Used occasionally by unprivileged students.
- Mostly Java and Perl. Some ASP.
- Apache module becoming widely used
  - C implementation of the CAS “client” within the Apache server
  - Server-wide authentication: AuthType CAS → REMOTE_USER

Characteristics of alternative systems
- Typically require pre-registration
  - The institution determines the security requirements of services.
- May handle more than just authentication
  - Session management
  - ACLs
  - Identification
  - Principal translation
- May be platform- or server-specific
  - Passport (Windows)
  - Pubcookie (Apache Server)
- May depend on particular institutional characteristics, e.g.:
  - Network topology
  - Service hosting on institutionally managed web servers

Question 3: What is uPortal’s role in a campus-wide single sign-on framework?

CAS and portals
Using CAS as an example of a campus-wide single sign-on service…
- How to use single sign-on within the portal?
  - Unlike many applications, a portal is not the source of all the information it vends.
  - The “n-tier” authentication problem
- How to avoid several “bad things”?
  - Password caching
  - Excessive trust of the portal
  - Modifying legacy systems
- Balancing objectives

Integration strategies
Option 1: insert the portal into the initial CAS login
- The portal receives the password, then redirects the user to CAS and coerces the browser to re-send the password.
- The user ends up with a CAS ticket. The portal ends up with a CAS ticket too.
- Password caching isn’t precluded, but it’s not necessary either.

Integration strategies (diagram, option 1: Portal → Channel → three “CAS-ified” services; CAS holds the TGT; the password goes to CAS)

Integration strategies (diagram, option 1: Web browser, CAS, Portal’s “CAS client” and Portal’s initial page; arrows labelled S, C, ST, ST)

Integration strategies
Option 2: CAS services can be made aware of uPortal
- Services simply use CAS, but acknowledge a URL “owned” by uPortal.
- Advantages: uPortal need not be trusted or especially secure.
- Drawbacks: services need to be modified and made portal-aware.
  - If you are already allowed to do this, you’re not facing difficult hurdles anyway!

Integration strategies (diagram, option 2: CAS; Service = Portal + Channel + modified “CAS-ified” service)
CAS sees a single “service.” However, this “service” consists of the portal (more specifically, a channel) and an outside CAS-ified service.

Integration strategies (diagram, option 2: Web browser, CAS, Portal, Back-end service; arrows labelled S, C, ST, ST, with an ST passed on to the back-end service)

Integration strategies
Option 3: use Kerberos 5 (or a similar “traditional” single sign-on system) for all network services
- CAS becomes a web-based “Kerberos user agent”
  - The user authenticates to the agent.
  - The agent manages tickets, proxying for the user.
- Drawback: requires substantial planning, effort and scope

Integration strategies (diagram, option 3: Web browser, CAS, three web resources and a non-web resource inside a K5 realm; arrow labelled C)

CAS future
- Support an application-driven “reauthentication” requirement
  - Instead of a more complex system of “security rings” or “application groups”

Summary
- uPortal has two uses for authentication:
  - Customizing its own presentation.
  - Accessing secure resources.
- Caching passwords is generally a security risk.
- Models like CAS let you avoid caching passwords.

URLs
- CAS distribution
  - JA-SIG Clearinghouse
  - Source distribution
- uPortal integration example (option 1)
- Design paper
- License information
- My address

Q&A
- Alternative single sign-on systems?
- CAS implementation questions?
- uPortal integration ideas?
- uPortal authentication subsystem questions?