Improving Web Application Security by Using JA-SIG CAS © Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission.

Presentation transcript:

Improving Web Application Security by Using JA-SIG CAS © Copyright Unicon, Inc., This work is the intellectual property of Unicon, Inc. Permission is granted for this material to be shared for non-commercial purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Unicon, Inc. To disseminate otherwise or to republish requires written permission from Unicon, Inc. Some slides drawn from prior presentations at JA-SIG conferences. Adam Rybicki Unicon, Inc. Arlington, Virginia, May 5, 2008 Scott Battaglia Rutgers University

Hi. I’m Adam. V.P. of Technology at Unicon, Inc. Previously CTO at Interactive Business Solutions, Inc. (IBS)

Hi. I’m Scott. Application Rutgers Committer to various open source projects

What is JA-SIG?
- Java Architectures Special Interest Group
- Founded in 1999 to foster collaboration among HE institutions and companies around Java applications for the enterprise
- Regular conferences
- Membership-funded
- Open source projects
  – uPortal: initially funded by the Andrew W. Mellon Foundation; named in 2003 in InfoWorld’s top 100 IT projects; 2007 Educause Catalyst award winner
  – CAS: initially developed in 1999 at Yale University; became a JA-SIG project in 2004

What is CAS? CAS is enterprise single-sign-on for the web.
- Free
- Open source
- Server implemented in Java
- Clients implemented in a plethora of languages

Some of the people involved as the project has evolved Shawn Bayern Susan Bramhall Marc-Antoine Garrigue Howard Gilbert Dmitriy Kopylenko Arnaud Lesueur Drew Mazurek Andrew Petro Jan Van der Velpen (Velpi)

Many CAS deployers: Appian Corporation; Athabasca University; Azusa Pacific University; BCcampus; California Polytechnic Institute; California State University, Chico; Campus Crusade for Christ; Case Western Reserve University; Columbia; Employers Direct; GET-INT; Hong Kong University of Science and Technology; Indiana; Karlstad University, Sweden; La Voz de Galicia, Spain; Memorial University of Newfoundland; Nagoya University; NHMCCD; Northern Arizona University; Plymouth State University (used with SunGardHE Luminis); Roskilde University; Rutgers, The State University of New Jersey; SunGard HE Luminis; Simon Fraser University (Vancouver, B.C.); Suffield Academy; Tollpost Globe AS

… and more: Universita degli Studi di Parma; Universite de Bourgogne, France; Universite de La Rochelle, France; Universite de Pau et des Pays de l'Adour, France; University of Nancy 1, France; Universite Nancy 2, France; Universite Pantheon Sorbonne; Universiteit van Amsterdam; University of Bristol, England; University of California Merced; University of California, Riverside; University of Crete, Greece; University of Delaware; University of Geneva; University of Hawaii; University of New Mexico; University of Rennes 1; University of Technology, Sydney; Uppsala University; Valtech; Virginia Tech; Yale University. And likely more not well-enumerated…

CAS and Commercial
- CAS is embedded in at least two commercial products
- CAS support is baked into at least one hardware platform (a wireless Internet vending appliance)
- Commercial entities use CAS as their SSO

Multi-sign-on for the Web

At least with one username/password? (diagram: each application checks the password against LDAP)

All applications touch passwords (diagram: LDAP)

Any compromise leaks primary credentials (diagram: LDAP)

Adversary then can run wild (diagram: LDAP)

What to do about this? What if there were only one login form, only one application trusted to touch primary credentials?

Delete your login forms.

CAS in a nutshell (diagram: browser, CAS, web application). The browser authenticates to CAS via password, once. The browser authenticates to the web application without sending the password. The web application asks CAS to determine the validity of the user’s claimed authentication.

How CAS works (diagram: web browser, CAS, web application; tokens shown: TGC, ST, NetID)

Webapps no longer touch passwords (diagram: CAS now sits between the web applications and LDAP)

Adversary compromises only single apps (diagram: CAS, LDAP)
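The flow these slides draw (one password login to CAS yielding a TGC, a single-use service ticket handed to the web application, and the application asking CAS to validate it) as an added, runnable sketch. This is not code from the deck or from the CAS project: CasServer is a constructed stand-in for the server's ticket registry, parse_service_response plays the web application's client side, and the NetID, service URLs and credential store are made up for the example; only the CAS 2.0 serviceValidate XML shape and namespace follow the real protocol.

```python
import secrets
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS 2.0 serviceValidate responses

class CasServer:  # constructed stand-in for the CAS server's ticket registry, not the project's code
    def __init__(self, passwords):
        self._passwords = passwords  # CAS is the only component that ever sees primary credentials
        self._tgts = {}              # TGT id (the value of the TGC cookie) -> NetID
        self._sts = {}               # ST id -> (NetID, service URL)

    def login(self, netid, password):
        # The one login form: the password is checked here, once, and the browser gets a TGC.
        if self._passwords.get(netid) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = netid
        return tgt

    def grant_service_ticket(self, tgc, service):
        # Browser returns with its TGC; CAS mints an ST bound to exactly one service.
        netid = self._tgts.get(tgc)
        if netid is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (netid, service)
        return st

    def service_validate(self, ticket, service):
        # /serviceValidate: consume the ticket and answer with CAS 2.0 XML.
        entry = self._sts.pop(ticket, None)  # pop(): a replayed ticket is already gone
        if entry is None or entry[1] != service:
            return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationFailure code='INVALID_TICKET'>"
                    f"Ticket {escape(ticket)} not recognized</cas:authenticationFailure></cas:serviceResponse>")
        return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationSuccess>"
                f"<cas:user>{escape(entry[0])}</cas:user></cas:authenticationSuccess></cas:serviceResponse>")

def parse_service_response(xml_text):  # web-application side: NetID on success, None on any failure
    user = ET.fromstring(xml_text).find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None

def demo(app="https://app.example.edu/", other="https://other.example.edu/"):
    cas = CasServer({"alice": "correct horse"})  # constructed credential store
    tgc = cas.login("alice", "correct horse")    # browser authenticates via password, once
    st = cas.grant_service_ticket(tgc, app)
    first = parse_service_response(cas.service_validate(st, app))   # "alice"
    replay = parse_service_response(cas.service_validate(st, app))  # None: an ST is single-use
    wrong = parse_service_response(cas.service_validate(cas.grant_service_ticket(tgc, app), other))
    return first, replay, wrong  # ('alice', None, None)
```

The web application never handles the password; the only things it ever sees are the ST it receives and the NetID CAS returns, which is exactly why a compromise of one application no longer leaks primary credentials.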

What about portals? Need to go get interesting content from different systems.

Password replay (diagram: the portal and its channels replay the user’s password, PW, to each password-protected service)

Look ma, no password! Without a password to replay, how am I going to authenticate my portal to other applications?

CAS 2.0: Proxy CAS (diagram: web browser, CAS, web application; TGC, ST, NetID; the web application supplies a PGTURL and runs an https listener to which CAS delivers the PGT and PGTIOU)

CAS 2.0: Proxy CAS (diagram: web browser, CAS, web application, back-end application; the web application uses its PGT to obtain a PT from CAS and presents it to the back-end application, which validates it and receives the NetID and the data)

Proxiable credentials illustrated (diagram: IMP, CAS, IMAP server with a CAS PAM module; ST, PGT, PT; the PT conveys the username and the identity of the web resource)

Provided authentication handlers
- LDAP
  – Fast bind
  – Search and bind
- Active Directory
  – LDAP
  – Kerberos (JAAS)
- JAAS
- JDBC
- RADIUS
- SPNEGO
- Trusted
- X.509 certificates
- Writing a custom authentication handler is easy

Today CAS is not only for authentication
- Return attributes of logged on users
- Adding support for standards
  – OpenID
  – SAML
- Single Sign-Out
- Support for clustering
  – Implements distributed ticket registry
  – Requires session replication
  – Must guarantee cross-server ticket uniqueness
- Services management (white listing)
- Remember me

Short Term Goals
- RESTful API
- Service Registration Page
- Service Priority
- InfoCard Support
- LDAP implementation of Service Registry
- Auditing, Logging etc.
- More Internationalization
- Bug Fixes, etc.!

Long Term Goals
- Re-architecture to support emerging use cases
  – Account Management integration
  – Password Expiration Policies/Password Change Integration
  – SAML, OAuth, OpenID2, etc.
  – Levels of Assurance / Multifactor authentication / second-level
- Better online/realtime administration
  – Installer/configurer
  – Information about CAS server (open SSO sessions, etc.)
- Hardening/Anti-phishing

Questions? Adam Rybicki, Unicon, Inc.; Scott Battaglia, Rutgers University (eas.rutgers.edu)