Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Slides:



Advertisements
Similar presentations
Distributed Access Control System
Advertisements

Data storage and CMS Raymond Bourges – University of Rennes 1 (coordination) Pascal Aubry – University of Rennes 1 (specification) Thomas Bellembois –
Open-source Single Sign-On with CAS (Central Authentication Service)
Copyright © 2006 ESUP-Portail consortium The ESUP-Portail project (in a few words) Pascal Aubry Consortium ESUP-Portail / University.
ESUP-Portail: a pure WebDAV-based Network attached Storage Pierre Gambarotto Pascal Aubry.
EIONET Training Beginners Zope Course Miruna Bădescu Finsiel Romania Copenhagen, 27 October 2003.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Central Authentication Service Roadmap JA-SIG Winter 2004.
METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
MyProxy: A Multi-Purpose Grid Authentication Service
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
Teamcenter™ Security Services SSO
Introduction To Windows NT ® Server And Internet Information Server.
Apache Jakarta Tomcat Suh, Junho. Road Map Tomcat Overview Tomcat Overview History History What is Tomcat? What is Tomcat? Servlet Container.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Session 11: Security with ASP.NET
Lecture – Single Login NIS and Winbind. NIS Network Information Service (NIS) is the traditional directory service on UNIX platforms Still widely used.
The Central Authentication Service (CAS) Shawn Bayern Research programmer, Yale University Author, JSTL in Action, Web Development with JavaServer Pages.
Central Authentication Service
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
1 Web Server Administration Chapter 1 The Basics of Server and Web Server Administration.
Module 9: Active Directory Domain Services. Overview Describe new features in AD DS List manageability and reliability enhancements in AD DS.
jpasswd A common password change client for Unix and NT Marty Wise Jefferson Lab October, 2000.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.
ArcGIS Server and Portal for ArcGIS An Introduction to Security
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
Using AS 10g with EBS What are the Benefits of Integrating AS 10g with Oracle Applications?
September 18, 2002 Windows 2000 Server Active Directory By Jerry Haggard.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
SQL Server Security By Mattias Lind For PASS Security VC.
Web Authentication at Iowa Ed Hill Software Developer The University of Iowa.
authenticated networked guided environment for learning - secure integration of learning environments with digital libraries - Current.
CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.
A Community of Learning SUNGARD SUMMIT 2007 | sungardsummit.com 1 Extending SSO – CAS in Luminis Presented by: Zachary Tirrell Plymouth State University.
Module 11: Securing a Microsoft ASP.NET Web Application.
Module 6: Managing Client Access. Overview Implementing Client Access Servers Implementing Client Access Features Implementing Outlook Web Access Introduction.
Apache Web Server Quick and Dirty for AfNOG 2015 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.
The HTTP is a standard that all Web browsers and Web servers must speak in order for the Web portion of the Internet to work.
UMBC’s WebAuth Robert Banz – UMBC
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Satisfy Your Technical Curiosity 27, 28 & 29 March 2007 International Convention Center (ICC) Ghent, Belgium.
February, TRANSCEND SHIRO-CAS INTEGRATION ANALYSIS.
Larry Mead TSP - Platform Modernization Microsoft Corporation SESSION CODE: WSV318 John Kelbley Sr. Technical Product Mgr. Microsoft Corporation.
Introducing the Central Authentication Service (CAS) Shawn Bayern Research programmer, ITS Technology & Planning Author, Web Development with JavaServer.
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006.
Office of Information Technology GT Identity and Access Management JA-SIG CAS project (introducing login.gatech.edu) April 29th,
Secured Services Best Practices on ArcGIS for Server Patrick Jackson & Thomas Noble.
Secure Connected Infrastructure
Fortinet NSE8 Exam Do You Want To Pass In First Attempt.
CAS and Web Single Sign-on at UConn
Data and Applications Security Developments and Directions
Welcome to the 20th Anniversary of the IUG
Radius, LDAP, Radius used in Authenticating Users
Common Security Mistakes
Security in Web Applications
uPortal Security and CAS
Central Authentication Service
Presentation transcript:

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium

Open-source Single Sign-On with CAS Single Sign-On –Why SSO? –The main principles of web SSO –The choice of CAS CAS (Central Authentication Service) –How does it work? –How to CAS-ify applications Web applications Non-web applications Limits The effort of the ESUP-Portail consortium around CAS

Why Single Sign-On? Unique accounts but several authentications –Each time users access an application Security (password stealing) –Protect password transmission –Do not transmit passwords to applications Simplify applications Delegate developments without delegating authentication Abstract authentication –LDAP, NIS, database, NT, Active Directory, X509 certificates, …

SSO: the users point of view web browser app. #1app. #2app. #3 without SSO service web browser app. #1app. #2app. #3 with SSO service

SSO: principles on the web Authentication is centralized –One (redundant) authentication server Transparent HTTP redirections –From applications to the authentication server (when not authenticated) –From the authentication server to applications (when authenticated) Tokens propagate identities –Cookies, CGI parameters

CAS: why did we choose it? Security –Password is never transmitted to applications –Opaque tickets are used N-tier installations –Without transmitting any password! Portability (client libraries) –Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules Permanence –Developed by Yale University –World-wide used (mainly Universities) –Adopted by all the French educational community J2EE platform –Very light code (about 1000 lines) Open source Integrated into uPortal

web browser app. #1app. #2app. #3 with CAS service CAS: why did we choose it? web browser app. #1app. #2app. #3 authentication server without SSO user database service netId password

web browser app. #1app. #2app. #3 with CAS service CAS: why did we choose it? web browser app. #1app. #2app. #3 authentication server without SSO user database service netId password

User authentication CAS server HTTPS web browser

User authentication TGC: Ticket Granting Cookie –Users passport to the CAS server –Private and protected cookie (the only one used by CAS, optional) –Opaque re-playable ticket CAS server netId password HTTPS user database web browser TGC

Accessing an application after authentication web browser CAS server TGC HTTPS application TGC ST ST: Service Ticket –Browsers passport to the CAS client (application) –Opaque and non re-playable ticket –Very limited validity (a few seconds) ID

Accessing an application after authentication CAS server HTTPS TGC ST ID web browser TGC Redirections are transparent to users application ST: Service Ticket –Browsers passport to the CAS client (application) –Opaque and non re-playable ticket –Very limited validity (a few seconds)

Accessing an application without authentication web browser CAS server HTTPS Authentication form application

Accessing an application without authentication web browser CAS server TGC HTTPS ST ID netId password ST TGC No need to be previously authenticated to access an application application

Remarks Once a TGC acquired, authentication is transparent for the access to any CAS-ified application of the workspace Once authenticated by an application, a session should be used between the browser and the application

Authenticating users with CAS CAS authentication left to administrators ESUP-Portail CAS Generic Handler –Mixed authentication –XML configuration LDAP directory databaseNIS domain X509 certificates Kerberos domain Windows NT domain flat files CAS server

Using the ESUP-Portail CAS GH org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler uid=%u,ou=people,dc=esup-portail,dc=org ldap://ldap.esup-portail.org org.esupportail.cas.server.handlers.nis.NisHandler ESUP-PORTAIL pammd5 nismaster.esup-portail.org nisslave.esup-portail.org

CAS-ifying a web application Use provided libraries Add a few lines of code Note: you can also protect static resources –With mod_cas, an Apache module

CAS-ifying a web application An example using phpCAS (ESUP-Portail) Successfull Authentication! User's login:.

N-tier installations PGT: Proxy Granting Ticket –Applications passport for a user to the CAS server –Opaque and re-playable ticket web browser CAS server TGC application (CAS proxy) ST service ID PGT

application (CAS proxy) N-tier installations web browser CAS server TGC ST service PGT PT ID PGT PGT: Proxy Granting Ticket –Applications passport for a user to the CAS server –Opaque and re-playable ticket PT : Proxy Ticket –Applications passport for a user to a tier service –Opaque and non re-playable ticket –Very limited validity PT

CAS-ifying a non web application One of the strongest points of CAS Use the pam_cas PAM module Example of PAM configuration: auth sufficient /lib/security/pam_ldap.so auth sufficient /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_cas.so

pam_cas The pam_cas PAM module Pam_cas authenticates users with a CAS ticket pam_pwdb client application pam_ldap LDAP directory login/password /etc/passwd login/password client application CAS server ticket server application login/ticket

CAS-ifying an IMAP server Objectives –Access an IMAP server from a web application that does not know the password of the user connected –Let traditional mail clients authenticate normally (with a password) –Do not modify the IMAP server The solution: pam_cas :-)

pam_cas CAS-ifying an IMAP server pam_pwdb traditional mail client pam_ldap LDAP directory login / password /etc/passwd login / password CAS-ified webmail (CAS proxy) login / PT CAS server PT web browser ST IMAP server

pam_cas pam_pwdb pam_ldap CAS-ifying Cyrus IMAPd traditional mail client LDAP directory login / password /etc/passwd CAS-ified webmail (CAS proxy) CAS server PT web browser ST sasl Cyrus imapd login / PT

pam_cas pam_pwdb pam_ldap sasl CAS-ifying Cyrus IMAPd traditional mail client Cyrus imapd LDAP directory login / password /etc/passwd CAS-ified webmail (CAS proxy) login / PT CAS server PT web browser ST sasl_authd cache Unix socket Cyrus IMAP daemon sasl_authd daemon Cache efficiency: 95%

Limits (and perspectives) CAS deals with authentication, not authorization –Mixing CAS and Shibboleth? No redundancy –No native load-balancing (but low load) –No fault-tolerance(but very good reliability) No Single Sign-Off A very poor documentation

The effort of the ESUP-Portail consortium Writing documentation Adding libraries (phpCAS, esup-mod_cas, esup-pam_cas) Adding features to the CAS server –Authentication handlers (LDAP, NIS, files, databases, NT domains, …) –Mixed authentication –Authentication debug mode –Rendering customization (appearance, internationalization) –CAS quick start (Jakarta Tomcat + Yale CAS server + CAS GH) Supporting the French CAS community –Through forums and mailing lists

Enjoy CAS!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.