1
Central Authentication Service Roadmap JA-SIG Winter 2004
2
A new CAS Presentation
What is CAS? (Enterprise Single Sign On)
What's new with CAS? (new CAS Java Client)
What's using CAS? (Acegi)
Where is CAS going? (Roadmap)
Resources?
3
What is CAS?
Enterprise web single sign-on.
Your users authenticate to CAS.
Only CAS sees user passwords.
Your applications receive assurance of authentication from CAS.
4
CAS as Trusted Intermediary
CAS is the trusted intermediary between your users and your applications.
5
The Bad Old Days
6
Log in to each application separately: Application A, Application B, Application C, Application D, Application E, Application F.
7
Examples
We're going to walk through two examples demonstrating CAS's features.
8
Example: Network registration
"Welcome to Our University Network Registration. First, you need to log in:"
9
CAS Login
10
CAS redirects back to application
Places ticket=ABCDEFG123 on the request.
11
Application receives ticket
Validates the ticket with the CAS server, which answers (CAS 2.0 serviceValidate response; the slide shows the user element and the closing tag):
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
12
Okay, user is authenticated
Notice: the user didn't give her password to the application itself.
13
CAS Vocabulary
Ticket – a longish random String.
Ticket Granting Ticket / Ticket Granting Cookie – a CAS session identifier.
Service Ticket
Proxy Granting Ticket
Proxy Ticket
14
Example 2: uPortal & SSO
Great, we've authenticated. Now let's visit our uPortal:
15
CAS does not display a login page
Reads the secure cookie from the browser session.
Single sign on.
Redirects back to uPortal with the ticket.
16
uPortal validates the ticket
And requests a Proxy Granting Ticket.
17
Authenticated to uPortal
18
Proxying to get my mail
uPortal uses the PGT to get a PT for the mail XML service, then requests the mail XML service.
Mail XML service receives the PT, validates it, and gets a PGT of its own.
Mail XML service gets a PT for the IMAP server and presents it to the IMAP server.
IMAP server delegates to PAM_CAS to validate the PT.
19
The result
20
[Diagram: Recent Email Channel (uPortal) → Email Servlet (XML) → IMAP Server (IMAP session); CAS issues the PGT and PTs; NetID and ProxyIDs are returned on PT validation.]
21
What is CAS?
CAS is web SSO.
CAS is a concrete (Java Servlets) implementation.
CAS is a constellation of client libraries, including PAM, Apache modules, Java .jars, php, perl, …
22
What's new? CAS Java Client
Version 2.1.0
23
CASFilter
CAS Java Servlet Filter.
Renew and Gateway features.
Optionally sets the remoteUser.
Allows multiple authorized proxies.
24
CASReceipt
CASReceipt represents the results of CAS authentication.
Exposed in the session by CASFilter.
25
Filter Composition
Subsequent filters can examine the results of CAS authentication, e.g. ProxyChainScrutinizerFilter.
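The client-side steps from the network-registration walkthrough (redirect to CAS, ticket on the callback, validation against the CAS server, cas:serviceResponse parsing) and the proxy-chain check that CASFilter's "multiple authorized proxies" and ProxyChainScrutinizerFilter perform, written out as an added Python example. This is not code from the slides or from the CAS Java Client; the CAS server URL, service URLs and the three response documents are constructed for the example, and the response format is the CAS 2.0 protocol's (namespace http://www.yale.edu/tp/cas, authenticationSuccess/authenticationFailure, optional proxies list).

```python
"""Added example (not part of the original slides or of the CAS Java Client):
a minimal CAS 2.0 client-side flow -- build the login redirect, pull the
service ticket off the callback, build the validation URL, parse the
cas:serviceResponse XML and scrutinize the proxy chain against an allow-list."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"       # namespace of CAS 2.0 responses
CAS_BASE = "https://cas.example.edu/cas"    # assumed CAS server base URL (placeholder)


def login_url(service, renew=False, gateway=False):
    """URL an unauthenticated browser is sent to (what CASFilter redirects to)."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"      # force a fresh login, ignore the TGC
    if gateway:
        params["gateway"] = "true"    # don't prompt; return without a ticket if no SSO session
    return f"{CAS_BASE}/login?{urlencode(params)}"


def ticket_from_callback(url):
    """Extract the 'ticket' parameter CAS placed on the request when it redirected back."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("ticket", [None])[0]


def validate_url(service, ticket, proxy=False):
    """serviceValidate accepts STs only; proxyValidate also accepts PTs."""
    endpoint = "proxyValidate" if proxy else "serviceValidate"
    return f"{CAS_BASE}/{endpoint}?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validation_response(xml_text):
    """Return (user, proxies, error_code) from a cas:serviceResponse document."""
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is not None:
        user = ok.findtext(f"{{{CAS_NS}}}user")
        proxies = [p.text.strip() for p in ok.iterfind(f"{{{CAS_NS}}}proxies/{{{CAS_NS}}}proxy")]
        return user, proxies, None
    fail = root.find(f"{{{CAS_NS}}}authenticationFailure")
    code = fail.get("code") if fail is not None else "MALFORMED_RESPONSE"
    return None, [], code


def proxy_chain_allowed(proxies, authorized):
    """Accept the chain only if every proxy in it is authorized; an empty chain is a direct ST."""
    return all(p in authorized for p in proxies)


# --- constructed sample responses in CAS 2.0 format (not captured from a real server) ---
SUCCESS_DIRECT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>awp9</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SUCCESS_PROXIED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
    <cas:proxies><cas:proxy>https://portal.example.edu/casProxy</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    svc = "https://netreg.example.edu/register"     # assumed service URL
    print(login_url(svc, renew=True))
    t = ticket_from_callback(svc + "?ticket=ABCDEFG123")
    print(validate_url(svc, t))
    authorized = {"https://portal.example.edu/casProxy"}
    for doc in (SUCCESS_DIRECT, SUCCESS_PROXIED, FAILURE):
        user, proxies, err = parse_validation_response(doc)
        print(user, proxies, err, proxy_chain_allowed(proxies, authorized))
```

The point to take from the filter-composition slide is visible in the last loop: validation and authorization are separate decisions. A response can be a valid authenticationSuccess and still be rejected because the proxy chain contains a callback URL the application has not authorized.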
26
Commons logging
CAS Java Client 2.1.x uses Commons logging.
27
uPortal: YaleCASFilteredContext
Use CASValidateFilter to accomplish the actual ticket validation – YaleCASFilteredContext just consumes the CASReceipt.
28
The approach
CASFilter → Additional filtering → Your application
29
What's new: Acegi
30
Acegi is an authentication/authorization framework that works well with Spring.
It supports CAS for enterprise single sign on.
A layer of abstraction beyond the CAS Java Client.
31
Roadmap
Where is CAS going?
Formalization of the CAS protocol.
SAML as the language for CAS requests and responses.
Interface-rich, more pluggable server implementation.
32
Formalization of CAS protocol
Before CAS can be re-implemented, we need a formal specification of exactly what protocol it implemented the first time.
33
SAML
CAS 2.0 uses ad-hoc XML. This was simple and worked well.
CAS 3.0 will additionally support SAML. More complex, but more standards compliant.
CAS as the authentication piece in a Shibboleth installation.
34
Assertions
CAS SAML assertions of who logged in, how, and when.
Attribute assertions.
PGTs as attributes?
Details not yet fully defined.
35
Attribute assertions
Common use case: now that you've authenticated your user, you want some attributes.
The SAML language allows us to assert attributes other than the user name at ticket validation.
36
SSL callback and client certs
CAS uses an https: callback to authenticate the service.
Signed SAML requests provide us an alternative.
37
Interface-rich, more pluggable
Old model: you download CAS and then hack away at it to make it meet your needs.
New model: you plug in local changes at well-defined extension points.
38
Load Balancing CAS
Why not to do this.
Default: ticket store backed by an in-memory cache.
Possible: ticket store backed by an RDBMS.
Possible: ticket store backed by [pick your favorite cache implementation].
39
Whitelisting services
Why not to do this.
Possible: impose the whitelist at the ticket validation layer.
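The three server-side points on the "Interface-rich", "Load Balancing" and "Whitelisting services" slides (a ticket store behind an extension point, with the in-memory implementation as the default; "a longish random String" as the ticket; a service whitelist imposed at ticket validation) as an added Python example. This is not the CAS server's code or its extension-point API; the class names, the 60-second lifetime and the service URLs are assumptions made for the example, and the failure codes INVALID_TICKET and INVALID_SERVICE are the CAS 2.0 protocol's.

```python
"""Added example (not part of the original slides or of the CAS server):
a toy CAS-style service ticket registry with a pluggable store, unguessable
one-time tickets with a short lifetime, and a service whitelist enforced
at validation time."""
import secrets
import time
from abc import ABC, abstractmethod


class TicketStore(ABC):
    """Extension point: in-memory here; an RDBMS- or cache-backed store would
    implement the same two methods so the registry never changes."""

    @abstractmethod
    def put(self, ticket_id, record): ...

    @abstractmethod
    def pop(self, ticket_id):
        """Remove and return the record, so a ticket can only validate once."""


class InMemoryTicketStore(TicketStore):
    """The default the slide describes: a plain in-process cache."""

    def __init__(self):
        self._tickets = {}

    def put(self, ticket_id, record):
        self._tickets[ticket_id] = record

    def pop(self, ticket_id):
        return self._tickets.pop(ticket_id, None)


class TicketRegistry:
    def __init__(self, store, allowed_services=None, st_lifetime=60, clock=time.time):
        self.store = store
        self.allowed = allowed_services   # None means no whitelist is imposed
        self.st_lifetime = st_lifetime    # seconds a service ticket stays valid (assumed)
        self.clock = clock                # injectable for deterministic tests

    def service_allowed(self, service):
        return self.allowed is None or service in self.allowed

    def grant_service_ticket(self, user, service):
        # "a longish random String": 24 random bytes -> 32 URL-safe characters
        tid = "ST-" + secrets.token_urlsafe(24)
        self.store.put(tid, {"user": user, "service": service, "issued": self.clock()})
        return tid

    def validate_service_ticket(self, tid, service):
        """Return (user, None) on success or (None, failure_code) in CAS 2.0 terms."""
        rec = self.store.pop(tid)        # consumed on first use, whatever the outcome
        if rec is None:
            return None, "INVALID_TICKET"
        if not self.service_allowed(service):
            return None, "INVALID_SERVICE"   # whitelist imposed at the validation layer
        if rec["service"] != service:
            return None, "INVALID_SERVICE"   # ticket was issued for a different service
        if self.clock() - rec["issued"] > self.st_lifetime:
            return None, "INVALID_TICKET"    # expired
        return rec["user"], None


if __name__ == "__main__":
    svc = "https://netreg.example.edu/register"   # assumed service URL
    registry = TicketRegistry(InMemoryTicketStore(), allowed_services={svc})
    st = registry.grant_service_ticket("awp9", svc)
    print(st, registry.validate_service_ticket(st, svc))   # ('awp9', None)
    print(registry.validate_service_ticket(st, svc))       # (None, 'INVALID_TICKET'): already used
```

Because every validation goes through the store's pop(), swapping InMemoryTicketStore for an RDBMS-backed implementation is what makes a load-balanced CAS work: two nodes that each keep their own in-memory dictionary would reject each other's tickets, which is the problem the load-balancing slide is pointing at.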
40
Authentication itself
CAS PasswordHandlers.
CasGenericHandler – more ad-hoc XML configuration.
Instead, wire together using Spring.
41
Single Sign Out
Why not to do this.
But if we're going to do this, let's at least make it easier to maintain the local mod.
Or maybe an optional aspect of the protocol – standardize without requiring.
42
Extension points?
Others?
43
Rutgers and their fine work
44
Resources
New CAS documentation (Wiki).
Active mailing list.
The larger CAS community.
45
Contact information
http://www.yale.edu/its/tp/
andrew.petro@yale.edu
drew.mazurek@yale.edu
cas@tp.its.yale.edu