Presentation is loading. Please wait.

Presentation is loading. Please wait.

Approaches and challenges for a SSO enabled extranet using Jasig CAS Florian Holzschuher René Peinl10.09.2013.

Published byCameron Mossop Modified over 9 years ago

Similar presentations

Presentation on theme: "Approaches and challenges for a SSO enabled extranet using Jasig CAS Florian Holzschuher René Peinl10.09.2013."— Presentation transcript:

1 Approaches and challenges for a SSO enabled extranet using Jasig CAS Florian Holzschuher René Peinl10.09.2013

2 Research group “systems integration”2© Prof. Dr. René Peinl iisys - Institut für Informationssysteme Analytical Information Systems Jörg Scheidt Multimedia Information Systems Richard Göbel Information Management Thomas Schaller Systems Integration René Peinl Managing Director Claus Atzenbeck Research Application Mission: „The institute is a competence centre for the application of information systems in companies. It is the bridge between international research and development and actual application in companies.“

3 Research group “systems integration”3© Prof. Dr. René Peinl Agenda  Environment for Open Source SSO  SSO scenarios -Intranet, Extranet, Cloud  SSO protocols -Kerberos, SAML, OAuth, …  SSO solutions -Shibboleth, CAS, JOSSO, …  SSO experiences with CAS  Conclusion

4 Research group “systems integration”4© Prof. Dr. René Peinl Environment for Open Source SSO  Desktop -Windows still market leader with ~ 90% share  Mobile -Chrome for Android similar capabilities like Desktop Chrome  Server -Microsoft Active Directory is prevalent even in OSS environments  SSO for all Microsoft products out of the box (NTLM, Kerberos) -OSS server-side applications mostly only with LDAP -SSO solution for OSS applications is needed

5 Research group “systems integration”5© Prof. Dr. René Peinl SSO scenarios  Intranet -Everything under control, can be a homogenous landscape  Extranet -Reverse Proxy, two URLs, firewalls, less control over clients  Cloud SaaS, esp. hybrid cloud -Maybe without reverse proxy, instead load balancing, caching, geo replication -Upload of user accounts -SSO solution should be integrated with usage monitoring

6 Research group “systems integration”6© Prof. Dr. René Peinl SSO protocols  Windows environments -NTLM -Kerberos  Web Service environments -SAML -XACML  Web 2.0 environments -OpenID -OAuth -OpenID connect

7 Research group “systems integration”7© Prof. Dr. René Peinl Open Source SSO solutions  Shibboleth -Internet 2 consortium, federated scenarios, Web Services, SAML  Jasig CAS (Central Authentication Service) -Uses own SSO protocol, but supports standards as well  Atricore JOSSO -Java-based, but with.NET and PHP support, graphical SSO definition  Forgerock OpenAM -Successor of the Sun Identity Manager  WSO2 Identity Server -Plays nicely together with the remaining WSO2 infrastructure

8 Research group “systems integration”8© Prof. Dr. René Peinl Comparison of Open Source SSO Jasig CAS Atricore JOSSO WSO2 Id Server Forgerock Open AM Latest version3.5.2 (22.02.13) 2.3.0 (31.08.12) 4.1.0 (11.02.13) 10.1.0 (20.02.13) LicenseJasigs own open source license LGPLAPL v2CDDL 1.0 ProtocolsCAS, OAuth, OpenID, SAML, Kerberos SAML, NTLMOAuth, OpenID, XACML, SAML, … (18+), OAuth, SAML, Kerberos Authentication backends JAAS, LDAP, AD, Radius, JDBC, X.509, Negotiate (Kerberos) JAAS, LDAP JDBC, two factor auth with WiKID, X.509 LDAP, AD, JDBC, Cassandra LDAP, AD, two- factor auth with HOTP, Negotiate (Kerberos) RuntimesTomcat or other Servlet 2.4 container JBoss, Tomcat, Websphere, Geronimo, Jetty WSO2 Carbon server Tomcat, JBoss AgentsSpring, MS IIS, JEE, Apache 2.2, PHP, PAM Apache 2.2, PHP 4+, MS IIS, Liferay, Alfresco, phpBB, Spring, Coldfusion None foundApache 2.4, MS IIS, Sun Web Srv, JBoss, Glassfish, Tomcat, Web Logic Websphere,

9 Research group “systems integration”9© Prof. Dr. René Peinl Test scenario www.dein-weg-in-die-cloud.de

10 Research group “systems integration”10© Prof. Dr. René Peinl Experiences with CAS in an extranet  Single sign-on is working relatively well, single sign-out does not  AJP solves most reverse proxy problems, but not all. Especially AJAX calls cause trouble  Authentication on the reverse proxy instead of the application doesn't make a notable difference  Local administrative accounts have to be prepared for SSO  Fallback solution with an option to opt-out of SSO and use a manual local login would be desirable image source: www.empowernetwork.com/thorsband/basic-computer-troubleshooting-tips/

11 Research group “systems integration”11© Prof. Dr. René Peinl Experiences with CAS in an extranet #2  Inclusion of Apache Rave with Apache Shindig caused problems => CAS' ticket proxying feature could be a part of the solution again AJAX calls with problems  SSO is especially ill-suited for infrastructure services => Apache Solr could not be used to index contents due to session problems Image source: www.mostphotos.comwww.mostphotos.com

12 Research group “systems integration”12© Prof. Dr. René Peinl Conclusion  Many Open Source applications are not well prepared for SSO (even well known ones like Alfresco)  Besides SSO, you have to solve the identity management problem (synchronize user data between LDAP and application => IAM)  Single sign-out is hard to implement, did only work well with Spring framework  Complexity for SSO is rising from intranet, over extranet to (hybrid) cloud  Gartner denoted SSO and IAM a "must have" for enterprises of all size and industry already 10 years ago => with open source software it's sadly not reality today, the same applies to Cloud applications in general

13 Research group “systems integration”13© Prof. Dr. René Peinl Thanks for your attention I'm happy to answer your questions Have a look at our project site: www.dein-weg-in-die-cloud.de

Download ppt "Approaches and challenges for a SSO enabled extranet using Jasig CAS Florian Holzschuher René Peinl10.09.2013."

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
Teamcenter™ Security Services SSO

Teamcenter™ Security Services SSO
Confidential FullArmor Corp. 2015 Platform for SaaS and mobile apps to remotely access, migrate, and sync Active Directory resources with the cloud ADanywhere.

Confidential FullArmor Corp Platform for SaaS and mobile apps to remotely access, migrate, and sync Active Directory resources with the cloud ADanywhere.
IT can provide users with a common identity across on-premises or cloud- based services, leveraging Windows Server Active Directory and Azure Active.

IT can provide users with a common identity across on-premises or cloud- based services, leveraging Windows Server Active Directory and Azure Active.
Aegis Identity Software, Inc. presents Trends in Identity and Access Management in Higher Education to US Federations June 20, 2012 Janet Yarbrough – Director.

Aegis Identity Software, Inc. presents Trends in Identity and Access Management in Higher Education to US Federations June 20, 2012 Janet Yarbrough – Director.
BASIC NETWORK CONCEPTS (PART 6). Network Operating Systems NNow that you have a general idea of the network topologies, cable types, and network architectures,

BASIC NETWORK CONCEPTS (PART 6). Network Operating Systems NNow that you have a general idea of the network topologies, cable types, and network architectures,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The Cloud Identity Security Leader. © 2012 Ping Identity Corporation Nair the twain shall meet Enterprise Social Mobile.

The Cloud Identity Security Leader. © 2012 Ping Identity Corporation Nair the twain shall meet Enterprise Social Mobile.
Elia Windows 10 journey. TMD.Net Manager. Elia & Owner

Elia Windows 10 journey. TMD.Net Manager. Elia & Owner
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Identity Management: Past, Present, and Future Wait, the requirements have changed again.

Identity Management: Past, Present, and Future Wait, the requirements have changed again.
Using Novell iChain ® 2 to Deliver Internal Network Access without a VPN Brian Six Technical Account Manager Novell, Inc.

Using Novell iChain ® 2 to Deliver Internal Network Access without a VPN Brian Six Technical Account Manager Novell, Inc.

Similar presentations

Ads by Google