
1 uPortal and the Yale Central Authentication Service
Drew Mazurek, ITS Technology & Planning, Yale University
JA-SIG Summer Conference ‘04, Denver, CO, June 21, 2004

2 What’s coming up…
  - CAS overview
  - n-tier authentication problem
  - uPortal and CAS integration
  - CAS channel examples
  - Questions
  - Discussion

3 CAS in a nutshell (diagram with three parties: Browser, Web application, CAS; edge labels: "Authenticates without sending password", "Authenticates via password (once)", "Determines validity of user’s claimed authentication")

4 How CAS Works (diagram: Web browser, Web application, CAS; labels S, C, T, ST, NetID)

5 n-tier authentication problem (diagram: Portal, Channel)

6 n-tier authentication problem (diagram: Portal, Channel and three password-protected services, with PW arrows between every tier; label: Password caching)

7 n-tier authentication problem
  - uPortal can authenticate users securely with CAS
  - But it does not know about users’ primary credentials
  - This is a good thing, except uPortal can’t impersonate the user in order to acquire secure data for the user

8 CAS 2.0: Proxy CAS (diagram: Web browser, Web application with an https listener, CAS; labels S, C, ST, NetID, PGTURL, PGTIOU, PGT)

9 CAS 2.0: Proxy CAS (diagram: Web browser, Web application, CAS, Back-end application; labels S, PGT, PT, NetID, PGTURL, Data)

10 CAS Security Provider
  - Uses CAS for primary authentication
  - Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution
  - Exposes a public method to channels to get a proxy ticket for a particular service
  - Back-end systems must be configured to accept and validate proxy credentials from uPortal

11 uPortal with CAS Provider (diagram: CAS, CAS Security Context, Channel, CAS Ticket Receptor Servlet, Channel resource; labels T, PGTURL, PGT IOU, PGT, PT, getCasServiceToken, getProxyTicket(pgtIou,service); the PT carries "Username" and "Identity of proxy (portal)")
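The ticket exchange that slides 8 through 11 draw as arrows, written out end to end as an added example. This is not code from the presentation, from uPortal or from the CAS distribution: CasServer, ProxyTicketReceptor and portal_fetches_for_user are names chosen here, and the HTTPS endpoints (/login, /serviceValidate, the pgtUrl callback, /proxy, /proxyValidate) are modelled as in-memory method calls so the whole sequence runs offline. The callback URL matches the slides; the NetID and the back-end URL are constructed values.

```python
import secrets


class CasServer:
    """Constructed in-memory stand-in for a CAS 2.0 server (assumption: the real
    server exposes these operations over HTTPS; here they are method calls)."""

    def __init__(self):
        self.service_tickets = {}    # ST  -> (netid, service it was issued for)
        self.pgts = {}               # PGT -> (netid, chain of proxy callback URLs)
        self.proxy_tickets = {}      # PT  -> (netid, target service, proxy chain)
        self.pending_callbacks = []  # (pgtUrl, pgtIou, pgtId) not yet delivered

    def login(self, netid, service):
        """The browser gives CAS its password once; CAS issues an ST for one service."""
        st = "ST-" + secrets.token_hex(8)
        self.service_tickets[st] = (netid, service)
        return st

    def service_validate(self, ticket, service, pgt_url=None):
        """/serviceValidate: an ST is single use and bound to the asking service.
        With a pgtUrl, CAS mints a PGT, delivers (pgtIou, pgtId) to that https
        listener and puts only the PGTIOU in the validation response."""
        entry = self.service_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        netid = entry[0]
        pgt_iou = None
        if pgt_url is not None:
            pgt_iou = "PGTIOU-" + secrets.token_hex(8)
            pgt = "PGT-" + secrets.token_hex(8)
            self.pgts[pgt] = (netid, [pgt_url])
            self.pending_callbacks.append((pgt_url, pgt_iou, pgt))
        return {"user": netid, "pgtIou": pgt_iou}

    def proxy(self, pgt, target_service):
        """/proxy: the PGT holder (the portal) asks for a PT for a back-end service."""
        if pgt not in self.pgts:
            return None
        netid, chain = self.pgts[pgt]
        pt = "PT-" + secrets.token_hex(8)
        self.proxy_tickets[pt] = (netid, target_service, list(chain))
        return pt

    def proxy_validate(self, ticket, service):
        """/proxyValidate: the back end learns the NetID and who proxied for the user."""
        entry = self.proxy_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        netid, _, chain = entry
        return {"user": netid, "proxies": chain}


class ProxyTicketReceptor:
    """Plays the role of the ProxyTicketReceptor servlet: remembers PGTIOU -> PGT and
    gives channels a PT via get_proxy_ticket(pgtIou, service) without exposing the PGT."""

    def __init__(self, cas, pgt_url):
        self.cas = cas
        self.pgt_url = pgt_url
        self.iou_to_pgt = {}

    def drain_callbacks(self):
        """Models CAS calling this listener's https URL with pgtIou and pgtId."""
        remaining = []
        for url, iou, pgt in self.cas.pending_callbacks:
            if url == self.pgt_url:
                self.iou_to_pgt[iou] = pgt
            else:
                remaining.append((url, iou, pgt))
        self.cas.pending_callbacks = remaining

    def get_proxy_ticket(self, pgt_iou, service):
        pgt = self.iou_to_pgt.get(pgt_iou)
        if pgt is None:
            return None
        return self.cas.proxy(pgt, service)


def portal_fetches_for_user(cas, receptor, netid, portal_service, backend_service):
    """The full sequence: ST login, validation with pgtUrl, PGT callback, PT for the
    back end, back-end validation. Returns what the back end learns, or None."""
    st = cas.login(netid, portal_service)
    verdict = cas.service_validate(st, portal_service, pgt_url=receptor.pgt_url)
    receptor.drain_callbacks()  # CAS delivers the PGT to the https listener
    pt = receptor.get_proxy_ticket(verdict["pgtIou"], backend_service)
    return cas.proxy_validate(pt, backend_service)


if __name__ == "__main__":
    cas = CasServer()
    receptor = ProxyTicketReceptor(cas, "https://portal.yale.edu/CasProxyServlet")
    print(portal_fetches_for_user(cas, receptor, "netid123",
                                  "https://portal.yale.edu/", "https://backend.example/"))
```

The point the slides make about uPortal never holding the user's password shows up in the data flow: the portal only ever sees an ST, a PGTIOU, its own PGT and the PTs it mints, while the back end learns the NetID plus the identity of the proxy, which is what it must check before trusting the request.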

12 CAS, uPortal, and other applications at Yale
  - Simple service-ticket authentication
    - IMP webmail
    - Email Account Configuration Tool
  - Single-tier proxy-ticket authentication
    - Meeting Maker
  - Multi-tier proxy-ticket authentication
    - Recent Email Channel

13 IMP Webmail https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Dview_message%3F97552

14-17 IMP Webmail
  1. User clicks on link in Recent Email channel
  2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
  3. IMP stores destination URL/message as session variable, and redirects the browser to CAS

18-20 IMP Webmail
  4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message
  - But how is the user authenticated to the IMAP server?
  - IMP normally wants to replay cached primary credentials
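The redirect_cas.php round trip from slides 14 through 20, as an added example rather than IMP's own PHP: the channel link with its doubly percent-encoded url parameter, the first visit that parks the destination in the session and bounces the browser to CAS, and the return visit that validates the ticket before showing the message. The CAS login and IMP callback URLs are the ones on the slides; fake_validate, the ticket store and the destination check (accept only a relative path inside IMP, so the post-login redirect cannot be steered to another host) are assumptions of this example, not something the presentation states.

```python
from urllib.parse import parse_qs, urlencode

# Both URLs are taken from the slides; everything else in this block is constructed.
CAS_LOGIN = "https://secure.its.yale.edu/cas/login"
IMP_CALLBACK = "https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php"
IMP_BASE = IMP_CALLBACK.rsplit("/", 1)[0] + "/"

# Constructed ticket store standing in for IMP's serviceValidate call to CAS.
_CONSTRUCTED_TICKETS = {"ST-constructed-1": "netid123"}


def fake_validate(ticket, service):
    """Assumed validator: single use, and the service must be the one CAS saw at login."""
    if service != IMP_CALLBACK:
        return None
    return _CONSTRUCTED_TICKETS.pop(ticket, None)


def build_channel_link(destination):
    """The link the Recent Email channel emits. urlencode percent-encodes the nested
    '?' and '=' so they survive as part of the url parameter (compare slide 16)."""
    return IMP_CALLBACK + "?" + urlencode({"url": destination})


def safe_destination(raw):
    """Assumed check, not on the slides: only a relative path inside IMP is accepted."""
    if not raw or raw.startswith(("/", "\\", "..")) or "://" in raw or "\n" in raw:
        return None
    return raw


def handle_redirect_cas(query_string, session, validate=fake_validate):
    """redirect_cas.php as a state machine over the session dict.
    First visit (no ticket): store the destination, send the browser to CAS (step 3).
    Return visit (ticket=...): validate the ST, then show the stored message (step 4).
    Returns the Location the browser is sent to, or None when validation fails."""
    params = parse_qs(query_string)
    if "ticket" not in params:
        dest = safe_destination(params.get("url", [""])[0])
        session["destination"] = dest or "mailbox.php"
        return CAS_LOGIN + "?" + urlencode({"service": IMP_CALLBACK})
    netid = validate(params["ticket"][0], IMP_CALLBACK)
    if netid is None:
        return None
    session["netid"] = netid
    return IMP_BASE + session.pop("destination", "mailbox.php")
```

The service value sent to CAS and the one passed to the validator must be identical, because CAS binds the ticket to the service string it saw at login; that is why the callback URL is a constant here rather than rebuilt from the incoming request.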

21 IMP Webmail – CAS PAM module (diagram: IMP, CAS, IMAP server with CAS PAM module; labels ST, PGT, PT; the PAM module learns the NetID and IMP’s proxy callback URL (unique ID))

22 Email Account Configuration Tool
  - Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management
  - CASified one year ago

23-25 Email Account Configuration Tool
  - Linked in uPortal as: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main
  - Simple service ticket-only authentication
  - Takes advantage of single sign-on

26 Email Account Configuration Tool https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main

27 Email Account Configuration Tool

28 Meeting Maker

29 Meeting Maker
  - Meeting Maker, Inc. provides a Java API to access calendaring data
  - A Java servlet uses the API to retrieve data and provide an XML feed to the portal
  - The servlet doesn’t know about the user’s MM password – it uses a master MM server password to access the data

30 Meeting Maker (diagram: Meeting Maker Servlet, uPortal, Meeting Maker Server, CAS; labels XML, MM admin PW, PT, S, NetID, ProxyID, MM data, PGT)

31 Meeting Maker
  - Channel authentication performed through CAS Java Servlet filter (included in CAS client library)
  - uPortal’s CAS proxy callback URL configured in web application’s deployment descriptor:

    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
      <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
    </init-param>

32 Recent Email Channel

33 Recent Email Channel
  - Displays 10 most recent email messages
  - Multi-tier CAS proxy authentication
  - Same design as Meeting Maker
    - servlet pulls data from back-end source, returns as XML
  - Different authentication from MM
    - IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module

34-36 Recent Email Channel (diagram built up over three slides: Email Servlet, uPortal, IMAP Server, CAS; labels S, PGT, PGTURL, PGTIOU, PT, NetID, ProxyID / ProxyIDs, IMAP session, XML)

37 Recent Email Channel
  - Can’t use CAS filter because it must obtain proxy tickets to pass to IMAP
  - Uses the CAS ProxyTicketValidator for authentication (included with CAS client library)
    - getProxyTicket()
  - Current beta of CAS filter provides support for acquiring proxy tickets
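What a back end has to do with the proxy chain, for both the single-tier Meeting Maker servlet (slide 31, where the authorizedProxy init-param names https://portal.yale.edu/CasProxyServlet) and the two-tier Recent Email path (slides 33 to 37, where the IMAP side sees "ProxyIDs", plural). This is an added example, not the CAS client library's ProxyTicketValidator or filter: it parses a CAS 2.0 proxyValidate response and applies an authorized-proxy policy. The response XML below is constructed in the CAS 2.0 format (proxies listed most recent first); the email-servlet callback URL is a made-up value, and treating an empty chain as "not authorized" is this example's policy choice for a back end that is only ever reached through the portal.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample responses in the CAS 2.0 proxyValidate XML format. The proxy
# list is ordered most recent proxy first, so the back end sees the whole chain.
TWO_TIER_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid123</cas:user>
    <cas:proxies>
      <cas:proxy>https://email-servlet.example/CasProxyServlet</cas:proxy>
      <cas:proxy>https://portal.yale.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def tag(name):
    """Clark-notation tag name for an element in the CAS namespace."""
    return "{%s}%s" % (CAS_NS, name)


def parse_validation(xml_text):
    """Turn a serviceValidate/proxyValidate response into a dict. Failures keep the
    CAS error code; successes carry the NetID and the ordered proxy chain."""
    root = ET.fromstring(xml_text)
    ok = root.find(tag("authenticationSuccess"))
    if ok is None:
        failure = root.find(tag("authenticationFailure"))
        code = failure.get("code") if failure is not None else "UNKNOWN"
        return {"ok": False, "code": code}
    user = (ok.findtext(tag("user")) or "").strip()
    proxies = [(p.text or "").strip()
               for p in ok.iterfind(tag("proxies") + "/" + tag("proxy"))]
    return {"ok": True, "user": user, "proxies": proxies}


def chain_is_authorized(proxies, authorized, require_all_hops=True):
    """Policy modelled on the authorizedProxy init-param. With require_all_hops every
    hop must be listed, so a PT that reached a two-tier back end through an unlisted
    intermediary is refused; otherwise only the immediate proxy (first entry) counts.
    An empty chain (a plain ST, browser came directly) is rejected here by assumption."""
    if not proxies:
        return False
    hops = proxies if require_all_hops else proxies[:1]
    return all(hop in authorized for hop in hops)


def authenticate_proxy_ticket(xml_text, authorized, require_all_hops=True):
    """Returns the NetID when validation succeeded and the chain passes policy, else None."""
    parsed = parse_validation(xml_text)
    if not parsed["ok"]:
        return None
    if not chain_is_authorized(parsed["proxies"], authorized, require_all_hops):
        return None
    return parsed["user"]
```

Which setting to use follows from the deployment: the Meeting Maker servlet has a one-entry chain, so both settings behave the same, while the IMAP side of the Recent Email channel sees two hops and has to decide whether the portal alone being listed is enough or whether the intermediate servlet must be enumerated too.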

38 Summary
  - Simple CAS authentication
  - n-tier authentication problem
  - CAS’s solution: Proxy CAS
  - uPortal and CAS Security Provider

39 Summary
  - uPortal, CAS, and other applications
    - Simple service ticket authentication
      - IMP Webmail
      - Email Account Configuration Tool
    - Single-layer proxy ticket authentication
      - Meeting Maker
    - Multi-layer proxy ticket authentication
      - Recent Email Channel

40 Questions?

41 For more information
  - Drew Mazurek
  - CAS Web Site: http://www.yale.edu/tp/cas
  - CAS Mailing List: cas@tp.its.yale.edu, http://tp.its.yale.edu/mailman/listinfo/cas
  - This presentation: http://www.yale.edu/tp/cas/cas-jasig-2004.ppt, http://www.yale.edu/tp/cas/cas-jasig-2004.htm

