Presentation is loading. Please wait.

Presentation is loading. Please wait.

UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages."— Presentation transcript:

1 uPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages JSTL implementation lead (JCP, Apache)

2 Portal authentication Portals need to authenticate users To provide customized content To restrict portal-accessible resources Portals also need access to third-party resources “as the user” “n-tier” authentication Single sign-on

3 Aggregating content → Aggregating authentication BeforeAfter

4 N-tier authentication Portal

5 uPortal and authentication Three key questions to answer today: How does uPortal authenticate users? Will its support work at your school? What does a sample single sign-on system look like? How can uPortal interface with campus-wide single sign-on?

6 Question 1 How does uPortal authenticate users in the first place?

7 uPortal’s pluggable security- context mechanism Authentication support in uPortal manifested through three key interfaces: ISecurityContext Instance of authentication system (“engine”) IPrincipal Context-specific user IOpaqueCredentials Context-specific credential (e.g., password) Kept safe

8 ISecurityContext Interface representing single-use authentication engine. Key function: Accept IPrincipal Accept IOpaqueCredentials Authenticate user Return true/false (and optionally more)

9 uPortal’s authentication infrastructure: advantages Flexibility Adapts to nearly any back-end campus authentication solution – e.g., Kerberos (4, 5) LDAP “authentication” Unix password file (small-scale) Server-based authentication (“trust”) Supports “chaining” providers to establish more than one context.

10 uPortal’s authentication infrastructure: disadvantages Limitations Provides unified authentication “gate,” but no extra portal-specific functionality. No single sign-on. Just a model—does little work itself. But… can be wrenched to cache passwords: NotSoOpaqueCredentials String getCredentials(); (Not particularly secure) IOpaqueCredentials

11 Password caching: Drawbacks If storing passwords can accomplish single sign- on, why not do so? 1. uPortal instance/server must be trusted. To accept password To store it securely 2. All network links must be secured. 3. Each individual channel must be trusted. 4. All web applications must be trusted. 5. Password confers access “forever.” Overall, user loses control of authentication granularity.

12 Password caching Portal Channel Password- protected service Password- protected service Password- protected service PW PW PW PW PW PW PW PW PW PW PW

13 Question 2 Given the drawbacks of caching and re-using passwords, what’s a better approach? How can a true “single sign-on” system work on the web?

14 Web-based single sign-on Why is this problem different from existing single sign- on systems? Limited client support Yale’s model is called CAS (Central Authentication Service). Model based (loosely) on Kerberos. “100% Pure Java” Pluggable back-end Available through JA-SIG Clearinghouse Other models: Liberty, Pubcookie (Washington), MACE WebISO, Passport

15 CAS in a nutshell Browser Web application Authenticates without sending password Authenticates via password (once) Determines validity of user’s claimed authentication

16 How CAS actually works Web resource CAS Web browser S C ST ST

17 Side benefits of CAS Users can be asked to avoid supplying password except to trusted site. Expected URL Known “look and feel” Authentic peer certificate (if anyone cares)

18 CAS characteristics Requires no service pre-registration Services are not privileged; may only compromise themselves. Supports but does not require cookies Uses but does not require JavaScript Usable by multiple languages, systems (Java, C, JSP tags, ASP, Perl) Free and open-source Implemented using Java servlets

19 CAS at Yale Used by systems in support of students and staff. Used occasionally by unprivileged students. Mostly Java, Perl. Some ASP. Apache module becoming widely used C implementation of CAS “client” within Apache server Server-wide authentication AuthType CAS → REMOTE_USER

20 Characteristics of alternative systems Typically require pre-registration Institution determines security requirements of services. May handle more than just authentication Session management ACLs Identification Principal translation May be platform- or server-specific Passport (Windows) Pubcookie (Apache Server) May depend on particular institutional characteristics—e.g., Network topology Service hosting on institutionally managed web servers

21 Question 3 What is uPortal’s role in a campus-wide single sign-on framework?

22 CAS and portals Using CAS as an example of campus-wide single sign-on service… How to use single sign-on within portal? Unlike many applications, a portal is not the source of all the information it vends. “n-tier” authentication problem How to avoid several “bad things”? Password caching Excessive trust of portal Modifying legacy systems Balancing objectives

23 Integration strategies Option 1: insert portal into initial CAS login Portal receives password, then redirects the user to CAS and coerces the browser to re-send the password User ends up with CAS ticket. Portal ends up with CAS ticket too Password caching isn’t precluded, but it’s not necessary either.

24 Integration strategies Portal Channel “CAS-ified” service “CAS-ified” service “CAS-ified” service CAS TGT Password

25 Integration strategies Portal’s “CAS client” CAS Web browser S C ST ST Portal’s initial page

26 Integration strategies Option 2: CAS services can be made aware of uPortal Services simply use CAS, but acknowledge a URL “owned” by uPortal. Advantages: uPortal need not be trusted or especially secure. Drawbacks: services need to be modified and made portal-aware. If you are already allowed to do this, you’re not facing difficult hurdles anyway!

27 Integration strategies CAS Service Portal Channel Modified “CAS-ified” service CAS sees a single “service.” However, this “service” consists of the portal (more specifically, a channel), and an outside CAS-ified service.

28 Integration strategies PortalCAS Web browser S C ST ST Back-end service ST

29 Integration strategies Option 3: use Kerberos 5 (or similar “traditional” single sign-on system) for all network services CAS becomes web-based “Kerberos user agent” User authenticates to agent. Agent manages tickets, proxying for the user. Drawback: requires substantial planning, effort, scope

30 Integration strategies Web resource CAS Web browser C Web resource Web resource Non-web resource K5 realm

31 CAS future Support application-driven “reauthentication” requirement Instead of more complex system of “security rings” or “application groups”

32 Summary uPortal has two uses for authentication: Customizing its own presentation. Accessing secure resources Caching passwords is generally a security risk. Models like CAS let you avoid caching passwords.

33 URLs CAS distribution JA-SIG Clearinghouse http://www.yale.edu/tp/cas/ Source distribution uPortal integration example (option 1) Design paper License information My email address shawn.bayern@yale.edu

34 Q&A Alternative single sign-on systems? CAS implementation questions? uPortal integration ideas? uPortal authentication subsystem questions?

Download ppt "UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages."

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Architecture & Integration: CP v3.1. 3.x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)

Architecture & Integration: CP v x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
UPortal.Cornell Using uPortal to integrate disparate campus systems Jon Atherton, Cornell Information Technologies

UPortal.Cornell Using uPortal to integrate disparate campus systems Jon Atherton, Cornell Information Technologies
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.

UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
Teamcenter™ Security Services SSO

Teamcenter™ Security Services SSO
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Similar presentations

Ads by Google