CUWebAuth Technical Presentation Pete Bosanko Identity Management Team.


1 CUWebAuth Technical Presentation Pete Bosanko Identity Management Team

2 Introduction
- Apache and IIS Web servers
- Authentication using Cornell NetID
- Authorization

3 Introduction (cont.)
- Website Authentication
  - SideCar
  - WebAuth (CUWebLogin)
  - Proxy (uportal)
- Website Authorization
  - Permit Server
  - NetID
  - Valid User

4 Introduction (cont.)
- Apache
  - solaris, aix, linux, mac/os, freebsd, windows, yellowdog
  - Apache module
  - Integrated configuration and logging
- IIS
  - Windows 2000 & 2003
  - ISAPI Filter
  - Integrated configuration

5 Getting Started
- Download CUWebAuth: http://identity.cit.cornell.edu
- Read release notes & documentation
- Request a srvtab and register your server: http://identity.cit.cornell.edu
- Install CUWebAuth
- Basic CUWebAuth configuration
- Configure restricted pages

6 CUWebAuth System

7 CUWebAuth Access Stages
- Authentication
  - Verify site cookie
  - Try SideCar
  - Possibly redirect to cuweblogin.cit.cornell.edu
- Authorization
  - Check valid NetID
  - Possibly send message to Permit server to verify
- Allow or deny access to restricted resource

8 CUWebLogin
- User goes to protected URL
- CUWebAuth redirects to cuweblogin.cit.cornell.edu
- User logs in
- cuweblogin session cookie issued (cornell.edu, one time use)
- cuweblogin redirects to original URL
- CUWebAuth verifies cuweblogin cookie, destroys cookie
- CUWebAuth session cookie issued
- Web page access granted

9 How CUWebLogin works
[Diagram: Web Server - CUWebAuth; CUWebLogin - Server]

10 CUWebLogin Processes

11 CUWebAuth After Login
- User goes to protected URL
- CUWebAuth decrypts and verifies CUWebAuth cookie
- Web page access granted
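
The exchange on slides 8 and 11, as an added example that is not part of the presentation and not CUWebAuth code: a one-time-use login token is verified and destroyed by the site module, which then issues its own session cookie and checks it on later requests. Assumptions: the real system uses a srvtab and an encrypted cookie, while this model substitutes HMAC-SHA256 with constructed keys; the class names, the `|` field separator and the token layout are hypothetical.

```python
import hashlib, hmac, secrets, time

def _seal(key: bytes, body: str) -> str:
    """Append an HMAC-SHA256 tag so the receiver can detect tampering."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def _open(key: bytes, token: str):
    """Return the body fields if the tag is valid, else None."""
    body, _, tag = token.rpartition("|")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), good.encode())
    return body.split("|") if ok else None

class LoginServer:
    """Stand-in for the central login server (hypothetical model)."""
    def __init__(self, shared_key: bytes):
        self.key = shared_key
    def issue_login_token(self, netid: str, return_url: str) -> str:
        # A fresh nonce per login lets the verifier enforce one-time use.
        return _seal(self.key, f"{netid}|{return_url}|{secrets.token_hex(16)}")

class SiteModule:
    """Stand-in for the web-server module protecting one site."""
    def __init__(self, shared_key: bytes, site_key: bytes, ttl: int = 3600):
        self.shared_key, self.site_key, self.ttl = shared_key, site_key, ttl
        self.redeemed = set()  # nonces already exchanged for a session

    def redeem_login_token(self, token: str, requested_url: str, now=None):
        """Verify the login token once, retire it, and issue a site cookie."""
        fields = _open(self.shared_key, token)
        if fields is None or len(fields) != 3:
            return None  # forged, altered, or malformed (e.g. stray '|')
        netid, return_url, nonce = fields
        if return_url != requested_url or nonce in self.redeemed:
            return None  # issued for another URL, or a replayed token
        self.redeemed.add(nonce)
        expires = int(now if now is not None else time.time()) + self.ttl
        return _seal(self.site_key, f"{netid}|{expires}")

    def check_session(self, cookie: str, now=None):
        """Return the NetID for a valid, unexpired site cookie, else None."""
        fields = _open(self.site_key, cookie)
        if fields is None or len(fields) != 2:
            return None
        netid, expires = fields
        current = now if now is not None else time.time()
        return netid if current < int(expires) else None
```

`check_session` accepts the cookie from any client that presents it before expiry, which is the site cookie replay exposure slide 16 lists for non-SSL sites.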

12 Single Sign-On
- curelogin cookie (cuweblogin.cit.cornell.edu)
- User logs in once, keeps browser open
- Can move between sites without repeating log in

13 Single Sign-On

14 POST Data
- CUWebAuth uses hidden fields
- Click to Proceed page
- POST data carried via hidden fields @ cuweblogin.cit.cornell.edu
- Works best with SSL
- IIS Performance

15 CUWebAuth Major Issues
- SideCar vulnerabilities
- Helpdesk handles WebSite issues
- Closing browser = logout
- Stale ticket cache
- Multiple address registrations for clusters
- URL truncation issue
- Need self-service for srvtab and CUWebAuth registration

16 CUWebAuth Vulnerabilities
- Site Cookie Replay (non-SSL)
- Use of require valid-user
- SideCar issues
- Keeping up-to-date on CUWA releases
- srvtab file needs to have access restricted
- IIS: keep up on latest patches
- Website security best practices

17 Roadmap
- Moving toward open-source (ongoing)
- Interim Release 1.3.x? (Spring '06)
  - Support for Apache 2.2
  - Bug Fixes
  - Kerberos 5
- Release 1.4 (Summer '06)
  - K5 Only
  - Addresses major issues
- Grouper/Signet (Spring '07)

18 Help
- Web: http://identity.cit.cornell.edu
  - Get a srvtab
  - Download CUWebAuth
  - Lookup CUSSP error codes
  - Manage Permits
- E-mail: aadssupport@cornell.edu
  - Get help
  - Report a bug
  - Feature requests

19 CUWebAuth Questions / Comments

