Presentation is loading. Please wait.

Presentation is loading. Please wait.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Published byDaniel Kirkpatrick Modified over 10 years ago

Similar presentations

Presentation on theme: "Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium."— Presentation transcript:

1 Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium

2 Open-source Single Sign-On with CAS Single Sign-On –Why SSO? –The main principles of web SSO –The choice of CAS CAS (Central Authentication Service) –How does it work? –How to CAS-ify applications Web applications Non-web applications Limits The effort of the ESUP-Portail consortium around CAS

3 Why Single Sign-On? Unique accounts but several authentications –Each time users access an application Security (password stealing) –Protect password transmission –Do not transmit passwords to applications Simplify applications Delegate developments without delegating authentication Abstract authentication –LDAP, NIS, database, NT, Active Directory, X509 certificates, …

4 SSO: the users point of view web browser app. #1app. #2app. #3 without SSO service web browser app. #1app. #2app. #3 with SSO service

5 SSO: principles on the web Authentication is centralized –One (redundant) authentication server Transparent HTTP redirections –From applications to the authentication server (when not authenticated) –From the authentication server to applications (when authenticated) Tokens propagate identities –Cookies, CGI parameters

6 CAS: why did we choose it? Security –Password is never transmitted to applications –Opaque tickets are used N-tier installations –Without transmitting any password! Portability (client libraries) –Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules Permanence –Developed by Yale University –World-wide used (mainly Universities) –Adopted by all the French educational community J2EE platform –Very light code (about 1000 lines) Open source Integrated into uPortal

7 web browser app. #1app. #2app. #3 with CAS service CAS: why did we choose it? web browser app. #1app. #2app. #3 authentication server without SSO user database service netId password

8 web browser app. #1app. #2app. #3 with CAS service CAS: why did we choose it? web browser app. #1app. #2app. #3 authentication server without SSO user database service netId password

9 User authentication CAS server HTTPS web browser

10 User authentication TGC: Ticket Granting Cookie –Users passport to the CAS server –Private and protected cookie (the only one used by CAS, optional) –Opaque re-playable ticket CAS server netId password HTTPS user database web browser TGC

11 Accessing an application after authentication web browser CAS server TGC HTTPS application TGC ST ST: Service Ticket –Browsers passport to the CAS client (application) –Opaque and non re-playable ticket –Very limited validity (a few seconds) ID

12 Accessing an application after authentication CAS server HTTPS TGC ST ID web browser TGC Redirections are transparent to users application ST: Service Ticket –Browsers passport to the CAS client (application) –Opaque and non re-playable ticket –Very limited validity (a few seconds)

13 Accessing an application without authentication web browser CAS server HTTPS Authentication form application

14 Accessing an application without authentication web browser CAS server TGC HTTPS ST ID netId password ST TGC No need to be previously authenticated to access an application application

15 Remarks Once a TGC acquired, authentication is transparent for the access to any CAS-ified application of the workspace Once authenticated by an application, a session should be used between the browser and the application

16 Authenticating users with CAS CAS authentication left to administrators ESUP-Portail CAS Generic Handler –Mixed authentication –XML configuration LDAP directory databaseNIS domain X509 certificates Kerberos domain Windows NT domain flat files CAS server

17 Using the ESUP-Portail CAS GH org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler uid=%u,ou=people,dc=esup-portail,dc=org ldap://ldap.esup-portail.org org.esupportail.cas.server.handlers.nis.NisHandler ESUP-PORTAIL pammd5 nismaster.esup-portail.org nisslave.esup-portail.org

18 CAS-ifying a web application Use provided libraries Add a few lines of code Note: you can also protect static resources –With mod_cas, an Apache module

19 CAS-ifying a web application An example using phpCAS (ESUP-Portail) Successfull Authentication! User's login:.

20 N-tier installations PGT: Proxy Granting Ticket –Applications passport for a user to the CAS server –Opaque and re-playable ticket web browser CAS server TGC application (CAS proxy) ST service ID PGT

21 application (CAS proxy) N-tier installations web browser CAS server TGC ST service PGT PT ID PGT PGT: Proxy Granting Ticket –Applications passport for a user to the CAS server –Opaque and re-playable ticket PT : Proxy Ticket –Applications passport for a user to a tier service –Opaque and non re-playable ticket –Very limited validity PT

22 CAS-ifying a non web application One of the strongest points of CAS Use the pam_cas PAM module Example of PAM configuration: auth sufficient /lib/security/pam_ldap.so auth sufficient /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_cas.so

23 pam_cas The pam_cas PAM module Pam_cas authenticates users with a CAS ticket pam_pwdb client application pam_ldap LDAP directory login/password /etc/passwd login/password client application CAS server ticket server application login/ticket

24 CAS-ifying an IMAP server Objectives –Access an IMAP server from a web application that does not know the password of the user connected –Let traditional mail clients authenticate normally (with a password) –Do not modify the IMAP server The solution: pam_cas :-)

25 pam_cas CAS-ifying an IMAP server pam_pwdb traditional mail client pam_ldap LDAP directory login / password /etc/passwd login / password CAS-ified webmail (CAS proxy) login / PT CAS server PT web browser ST IMAP server

26 pam_cas pam_pwdb pam_ldap CAS-ifying Cyrus IMAPd traditional mail client LDAP directory login / password /etc/passwd CAS-ified webmail (CAS proxy) CAS server PT web browser ST sasl Cyrus imapd login / PT

27 pam_cas pam_pwdb pam_ldap sasl CAS-ifying Cyrus IMAPd traditional mail client Cyrus imapd LDAP directory login / password /etc/passwd CAS-ified webmail (CAS proxy) login / PT CAS server PT web browser ST sasl_authd cache Unix socket Cyrus IMAP daemon sasl_authd daemon Cache efficiency: 95%

28 Limits (and perspectives) CAS deals with authentication, not authorization –Mixing CAS and Shibboleth? No redundancy –No native load-balancing (but low load) –No fault-tolerance(but very good reliability) No Single Sign-Off A very poor documentation

29 The effort of the ESUP-Portail consortium Writing documentation Adding libraries (phpCAS, esup-mod_cas, esup-pam_cas) Adding features to the CAS server –Authentication handlers (LDAP, NIS, files, databases, NT domains, …) –Mixed authentication –Authentication debug mode –Rendering customization (appearance, internationalization) –CAS quick start (Jakarta Tomcat + Yale CAS server + CAS GH) Supporting the French CAS community –Through forums and mailing lists

30 Enjoy CAS!

Download ppt "Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium."

Similar presentations

Distributed Access Control System

Distributed Access Control System
Data storage and CMS Raymond Bourges – University of Rennes 1 (coordination) Pascal Aubry – University of Rennes 1 (specification) Thomas Bellembois –

Data storage and CMS Raymond Bourges – University of Rennes 1 (coordination) Pascal Aubry – University of Rennes 1 (specification) Thomas Bellembois –
Open-source Single Sign-On with CAS (Central Authentication Service)

Open-source Single Sign-On with CAS (Central Authentication Service)
Copyright © 2006 ESUP-Portail consortium The ESUP-Portail project (in a few words) Pascal Aubry Consortium ESUP-Portail / University.

Copyright © 2006 ESUP-Portail consortium The ESUP-Portail project (in a few words) Pascal Aubry Consortium ESUP-Portail / University.
ESUP-Portail: a pure WebDAV-based Network attached Storage Pierre Gambarotto Pascal Aubry.

ESUP-Portail: a pure WebDAV-based Network attached Storage Pierre Gambarotto Pascal Aubry.
EIONET Training Beginners Zope Course Miruna Bădescu Finsiel Romania Copenhagen, 27 October 2003.

EIONET Training Beginners Zope Course Miruna Bădescu Finsiel Romania Copenhagen, 27 October 2003.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.

Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.

UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
Teamcenter™ Security Services SSO

Teamcenter™ Security Services SSO
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Apache Jakarta Tomcat 20041058 Suh, Junho. Road Map Tomcat Overview Tomcat Overview History History What is Tomcat? What is Tomcat? Servlet Container.

Apache Jakarta Tomcat Suh, Junho. Road Map Tomcat Overview Tomcat Overview History History What is Tomcat? What is Tomcat? Servlet Container.

Similar presentations

Ads by Google