Presentation is loading. Please wait.

Presentation is loading. Please wait.

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

Published byAnis Hubbard Modified over 8 years ago

Similar presentations

Presentation on theme: "TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004."— Presentation transcript:

1 TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004

2 TNC2004 Rhodes 2 Yet another mailing list manager CRU (french higher education network technical team) Scalability (Kilo-Lists, Mega-Subscribers) Advanced features (subscriber preferred mail format, list document repository, …) Interfaces : mail robot, web and SOAP A full service web portal including administration at list and robot level Virtual hosting Internationalized (14 languages) Dynamic mailing list extracted from LDAP directories (or SQL servers)

3 TNC2004 Rhodes 3 Authentication methodInterface Sender confirmation challengemail Password (allocation by email)web LDAP authN backendweb SSO: CAS SSO: Shibboleth Web & SOAP Web User certificateMail: S/MIME Web: HTTPS

4 TNC2004 Rhodes 4 Multiple authentication methods We want Sympa opened to any users and at the same time to interface with user’s home authentication services when available : Support multiple authentication service at the same time. Choose the appropriate authentication server depending on the user email domain if possible

5 TNC2004 Rhodes 5 X509 user authentication Web : using mod_ssl environment variables inheritance. S/MIME signature : –Check if the sender and the signer are the same. –When mail subject is used for robot command, do not apply the s/mime authN method because headers are not part of the signature –use internally “openssl smime” command which does not check certificate status using CRL or OCSP Sympa also support S/MIME encryption message distribution (accept message encrypted using list certificate and encrypt message for each subscriber) http://www.sympa.org/documentation/article_smime/sympasmime.html

6 TNC2004 Rhodes 6 Central Authentication Service Yale university web Single Sign On Use cookie, redirections and a ticket that need to be validated against CAS server Support proxy credential : needed for Uportal Sympa’s channel. Not so easy to introduce into Sympa because CAS has not been designed to interoperate with any other authentication system.

7 TNC2004 Rhodes 7 CAS Client Sympa Redirection ticket=17429 Welcome smith@dom.ed u Who is he ? ticket=17429 ID=smith Search email for ID=smith Email : smith@dom.ed u LDAP redirection. Is that user authenticated ? Sympa interaction with one CAS server

8 TNC2004 Rhodes 8 CAS 1 CAS 2 Client Sympa non bloking redirection. Is that user authenticated ? no Non bloking redirection. Is that user authenticated ? yes ticket=17429 Welcome smith@dom.edu Who is he ? ticket=17429 ID=smith Interaction with multiple CAS servers

9 TNC2004 Rhodes 9 CAS 1 CAS 2 Client Sympa Welcome smith@dom.edu WAYF ? redirection. Is that user authenticated ? User : ? Password ? yes ticket=17429 Who is he ? ticket=17429 ID=smith Interaction with a chosen CAS server

10 TNC2004 Rhodes 10 What happens if one CAS server is out of order ? Any redirection is a dead end Choose by configuration for each CAS server if non blocking redirection is enabled Ping all CAS servers periodically to detect servers down (todo)

11 TNC2004 Rhodes 11 What about “CAS logout” ? Sympa stores the authentication method used in order to propose appropriate logout button Sympa erases its own session cookie and redirects the user to the CAS logout URL CAS has some insufficiencies about logout: there is no central logout service

12 TNC2004 Rhodes 12 link to use https basic password login with Sympa database backend or some ldap servers WAYF

13 TNC2004 Rhodes 13 X 509 Internal DB LDAP CAS Internal user attributes Shibboleth AuthZ scenario engine Authentication User attribute management Access control Authentication/Authorization

14 TNC2004 Rhodes 14 Managing access control in Sympa Separated from the authentication process (can also be applied to unauthenticated users) Configured for each list and each feature (subscribe, send, review,visibility…) Extensible behavior using authorization scenarios (distributed with a set of 100) Authorization is applied the same way on all 3 interfaces (mail, web, soap)

15 TNC2004 Rhodes 15 Authorization scenarios Sympa’s native ACL separated from the code A scenario is evaluated to provide (or not) access to a feature of Sympa –make the web interface highly adapted to the user’s profile (inaccessible features are not advertised) A scenario is made of ordered rules A rule is made of : –A condition –An authentication method –An action (decision) Condition can use LDAP user attributes

16 TNC2004 Rhodes 16 A sample authorization scenario for message distribution Expected behavior : –Private mailing list –Moderated for multipart messages –S/MIME (or HTTPS) authentication required for moderators is_editor([list->name],[sender]) md5,smime -> do_it ! is_subscriber([list->name],[sender]) smtp,md5,smime -> reject match([msg_header->Content-type],/multipart/) smtp,md5,smime -> editor true() smtp,md5,smime -> do_it Note that : Scenario evaluated line by line Scenario evaluation stops when a condition is matched md5 means : the sender’s email address has been verified with an md5 challenge

17 TNC2004 Rhodes 17 Shibboleth architecture Developped by Internet2 Glue between local Single Sign-on servers to provide inter-institutional sharing of web ressources Shibboleth architecture made of 3 components : –Origin : installed in the user home organisation ; front- end to the local authN system and attributes database –Target : installed in front of a web ressource to control its access ; communicates with origin components –WAYF (Where Are You From) : the central component shared by a group of organization ; guides users to the origin component at their home org.

18 TNC2004 Rhodes 18 Shibboleth and Sympa Usage / Prerequisites Usage : –Building inter-institutional mailing lists with a strict definition of the targeted population Prerequisites for each institutions: –Local SSO + Shibboleth « target » package –Common definition of user attributes semantic (study branches, staff categories,…)

19 TNC2004 Rhodes 19 public area restricted area login Ressource Manager User attributes Attribute Authority Handle Service Origin WAYF SHARSHIRE Target identity attributes ShibbolethSympa

20 TNC2004 Rhodes 20 Access control based on Shibboleth user attributes Shibboleth user attributes : –Inherited via environment variables –Stored as session data in Sympa DB –Used in the authorization scenario engine Scenario sample rule: # check if the user is a geology or archeology student equal([user_attributes->SHIB_STUDY_BRANCH],’geology’) md5 -> do_it equal([user_attributes->SHIB_STUDY_BRANCH],’archeology’) md5 -> do_it

21 TNC2004 Rhodes 21 Conclusion Sympa users include French academic institutions + foreign universities. They are driving the developments. AA development plans: –SAML authentication on the SOAP interface –Building the « user attributes » layer in Sympa architecture –Validating/introducing Sympa with other Single Sign- On servers… http://www.sympa.org

Download ppt "TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004."

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.
OhioNET EZProxy Service

OhioNET EZProxy Service
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.

Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.

Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Similar presentations

Ads by Google