Presentation is loading. Please wait.

Presentation is loading. Please wait.

Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.

Published byColin Neal Modified over 8 years ago

Similar presentations

Presentation on theme: "Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004."— Presentation transcript:

1 Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004

2 Outline Motivation and goals Motivation and goals Tools Tools Single sign-on Single sign-on Impersonation: Mapping certificates to accounts Impersonation: Mapping certificates to accounts Providing certificates to users Providing certificates to users Issues and actual status Issues and actual status Summary and conclusions Summary and conclusions

3 Motivation The environment: The environment: Services offered through web Services offered through web Applications using web servers as user interface Applications using web servers as user interface Clients on both Windows and Unix platforms Clients on both Windows and Unix platforms What we want (and what the users ask for): What we want (and what the users ask for): Authentication mechanism valid across platforms Authentication mechanism valid across platforms Single sign-on Single sign-on

4 Goal Letting users access authorized resources… Letting users access authorized resources… Restricted web pages Restricted web pages Web-based services (mail, …) Web-based services (mail, …) …without re-typing usernames and passwords (single sign-on) …without re-typing usernames and passwords (single sign-on)

5 Tools Two different technologies Two different technologies Kerberos Kerberos Well-known for certain applications Well-known for certain applications “Supported” by modern operating systems “Supported” by modern operating systems PKI/Certificates PKI/Certificates Widely spread Widely spread Portability across platforms Portability across platforms

6 Tools The drawbacks… The drawbacks… Kerberos Kerberos Incompatible extensions Incompatible extensions Few “kerberized” applications Few “kerberized” applications So, we decided to try PKI/Certificates as a base for a Single Sign-On mechanism. So, we decided to try PKI/Certificates as a base for a Single Sign-On mechanism.

7 Single Sign-on CERN users have accounts in both Unix and Windows environments CERN users have accounts in both Unix and Windows environments Services are not replicated in both systems Services are not replicated in both systems Logon and Authentication mechanisms are different Logon and Authentication mechanisms are different A user must type his/her credentials again and again A user must type his/her credentials again and again Can the PKI/Certificates help? Can the PKI/Certificates help?

8 Single Sign-on: basic web access PKI/Certificates can be used to protect access to web pages PKI/Certificates can be used to protect access to web pages They provide portable authentication and access control They provide portable authentication and access control Available for both Apache and IIS servers Available for both Apache and IIS servers … But this is mainly local access … But this is mainly local access What happens if the server needs to access remote data? What happens if the server needs to access remote data?

9 Single sign-on We must provide the user with a valid PKI/Certificate We must trust the web server It will impersonate the user! Web Server User Services

10 Impersonation in IIS Based on the Windows Identity Mapping mechanism Based on the Windows Identity Mapping mechanism Maps a certificate to a specific account Maps a certificate to a specific account The identity mapping can be managed at two different places: The identity mapping can be managed at two different places: The IIS server itself The IIS server itself The Active Directory The Active Directory

11 IIS mapping Specific to a web site Specific to a web site Flexible many-to-one mapping rules Flexible many-to-one mapping rules Based on issuer and subject of the certificate Based on issuer and subject of the certificate Provides a ticket valid for delegation Provides a ticket valid for delegation I.e. remote resources can be accessed I.e. remote resources can be accessed Username and password must be provided when setting the mapping Username and password must be provided when setting the mapping but they are not kept synchronized with windows accounts! but they are not kept synchronized with windows accounts!

12 AD mapping Common for all web sites in the domain Common for all web sites in the domain Limited many-to-one mapping Limited many-to-one mapping There is a single account for all the certificates coming from the same issuer CA There is a single account for all the certificates coming from the same issuer CA One-to-one mapping is the most convenient One-to-one mapping is the most convenient Provides a ticket valid for delegation since Windows.NET Server/IIS 6.0 Provides a ticket valid for delegation since Windows.NET Server/IIS 6.0

13 AD mapping (II) Two flavors: manual and automatic Two flavors: manual and automatic In manual mapping, the administrator must specify which certificate maps into which account (can be done programmatically) In manual mapping, the administrator must specify which certificate maps into which account (can be done programmatically) In automatic mapping, the certificate must contain an extension (subjectAltName), with the User Principal Name (UPN) of the account in the otherName field In automatic mapping, the certificate must contain an extension (subjectAltName), with the User Principal Name (UPN) of the account in the otherName field No explicit mapping is needed No explicit mapping is needed Originally designed for smart cards Originally designed for smart cards

14 Impersonation in Apache Impersonation via Kerberos ticket Impersonation via Kerberos ticket Uses extra software: Kerberos leveraged PKI Uses extra software: Kerberos leveraged PKI KCT (Kerberos Certificate Translation) KCT (Kerberos Certificate Translation) Mod_KCT (Apache module) Mod_KCT (Apache module) Procedure: Procedure: The user sends a PKI/Certificate (obtained through the KCA) to Apache The user sends a PKI/Certificate (obtained through the KCA) to Apache Apache uses KCT to recover the user’s Kerberos ticket Apache uses KCT to recover the user’s Kerberos ticket Apache uses the ticket to access user’s remote resources Apache uses the ticket to access user’s remote resources

15 Providing certificates to users There is a risk of users not taking care of their certificates… There is a risk of users not taking care of their certificates… It should be a transparent mechanism It should be a transparent mechanism It should be easy It should be easy It should be secure It should be secure Both Unix and Windows users receive a Kerberos ticket during logon Both Unix and Windows users receive a Kerberos ticket during logon We can issue a PKI/Certificate for a Kerberos ticket We can issue a PKI/Certificate for a Kerberos ticket

16 Providing certificates to Users Kerberos Leveraged PKI Kerberos Leveraged PKI Credentia l Cache Login KDC KCA Browser LibPKCS11 Web Server

17 Providing certificates to users KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible) KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible) KCA clients are available for Unix and Windows KCA clients are available for Unix and Windows PKCS11 library (smart card emulation) is also available for Unix and Windows PKCS11 library (smart card emulation) is also available for Unix and Windows We have short term certificates We have short term certificates

18 Issues: certificate restrictions The user certificate must contain a series of extensions properly filled and encoded, so that the web server accepts it and maps it to the right account. The user certificate must contain a series of extensions properly filled and encoded, so that the web server accepts it and maps it to the right account. subjectAltName subjectAltName cRLDistributionPoint cRLDistributionPoint keyUsage keyUsage extendedKeyUsage extendedKeyUsage Expiration date properly set Expiration date properly set Possible CAs: Possible CAs: Microsoft recommends MS Enterprise CA Microsoft recommends MS Enterprise CA Entrust CA also works Entrust CA also works … We used OpenSSL… … We used OpenSSL…

19 Issues: server side CA restrictions It is possible to use a non-MS CA with an IIS server, but… It is possible to use a non-MS CA with an IIS server, but… … it should behave as Microsoft’s one … it should behave as Microsoft’s one The CA certificate must be added to the NTAuth store in the registry… manually. The CA certificate must be added to the NTAuth store in the registry… manually. It should create the same AD entries and fill them properly It should create the same AD entries and fill them properly Certificates and CRLs must be published in the AD Certificates and CRLs must be published in the AD

20 Issues: web applications Lack of integration between the authentication mechanisms for the web servers and the applications behind them Lack of integration between the authentication mechanisms for the web servers and the applications behind them First, authenticate with the web server… First, authenticate with the web server… Then, authenticate again with the application! Then, authenticate again with the application! E.g. some web mail applications… E.g. some web mail applications… Despite the necessary security infrastructure being there, some applications keep Despite the necessary security infrastructure being there, some applications keep Using their own security mechanisms Using their own security mechanisms … or using it only “internally”. … or using it only “internally”.

21 Status Linu x Box Windows 2000 KDC Linux KCA OpenSSL CA Web Browser (Mozilla) Lib PKCS11 Windows 2003 IIS 6.0 AD Resources Certificate Template Win Box MS CA? Unix Apache Mod_KCT KCT MIT KDC

22 Summary and conclusions In theory, it is possible to achieve cross-platform single sign-on In theory, it is possible to achieve cross-platform single sign-on But full functionality has issues… But full functionality has issues… Lots of components involved (KDC, KCA, AD…) Lots of components involved (KDC, KCA, AD…) Compatibility (not fully documented requirements) Compatibility (not fully documented requirements) Intrinsic limitations Intrinsic limitations Extensions not present in the KCA certificates Extensions not present in the KCA certificates Integration between applications and servers Integration between applications and servers

23 Questions?

Download ppt "Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004."

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Planning a Public Key Infrastructure

Planning a Public Key Infrastructure
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
UNIX & W2K A single sign-on solution for a Kerberos V based AFS cell Enrico M.V. Fasanelli & Fulvio Ricciardi I.N.F.N. – Sezione di Lecce.

UNIX & W2K A single sign-on solution for a Kerberos V based AFS cell Enrico M.V. Fasanelli & Fulvio Ricciardi I.N.F.N. – Sezione di Lecce.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.

Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Similar presentations

Ads by Google