Central Authentication Service Roadmap JA-SIG Winter 2004.
Central Authentication Service Roadmap
JA-SIG Winter 2004

A new CAS Presentation
What is CAS? (Enterprise Single Sign On)
What's new with CAS? (new CAS Java Client)
What's using CAS? (Acegi)
Where is CAS going? (Roadmap)
Resources?
What is CAS?
Enterprise Web Single-sign-on
Your users authenticate to CAS
Only CAS sees user passwords
Your applications receive assurance of authentication from CAS

CAS as Trusted
CAS is the Trusted Intermediary
The Bad Old Days
Log in to each application
Application A, Application B, Application C, Application D, Application E, Application F
Examples
We're going to walk through two examples demonstrating CAS's features.

Example: Network registration
Welcome to Our University Network Registration.
First, you need to log in:
CAS Login
CAS redirects back to application
Places ticket=ABCDEFG123 on the request
Application receives ticket
Validates ticket with CAS server
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
Okay, user is authenticated
Notice: The user didn't give her password to the application itself.
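The redirect-with-ticket and validate-with-CAS exchange above, as an added example that is not part of the original slides or of the CAS code base. It simulates both sides in Python: the CAS side mints a service ticket bound to one service URL and answers a validation request with the same `cas:serviceResponse` XML the slide shows; the application side parses that response and trusts only what CAS asserts. The in-memory ticket store, the five-minute lifetime, the `ST-` prefix and the service URL are constructed assumptions; the failure codes `INVALID_TICKET` and `INVALID_SERVICE` are taken from the CAS 2.0 protocol.

```python
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used in the slide's serviceResponse
TICKET_LIFETIME_SECONDS = 300           # assumption: a service ticket is only briefly valid

# Constructed in-memory ticket store: ticket -> (service, user, issued_at).
_service_tickets = {}


def issue_service_ticket(service, user, now=None):
    """CAS side: after login, mint a ticket bound to exactly one service URL."""
    now = time.time() if now is None else now
    ticket = "ST-" + secrets.token_urlsafe(24)   # the "longish random String" of the vocabulary slide
    _service_tickets[ticket] = (service, user, now)
    return ticket


def _envelope():
    ET.register_namespace("cas", CAS_NS)
    return ET.Element("{%s}serviceResponse" % CAS_NS)


def _success(user):
    root = _envelope()
    ok = ET.SubElement(root, "{%s}authenticationSuccess" % CAS_NS)
    ET.SubElement(ok, "{%s}user" % CAS_NS).text = user
    return ET.tostring(root, encoding="unicode")


def _failure(code, message):
    root = _envelope()
    fail = ET.SubElement(root, "{%s}authenticationFailure" % CAS_NS)
    fail.set("code", code)
    fail.text = message   # built with ElementTree so the message is escaped, not spliced into XML
    return ET.tostring(root, encoding="unicode")


def service_validate(ticket, service, now=None):
    """CAS side (/serviceValidate): consume the ticket on first use, then check that it was
    issued to this service and is still within its lifetime. Returns the CAS 2.0 XML."""
    now = time.time() if now is None else now
    entry = _service_tickets.pop(ticket, None)   # single use: removed before any check, so a replay fails
    if entry is None:
        return _failure("INVALID_TICKET", "ticket %r not recognized" % ticket)
    bound_service, user, issued_at = entry
    if bound_service != service:
        return _failure("INVALID_SERVICE", "ticket was not issued to %r" % service)
    if now - issued_at > TICKET_LIFETIME_SECONDS:
        return _failure("INVALID_TICKET", "ticket expired")
    return _success(user)


def parse_service_response(xml_text):
    """Application side: the ticket itself carries no identity; only CAS's answer does."""
    ns = {"cas": CAS_NS}
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", ns)
    if ok is not None:
        return {"authenticated": True, "user": ok.findtext("cas:user", namespaces=ns)}
    fail = root.find("cas:authenticationFailure", ns)
    return {"authenticated": False, "code": fail.get("code") if fail is not None else "UNKNOWN"}


def walkthrough():
    """The network-registration slide: one valid use, then the same ticket replayed."""
    service = "https://netreg.example.edu/register"   # constructed service URL
    ticket = issue_service_ticket(service, "awp9", now=1000.0)
    first = parse_service_response(service_validate(ticket, service, now=1001.0))
    replay = parse_service_response(service_validate(ticket, service, now=1002.0))
    return first, replay


if __name__ == "__main__":
    print(walkthrough())
```

The three checks in `service_validate` are the ones a validation endpoint must make in that order: consuming the ticket first means a replayed ticket fails even if the other checks would pass, and binding the ticket to the service means a ticket captured on one application's redirect cannot be presented by another.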
CAS Vocabulary
Ticket – it's a longish random String.
Ticket Granting Ticket / Ticket Granting Cookie – a CAS session identifier
Service Ticket
Proxy Granting Ticket
Proxy Ticket
Example 2: uPortal & SSO
Great, we've authenticated. Now let's visit our uPortal:
CAS does not display
Reads the secure cookie from the browser session.
Single sign on.
Redirects back to uPortal with the ticket.
uPortal validates the ticket
And requests a Proxy Granting Ticket.
Authenticated to uPortal

Proxying to get my mail
uPortal uses PGT to get PT for mail XML service, requests mail XML service
Mail XML service receives PT, validates it, and gets a PGT.
Mail XML service gets PT for IMAP server, presents to IMAP server.
IMAP server delegates to PAM_CAS to validate the PT.
The result
Recent Email Channel
[Diagram: EmailServlet, uPortal, IMAP Server, XML service and CAS, with PGT, PT, NetID, ProxyIDs and the IMAP session flowing between them]
What is CAS?
CAS is web SSO.
CAS is a concrete (Java Servlets) implementation.
CAS is a constellation of client libraries, including PAM, Apache modules, Java .jars, php, perl, …
What's new? CAS Java Client
Version 2.1.0

CASFilter
CAS Java Servlet Filter
Renew and Gateway features
Optionally set the remoteUser
Allows multiple authorized proxies

CASReceipt
CASReceipt represents results from CAS authentication
Exposed in the session by CASFilter

Filter Composition
Subsequent filters can examine the results of CAS authentication:
ProxyChainScrutinizerFilter
Commons logging
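The proxy chain from the "Proxying to get my mail" slides, together with the check that the "multiple authorized proxies" and ProxyChainScrutinizerFilter slides describe, as one added Python example. It is not code from the slides or from the CAS Java Client: it simulates the CAS side granting PGTs and proxy tickets and answering `/proxyValidate`, then the receiving application (IMAP via PAM_CAS in the slides) comparing the returned proxy chain against the chains it is configured to accept. The callback URLs, the `PGT-`/`PT-` prefixes, and the assumption that CAS lists the most recent proxy first are constructed for the example; CAS's https callback that delivers the PGT to the service is abstracted into a direct function call.

```python
import secrets

# Constructed stores. chain = list of proxy callback URLs, most recent proxy first (assumption).
_pgts = {}   # PGT -> (user, chain)
_pts = {}    # PT  -> (user, target_service, chain)

# Constructed URLs for the walkthrough.
UPORTAL_PROXY_URL = "https://portal.example.edu/CasProxyServlet"
MAILSVC_PROXY_URL = "https://mail-xml.example.edu/CasProxyServlet"
MAIL_XML_SERVICE = "https://mail-xml.example.edu/recent"
IMAP_SERVICE = "imap://imap.example.edu"


def grant_pgt(user, pgt_url, via_chain=()):
    """CAS side: grant a PGT to a service that has just validated a ticket.
    via_chain is the proxy chain that validated ticket carried (empty for a service ticket),
    so the new PGT records the whole path back to the user's login."""
    pgt = "PGT-" + secrets.token_urlsafe(24)
    _pgts[pgt] = (user, [pgt_url] + list(via_chain))
    return pgt


def issue_proxy_ticket(pgt, target_service):
    """CAS side (/proxy): a PT for one target, inheriting the PGT's chain."""
    user, chain = _pgts[pgt]
    pt = "PT-" + secrets.token_urlsafe(24)
    _pts[pt] = (user, target_service, chain)
    return pt


def proxy_validate(pt, service, pgt_url=None):
    """CAS side (/proxyValidate): consume the PT, check its target, report user and proxy chain,
    and grant the validating service its own PGT if it supplied a callback URL."""
    entry = _pts.pop(pt, None)                       # single use, like a service ticket
    if entry is None:
        return {"ok": False, "code": "INVALID_TICKET"}
    user, target, chain = entry
    if target != service:
        return {"ok": False, "code": "INVALID_SERVICE"}
    result = {"ok": True, "user": user, "proxies": list(chain)}
    if pgt_url:
        result["pgt"] = grant_pgt(user, pgt_url, via_chain=chain)
    return result


def scrutinize_proxy_chain(proxies, authorized_chains):
    """Receiving-application side: accept only a chain that is exactly one of the configured
    authorized chains. A longer, shorter or reordered chain is rejected, so an application
    cannot be reached through an intermediary it never agreed to trust."""
    return tuple(proxies) in {tuple(c) for c in authorized_chains}


def mail_walkthrough():
    """The slides' chain: uPortal -> mail XML service -> IMAP server, run end to end."""
    # uPortal validated its service ticket earlier and was granted a PGT (no proxies yet)
    uportal_pgt = grant_pgt("awp9", UPORTAL_PROXY_URL)
    # uPortal uses its PGT to get a PT for the mail XML service and presents it
    pt_for_mail = issue_proxy_ticket(uportal_pgt, MAIL_XML_SERVICE)
    mail_view = proxy_validate(pt_for_mail, MAIL_XML_SERVICE, pgt_url=MAILSVC_PROXY_URL)
    # the mail XML service uses its new PGT to get a PT for IMAP and presents it
    pt_for_imap = issue_proxy_ticket(mail_view["pgt"], IMAP_SERVICE)
    imap_view = proxy_validate(pt_for_imap, IMAP_SERVICE)
    # IMAP (via PAM_CAS) accepts only the chain it was configured for
    imap_accepts = scrutinize_proxy_chain(imap_view["proxies"], [[MAILSVC_PROXY_URL, UPORTAL_PROXY_URL]])
    return mail_view["proxies"], imap_view["proxies"], imap_accepts


if __name__ == "__main__":
    print(mail_walkthrough())
```

The point of `scrutinize_proxy_chain` comparing whole chains rather than checking that a known proxy appears somewhere is that the chain is CAS's statement of every hop the user's authentication passed through; a receiving application that configures several authorized chains (the client's "multiple authorized proxies") still accepts each of them only in full.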
CAS Java Client 2.1.x
uPortal: YaleCASFilteredContext
Use CASValidateFilter to accomplish the actual ticket validation – YaleCASFilteredContext just consumes the CASReceipt.

The approach
CASFilter
Additional filtering
Your application
What's new: Acegi
Acegi is an authentication/authorization framework that works well with Spring
It supports CAS for enterprise single sign on
A layer of abstraction beyond the CAS Java Client.
Roadmap
Where is CAS going?
Formalization of CAS protocol
SAML as the language for CAS requests and responses
Interface-rich, more pluggable server implementation

Formalization of CAS protocol
Before CAS can be re-implemented, we need a formal specification of exactly what protocol it implemented the first time.
SAML
CAS 2.0 uses ad-hoc XML. This was simple, worked well.
CAS 3.0 will additionally support SAML. More complex, but more standards compliant.
CAS as the authentication piece in a Shibboleth installation.

Assertions
CAS SAML assertions of who logged in how when
Attribute assertions
PGTs are attributes?
Details not yet fully defined

Attribute assertions
Common use case: now that you've authenticated your user, you want some attributes
SAML language allows us to assert attributes other than the user name at ticket validation

SSL callback and client certs
CAS uses an https: callback to authenticate the service
Signed SAML requests provide us an alternative
Interface-rich, more pluggable
Old model: you download CAS and then hack away at it to make it meet your needs.
New model: you plug in local changes at well-defined extension points

Load Balancing CAS
Why not to do this
Default: ticket store backed by in-memory cache
Possible: ticket store backed by RDBMS
Possible: ticket store backed by [pick your favorite cache implementation]

Whitelisting services
Why not to do this
Possible: impose whitelist at ticket validation layer
Authentication itself
CAS PasswordHandlers
CasGenericHandler – more ad-hoc XML configuration
Instead wire together using Spring

"Single Sign Out"
Why not to do this
But if we're going to do this, let's at least make it easier to maintain the local mod
Or maybe an optional aspect of the protocol – standardize without requiring

Extension points?
Others?
Rutgers and their fine work
Resources
New CAS documentation (Wiki)
Active mailing list
The larger CAS community

Contact information
http://www.yale.edu/its/tp/
[email protected]
[email protected]
[email protected]