Central Authentication Service Roadmap, JA-SIG Winter 2004


Page 1: Central Authentication Service Roadmap JA-SIG Winter 2004

Central Authentication Service
Roadmap
JA-SIG Winter 2004

Page 2: Central Authentication Service Roadmap JA-SIG Winter 2004

A new CAS Presentation

What is CAS? (Enterprise Single Sign On)
What’s new with CAS? (new CAS Java Client)
What’s using CAS? (Acegi)
Where is CAS going? (Roadmap)
Resources?

Page 3: Central Authentication Service Roadmap JA-SIG Winter 2004

What is CAS?

Enterprise Web Single-sign-on
Your users authenticate to CAS
Only CAS sees user passwords
Your applications receive assurance of authentication from CAS

Page 4: Central Authentication Service Roadmap JA-SIG Winter 2004

CAS as Trusted

CAS is the Trusted Intermediary

Page 5: Central Authentication Service Roadmap JA-SIG Winter 2004

The Bad Old Days

Page 6: Central Authentication Service Roadmap JA-SIG Winter 2004

Log in to each application

Application A, Application B, Application C, Application D, Application E, Application F

Page 7: Central Authentication Service Roadmap JA-SIG Winter 2004

Examples

We’re going to walk through two examples demonstrating CAS’s features.

Page 8: Central Authentication Service Roadmap JA-SIG Winter 2004

Example: Network registration

Welcome to Our University Network Registration.

First, you need to log in:

Page 9: Central Authentication Service Roadmap JA-SIG Winter 2004

CAS Login

Page 10: Central Authentication Service Roadmap JA-SIG Winter 2004

CAS redirects back to application

Places ticket=ABCDEFG123 on the request

Page 11: Central Authentication Service Roadmap JA-SIG Winter 2004

Application receives ticket

Validates ticket with CAS server

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>

Page 12: Central Authentication Service Roadmap JA-SIG Winter 2004

Okay, user is authenticated

Notice: The user didn’t give her password to the application itself.

Page 13: Central Authentication Service Roadmap JA-SIG Winter 2004

CAS Vocabulary

Ticket – it’s a longish random String.
Ticket Granting Ticket / Ticket Granting Cookie – a CAS session identifier
Service Ticket
Proxy Granting Ticket
Proxy Ticket

Page 14: Central Authentication Service Roadmap JA-SIG Winter 2004

Example 2: uPortal & SSO

Great, we’ve authenticated. Now let’s visit our uPortal:

Page 15: Central Authentication Service Roadmap JA-SIG Winter 2004

CAS does not display

Reads the secure cookie from the browser session.
Single sign on.
Redirects back to uPortal with the ticket.

Page 16: Central Authentication Service Roadmap JA-SIG Winter 2004

uPortal validates the ticket

And requests a Proxy Granting Ticket.

Page 17: Central Authentication Service Roadmap JA-SIG Winter 2004

Authenticated to uPortal

Page 18: Central Authentication Service Roadmap JA-SIG Winter 2004

Proxying to get my mail

uPortal uses PGT to get PT for mail XML service, requests mail XML service
Mail XML service receives PT, validates it, and gets a PGT.
Mail XML service gets PT for IMAP server, presents to IMAP server.
IMAP server delegates to PAM_CAS to validate the PT.

Page 19: Central Authentication Service Roadmap JA-SIG Winter 2004

The result

Page 20: Central Authentication Service Roadmap JA-SIG Winter 2004

Recent Email Channel

[Diagram: uPortal, EmailServlet (XML), IMAP Server and CAS exchanging PGT, PT, NetID and ProxyIDs to establish the IMAP session]

Page 21: Central Authentication Service Roadmap JA-SIG Winter 2004

What is CAS?

CAS is web SSO.
CAS is a concrete (Java Servlets) implementation.
CAS is a constellation of client libraries, including PAM, Apache modules, Java .jars, php, perl, …

Page 22: Central Authentication Service Roadmap JA-SIG Winter 2004

What’s new? CAS Java Client

Version 2.1.0

Page 23: Central Authentication Service Roadmap JA-SIG Winter 2004

CASFilter

CAS Java Servlet Filter
Renew and Gateway features
Optionally set the remoteUser
Allows multiple authorized proxies

Page 24: Central Authentication Service Roadmap JA-SIG Winter 2004

CASReceipt

CASReceipt represents results from CAS authentication
Exposed in the session by CASFilter

Page 25: Central Authentication Service Roadmap JA-SIG Winter 2004

Filter Composition

Subsequent filters can examine the results of CAS authentication:
ProxyChainScrutinizerFilter
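Added example, not code from the slides or from the CAS project: a Python parser for the CAS 2.0 serviceResponse shown on Page 11, extended to the cas:proxies list that a proxyValidate response carries after a chain like the one on Page 18, plus the kind of exact authorized-chain check that a filter such as ProxyChainScrutinizerFilter would apply before trusting the ticket. The cas:proxies element comes from the CAS 2.0 protocol; the sample responses, hostnames and error text are constructed.

```python
"""Parse a CAS 2.0 serviceResponse (what a service gets back from
/serviceValidate or /proxyValidate) and check the proxy chain it carries."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace shown on the slide

def cas(tag):
    """Namespace-qualify a CAS element name for ElementTree."""
    return "{%s}%s" % (CAS_NS, tag)

def parse_service_response(xml_text):
    """Return (user, proxies) on success, raise ValueError on failure.
    proxies lists the services the ticket passed through, most recent
    first (CAS 2.0 protocol); it is empty for a plain service ticket."""
    root = ET.fromstring(xml_text)
    if root.tag != cas("serviceResponse"):
        raise ValueError("not a CAS serviceResponse")
    success = root.find(cas("authenticationSuccess"))
    if success is None:
        failure = root.find(cas("authenticationFailure"))
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise ValueError("CAS validation failed: %s" % code)
    user = (success.findtext(cas("user")) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    proxies = [p.text.strip() for p in success.findall(cas("proxies") + "/" + cas("proxy")) if p.text]
    return user, proxies

def proxy_chain_authorized(proxies, authorized_chains):
    """Accept only if the whole chain equals one we trust; a ticket with no
    proxies passes only when the empty chain [] is itself listed."""
    return tuple(proxies) in {tuple(c) for c in authorized_chains}

# Constructed sample responses, not captured from a real CAS server.
DIRECT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>awp9</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
PROXIED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>awp9</cas:user><cas:proxies>
    <cas:proxy>https://mail.example.edu/xml/proxyCallback</cas:proxy>
    <cas:proxy>https://portal.example.edu/CasProxyServlet</cas:proxy>
  </cas:proxies></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Comparing the full chain, rather than checking that each proxy is individually known, is what stops a trusted proxy from being reached through an untrusted one.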

Page 26: Central Authentication Service Roadmap JA-SIG Winter 2004

Commons logging

CAS Java Client 2.1.x

Page 27: Central Authentication Service Roadmap JA-SIG Winter 2004

uPortal: YaleCASFilteredContext

Use CASValidateFilter to accomplish the actual ticket validation – YaleCASFilteredContext just consumes the CASReceipt.

Page 28: Central Authentication Service Roadmap JA-SIG Winter 2004

The approach

CASFilter

Additional filtering

Your application

Page 29: Central Authentication Service Roadmap JA-SIG Winter 2004

What’s new: Acegi

Page 30: Central Authentication Service Roadmap JA-SIG Winter 2004

What’s new: Acegi

Acegi is an authentication/authorization framework that works well with Spring
It supports CAS for enterprise single sign on
A layer of abstraction beyond the CAS Java Client.

Page 31: Central Authentication Service Roadmap JA-SIG Winter 2004

Roadmap

Where is CAS going?
Formalization of CAS protocol
SAML as the language for CAS requests and responses
Interface-rich, more pluggable server implementation

Page 32: Central Authentication Service Roadmap JA-SIG Winter 2004

Formalization of CAS protocol

Before CAS can be re-implemented, we need a formal specification of exactly what protocol it implemented the first time.

Page 33: Central Authentication Service Roadmap JA-SIG Winter 2004

SAML

CAS 2.0 uses ad-hoc XML. This was simple, worked well.
CAS 3.0 will additionally support SAML. More complex, but more standards compliant.
CAS as the authentication piece in a Shibboleth installation.

Page 34: Central Authentication Service Roadmap JA-SIG Winter 2004

Assertions

CAS SAML assertions of who logged in how when
Attribute assertions
PGTs are attributes?
Details not yet fully defined

Page 35: Central Authentication Service Roadmap JA-SIG Winter 2004

Attribute assertions

Common use case: now that you’ve authenticated your user, you want some attributes
SAML language allows us to assert attributes other than the user name at ticket validation

Page 36: Central Authentication Service Roadmap JA-SIG Winter 2004

SSL callback and client certs

CAS uses an https: callback to authenticate the service
Signed SAML requests provide us an alternative

Page 37: Central Authentication Service Roadmap JA-SIG Winter 2004

Interface-rich, more pluggable

Old model: you download CAS and then hack away at it to make it meet your needs.
New model: you plug in local changes at well-defined extension points

Page 38: Central Authentication Service Roadmap JA-SIG Winter 2004

Load Balancing CAS

Why not to do this
Default: ticket store backed by in-memory cache
Possible: ticket store backed by RDBMS
Possible: ticket store backed by [pick your favorite cache implementation]

Page 39: Central Authentication Service Roadmap JA-SIG Winter 2004

Whitelisting services

Why not to do this
Possible: impose whitelist at ticket validation layer

Page 40: Central Authentication Service Roadmap JA-SIG Winter 2004

Authentication itself

CAS PasswordHandlers
CasGenericHandler – more ad-hoc XML configuration
Instead wire together using Spring

Page 41: Central Authentication Service Roadmap JA-SIG Winter 2004

“Single Sign Out”

Why not to do this
But if we’re going to do this, let’s at least make it easier to maintain the local mod
Or maybe an optional aspect of the protocol – standardize without requiring

Page 42: Central Authentication Service Roadmap JA-SIG Winter 2004

Extension points?

Others?

Page 43: Central Authentication Service Roadmap JA-SIG Winter 2004

Rutgers and their fine work

Page 44: Central Authentication Service Roadmap JA-SIG Winter 2004

Resources

New CAS documentation (Wiki)
Active mailing list
The larger CAS community

Page 45: Central Authentication Service Roadmap JA-SIG Winter 2004

Contact information

http://www.yale.edu/its/tp/
[email protected] (yale.edu)
[email protected] (yale.edu)
[email protected] (tp.its.yale.edu)