Connecting Web and Kerberos Single Sign On
Transcript of Connecting Web and Kerberos Single Sign On
![Page 1: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/1.jpg)
Akademska in raziskovalna mreža Slovenije
Connecting Web and Kerberos Single Sign On
Rok Papež, [email protected]
Terena networking conference, Malaga, Spain, 10.6.2009
![Page 2: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/2.jpg)
Kerberos
– Authentication protocol
– (No) authorization
– Single Sign On (SSO)
– Cerberus
  – Greek and Roman mythology
  – 3-headed dog guarding the gates of Hades
– MIT Project Athena
  – Versions 1-3 internal only
  – Version 4 – 1989 (public software release)
    • DES only, protocol flaws, end of life
  – Version 5 – 1993 (RFC 1510)
– GSS-API – Generic Security Services API
– IETF Kerberos working group
![Page 3: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/3.jpg)
Kerberos implementations
– MIT Kerberos
  – krb5-1.6.3
  – krb5-1.7 beta (22.4.)
  – Most popular
  – Subject to USA cryptography export regulations
– Heimdal
  – Heimdal-1.2.1
  – Developed in Sweden
  – Better security track record
  – More features
– Microsoft Windows 2000 and later
  – Active Directory default authentication protocol
  – AuthZ extension: PAC – Privilege Access Certificate
![Page 4: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/4.jpg)
How Kerberos works
– In-band for different protocols
  – IMAP, POP, Telnet, SSH, Cisco routers ...
– 3rd party trust point – KDC
  – KDC – Key Distribution Center
  – Symmetric key cryptography
– Client acquires TGT from KDC
  – TGT – Ticket Granting Ticket
  – Client-KDC trust via shared secret – password
  – User prompted for password!
– Client uses TGT to request service ticket from KDC
  – User isn't prompted for password
  – KDC issues a time-limited service ticket for ServiceX
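A toy model of the two exchanges on this slide (AS exchange with the password, TGS exchange with the TGT, service-side validation with the service's own key), added here as an example and not code from the talk. Principal names, passwords and keys are constructed, and an HMAC seal over JSON stands in for the real encrypted ASN.1 tickets so the structure stays readable.

```python
import hashlib
import hmac
import json

# Constructed key material for the toy KDC: the krbtgt (TGS) key, one service key,
# and the KDC database of principals with keys derived from their passwords.
TGS_KEY = hashlib.sha256(b"constructed krbtgt key").digest()
SERVICE_KEYS = {"imap/mail.example.org": hashlib.sha256(b"constructed imap key").digest()}
PRINCIPALS = {
    "alice@EXAMPLE.ORG": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"alice@EXAMPLE.ORG", 10000),
}


def seal(key: bytes, fields: dict) -> dict:
    """Stand-in for encrypting a ticket under a key: an HMAC tag over its JSON body."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}


def unseal(key: bytes, ticket: dict) -> dict:
    """Only the holder of the issuing key can validate a ticket; anyone else is refused."""
    expected = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise PermissionError("ticket was not sealed under this key")
    return json.loads(ticket["body"])


def as_exchange(principal: str, password: str, now: float, lifetime: int = 8 * 3600) -> dict:
    """AS exchange: the only step that uses the password; returns a TGT sealed under the TGS key."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)
    if not hmac.compare_digest(derived, PRINCIPALS.get(principal, b"")):
        raise PermissionError("pre-authentication failed")
    return seal(TGS_KEY, {"cname": principal, "sname": "krbtgt", "exp": now + lifetime})


def tgs_exchange(tgt: dict, service: str, now: float, lifetime: int = 600) -> dict:
    """TGS exchange: the KDC checks the TGT with its own key (no password) and issues a
    time-limited service ticket sealed under the target service's key."""
    t = unseal(TGS_KEY, tgt)
    if now > t["exp"]:
        raise PermissionError("TGT expired, user must kinit again")
    return seal(SERVICE_KEYS[service], {"cname": t["cname"], "sname": service, "exp": min(t["exp"], now + lifetime)})


def service_accepts(service: str, ticket: dict, now: float) -> str:
    """Application side: the service validates the ticket with its own key, never calling the KDC."""
    t = unseal(SERVICE_KEYS[service], ticket)
    if t["sname"] != service or now > t["exp"]:
        raise PermissionError("ticket not valid for this service at this time")
    return t["cname"]  # the authenticated user id; authorization stays the application's job
```

Note that `service_accepts` returns only the principal name: as the later shortcomings slide says, Kerberos carries almost no authorization data, so the application still has to decide what that user may do.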
![Page 5: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/5.jpg)
Kerberos diagram
![Page 6: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/6.jpg)
Kerberos demo
Cheat sheet:
– kinit
– klist [-v]
– kgetcred <service>
– kdestroy [--credential=service]
Video demo! (screencast of user accessing Kerberos protected resource and using various tools to display Kerberos tickets)
![Page 7: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/7.jpg)
Kerberos shortcomings
– Bad administrator documentation
– Horrible developer documentation
– Questionable security track record
– Not suitable to run as a „public“ internet service
  – From the design on, treated as a LAN or campus service
  – Static 2-way or hub-and-spoke inter-realm trust
  – Always firewalled
– Bad authorization support
  – Kerberos doesn't provide much data
  – Kerberos AuthZ in application: check if userID is present
– SPNEGO for web applications
  – Simple and Protected GSSAPI Negotiation Mechanism
  – Limited to local network use
![Page 8: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/8.jpg)
Distributed AAI using SAML
– SAML – Security Assertion Markup Language
  – Data format / standard
– Web applications
  – Separate login from application
  – Single Sign On (SSO)
  – User authenticates via „login application“
    • IdP – Identity Provider
  – Authorization data sent to „service application“
    • SP – Service Provider
    • Module in web server
    • Application library
– SAML 1.0 – OASIS standard, 2002
– SAML 2.0 – OASIS standard, 2005
![Page 9: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/9.jpg)
SAML-AAI implementations
– Shibboleth IdP, SP
  – http://shibboleth.internet2.edu/
  – Older
  – Very configurable
  – Java
– SimpleSAMLphp IdP, SP
  – http://rnd.feide.no/simplesamlphp
  – Newer
  – Very easy to use
  – PHP
![Page 10: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/10.jpg)
How SAML-AAI works
– 3rd party trust point
  – Metadata distribution point (web server URL)
  – X.509 public key cryptography
– Web browser redirects
  – WAYF/DS – Where Are You From / Discovery Service
– Auto-submit forms
  – IdP sends authorization data from LDAP to SP
– Cookies for SSO session at IdP
![Page 11: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/11.jpg)
SAML-AAI diagram
http://www.switch.ch/aai/demo
![Page 12: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/12.jpg)
SAML-AAI demo
Video demo! (screencast of user accessing Adobe Connect PRO and the Foodle application, web server with integrated Shibboleth 2.1 SP, login via SimpleSAMLphp IdP)
![Page 13: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/13.jpg)
Comparing SAML-AAI and Kerberos
SAML-AAI:
– Web applications
– Internet-wide
– X.509 PKI
– SAML
– Authorization data
Kerberos:
– (Mostly) non-web applications
– Local/campus networks
– (Mostly) symmetric keys
– ASN.1
– (Mostly) no authorization data
SAML-AAI and Kerberos are not competing protocols!
![Page 14: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/14.jpg)
Interoperating SAML-AAI and Kerberos
Hybrid web applications:
– Web interface
– Access to backend Kerberos protected services
– Login via SAML-AAI + get Kerberos ticket
Problems:
– Identity mapping
  • Which Kerberos principal name to use?
  • Kerberos principal name: [email protected]
  • org.eu is the Kerberos LAN/campus realm
  • SAML identity
    – EduPersonPrincipalName: [email protected]
    – EduPersonTargetedId: kl83HlsnblqYskgh72Kfqkl
– User provisioning (new user?!)
– Getting service tickets from KDC for [email protected]
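One way a hybrid application can handle the identity-mapping and provisioning problems listed above before it asks the KDC for anything, added here as an example and not code from the talk or from either SAML implementation. The scope-to-realm table, the targeted-ID lookup table, the user name `user` and the provisioned-principal set are constructed; the realm ORG.EU and the targeted-ID value come from the slide.

```python
# Constructed configuration for the mapping: SAML scope -> Kerberos realm, the
# opaque per-SP eduPersonTargetedID values we have already tied to a principal,
# and the principals that exist in the KDC database (the provisioning check).
SCOPE_TO_REALM = {"org.eu": "ORG.EU"}
TARGETED_ID_TO_PRINCIPAL = {"kl83HlsnblqYskgh72Kfqkl": "user@ORG.EU"}
PROVISIONED = {"user@ORG.EU"}


class NeedsProvisioning(Exception):
    """The SAML user is authenticated but has no Kerberos principal yet (the 'new user?!' case)."""


def kerberos_principal(attrs: dict) -> str:
    """Derive the Kerberos principal name from the SAML attributes the IdP sent.

    eduPersonPrincipalName is scoped (user@scope), so the user part plus the realm
    mapped from the scope gives a principal. eduPersonTargetedID is opaque and
    per-SP, so it can only be resolved through a table we maintain; we never guess.
    """
    eppn = attrs.get("eduPersonPrincipalName")
    if eppn and "@" in eppn:
        user, scope = eppn.rsplit("@", 1)
        realm = SCOPE_TO_REALM.get(scope.lower())
        if realm is None:
            raise ValueError(f"no Kerberos realm configured for SAML scope {scope}")
        principal = f"{user}@{realm}"
    else:
        targeted = attrs.get("eduPersonTargetedID")
        principal = TARGETED_ID_TO_PRINCIPAL.get(targeted or "")
        if principal is None:
            raise ValueError("cannot map identity: no usable SAML identifier")
    if principal not in PROVISIONED:
        # Stop here: a service ticket request for an unknown principal would only fail at the KDC.
        raise NeedsProvisioning(principal)
    return principal
```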
![Page 15: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/15.jpg)
Hybrid SAML-AAI with Kerberos diagram
![Page 16: Connecting Web and Kerberos Single Sign On](https://reader031.fdocuments.net/reader031/viewer/2022021210/620648bc8c2f7b1730063de3/html5/thumbnails/16.jpg)
ARNES AAI team
http://aai.arnes.si
http://www.eduroam.si
e-mail: [email protected]
Questions?