ClearPass A CAS Extension Enabling Credential Replay Andrew Petro Unicon, Inc. Jasig 2010 San Diego, CA 09 March 2010 © Copyright Unicon, Inc., 2008-2010.

ClearPass A CAS Extension Enabling Credential Replay Andrew Petro Unicon, Inc. Jasig 2010 San Diego, CA 09 March 2010 © Copyright Unicon, Inc., Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit sig.org/wiki/display/CASUM/ClearPass

2 Disclaimers ● Personal opinions are my own: opinions herein are my own, and are not necessarily those of my employer, of Jasig, of the Jasig CAS steering committee, or of anyone else. ● CC-NC-SA disclaims warranty: Creative Commons licenses have some fantastic language for disclaiming warranties. That's in part why speakers use them.

3 Agenda 1. What is ClearPass? 2. How does ClearPass work? 3. uPortal example 4. Outlook Web Access example 5. Continued adoption in new environments 6. Questions?

4 What is ClearPass?

5 ClearPass ● Free and Open Source Software ● Extending CAS to... – capture the end user's password at login – And selectively release this password to authorized applications ● Like, say, an enterprise portal

6 Whence? ● Developed by Unicon for Sacramento State University and released as Free and Open Source Software ● Updated by Scott Battaglia via effort funded through Unicon's Cooperative Support for CAS Cooperative Development program

7 Concretely, what? ● Extensions to Jasig CAS to capture and expose credentials ● Extensions to Jasig uPortal to consume the credentials ● extensions/clearpass/

8 Wait, wait. Timeout.

9 Say what? ● Did I say ClearPass is an extension for releasing the end user's password??? ● That sounds like a really bad idea.

10 Why would you want to release end user credentials? Healthy skepticism is warranted.

11 Passwords are such useful things ● Have you ever given anyone your password? – To anything?

12 Two purposes ● End-user single sign on ● N-tier application-to-application-on-behalf-of- user authentication

13 Delete your login forms.

14 Apps do not touch passwords CAS

15 Greater than zero effort

16 Difficult to CASify

17 N-tier authentication ● User authenticates to Application 1 ● Application 1 authenticates to Application 2 on behalf of User ● How to accomplish this?

18 Options for N-Tier AuthN ● Principled Enterprise SSO regimes with Delegation ● Application-to-application authentication methods with assertion of user identity ● Direct use of end-user credentials

19 Passwords are such useful things

20 MailPortlet

21 After all, why is this hard?

22 Why ClearPass? ● End-user single sign on to difficult-to-CASify Web applications ● N-tier application-to-application-on-behalf-of- user authentication to difficult-to-CASify services

23 How does ClearPass work? But first, an aside

24 How does Proxy CAS work? An aside necessary to understand how ClearPass works

25 How CAS Works (diagram: Web browser, Web application, CAS; the browser carries a ST from CAS to the web application, which validates it with CAS and receives the NetID)

26 CAS 2.0: Proxy CAS (diagram: Web browser, Web application, CAS; the ST validation now carries a PGTURL, CAS calls back to the application's https listener with a PGT and PGTIOU, and the validation response returns the NetID and the PGTIOU)

27 CAS 2.0: Proxy CAS (diagram: Web browser, Web application, CAS, Back-end application; the web application uses its PGT to obtain a PT from CAS and presents the PT to the back-end application, which validates it with CAS, learns the NetID, and returns Data)

28 Proxiable credentials illustrated (diagram: IMP obtains a ST from CAS, then a PGT and a PT; the PT is presented to the IMAP server, whose CAS PAM module validates it with CAS and learns the username and the identity of the web resource that proxied it)

29 How does ClearPass work? Now that we've reviewed Proxy CAS, we can talk about this.

30 ClearPass CAS Extensions ● Capture the password at login ● Cache the password ● Release the password to authorized applications

31 Capture password at login ● In a perhaps too-clever way – AuthenticationMetaDataPopulator ● But minimally invasive

32 Declaring the Cacher

33 Declaring and injecting

34 Cache the password ● In an EhCache – So this cache can be shared across CAS server instances in a cluster – Can also be just in-memory ● Either way the cache holds plaintext passwords: entries should live no longer than the SSO session, and access to the cache and to any replication traffic between nodes needs the same protection as the CAS server itself

35 Expose the password ● Adds a controller

36 ClearPassController
public ModelAndView handleRequestInternal(final HttpServletRequest request,
                                          final HttpServletResponse response) {
    // The CAS client filters in front of /clearPass set the remote user only after
    // the presented ticket has been validated; no user name is read from the request itself.
    final String userName = request.getRemoteUser();
    if (userName != null) {
        final String password = this.credentialsCache.get(userName);
        return new ModelAndView(this.successView, MODEL_CLEARPASS, password);
    }
    return returnError("No authentication information provided.");
}

37 Response from /clearpass endpoint (XML document; the element tags were lost in transcription, the element text is actual_password)

39 Wait, the password's in the clear? ● Well, no, not really. ● The ClearPass callback URL is – Accessed via HTTPS – Request authenticated via a Proxy CAS Ticket ● The password is still plaintext inside that TLS channel, so which applications may present a PT to /clearPass is the real access control

41 clearPassSuccess.jsp ${fn:escapeXml(credentials)}

43 Authenticating to ClearPass ● How do applications authenticate to CAS ClearPass to get the password? – Need to authenticate both the application and participation in a CAS single sign on session

44 Authenticated via PT! ● Use the Jasig CAS Client library itself to authenticate applications to the ClearPass CAS extension!

45 Uses Jasig Java CAS Client (filter chain diagram: CAS Validation Filter mapped to /clearPass, then CAS HttpServletRequest Wrapper Filter mapped to /clearPass, in front of the ClearPass controller)

46 Uses Jasig Java CAS Client ● org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter ● init-params: serverName, allowedProxyChains ● allowedProxyChains is the allow-list of proxy chains (applications) that may obtain the password; leave it empty or accept any proxy and every CAS-proxying application can read every user's password

47 CAS 2.0: Proxy CAS (same diagram as slide 27: Web browser, Web application, CAS, Back-end application; PGT, PT, NetID, PGTURL, Data)

48 CAS 2.0: Proxy CAS (diagram: as slide 47, with CAS ClearPass in place of the back-end application; the web application obtains a PT from its PGT, presents it to CAS ClearPass, and receives the Password instead of Data)
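An added example, not code from ClearPass, uPortal or the Jasig CAS client: a toy in-memory model of the Proxy CAS flow reviewed on slides 24-28 and of how /clearPass authenticates its caller (slides 43-48) and renders the escaped response (slides 36-41). It is written in Python rather than the Java of the real client because the proxy protocol is plain HTTP and XML and the check is the same whichever client library performs it. MiniCas, the ticket string formats, the example URLs and the clearPassResponse/clearPassSuccess/credentials element names (modelled on the "credentials" attribute of slide 41) are assumptions; serviceResponse, authenticationSuccess, proxies and proxy are the CAS 2.0 protocol's own elements.

```python
# Added example, not ClearPass project code: a toy in-memory model of the CAS 2.0
# proxy flow (slides 24-28) and the /clearPass release check (slides 36-48).
# MiniCas, the ticket formats, the example URLs and the clearPassResponse element
# names (modelled on the "credentials" attribute of slide 41) are all assumptions.
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"                                # CAS 2.0 namespace
CLEARPASS_URL = "https://cas.example.edu/cas/clearPass"               # assumed
PORTAL_LOGIN_URL = "https://portal.example.edu/uPortal/Login"         # assumed
PORTAL_PGT_URL = "https://portal.example.edu/uPortal/CasProxyServlet"  # assumed


def _cas_xml(body):
    return "<cas:serviceResponse xmlns:cas='%s'>%s</cas:serviceResponse>" % (CAS_NS, body)


class MiniCas:
    """In-memory CAS server: every ticket is a random, single-use token bound to one service."""

    def __init__(self):
        self.tgts, self.sts, self.pgts, self.pts = {}, {}, {}, {}
        self.credentials = {}  # the ClearPass cache: username -> plaintext password

    def login(self, username, password):
        # ClearPass hooks the login step (an AuthenticationMetaDataPopulator) to capture the password.
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        self.credentials[username] = password
        return tgt

    def issue_st(self, tgt, service):
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (self.tgts[tgt], service)
        return st

    def service_validate(self, st, service, pgt_url=None):
        """/serviceValidate: consume the ST; with a pgtUrl also mint a PGT. (Real CAS
        delivers the PGT by HTTPS callback to pgtUrl and returns only a PGTIOU.)"""
        entry = self.sts.pop(st, None)
        if entry is None or entry[1] != service:
            return _cas_xml("<cas:authenticationFailure code='INVALID_TICKET'/>"), None
        user, pgt = entry[0], None
        if pgt_url:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (user, [pgt_url])  # proxy chain, most recent proxy first
        return _cas_xml("<cas:authenticationSuccess><cas:user>%s</cas:user>"
                        "</cas:authenticationSuccess>" % escape(user)), pgt

    def proxy(self, pgt, target_service):
        """/proxy: turn a PGT into a PT valid for exactly one target service."""
        user, chain = self.pgts[pgt]
        pt = "PT-" + secrets.token_urlsafe(16)
        self.pts[pt] = (user, target_service, chain)
        return pt

    def proxy_validate(self, pt, service):
        """/proxyValidate: consume the PT and report the chain that proxied it."""
        entry = self.pts.pop(pt, None)
        if entry is None or entry[1] != service:
            return _cas_xml("<cas:authenticationFailure code='INVALID_TICKET'/>")
        user, _, chain = entry
        proxies = "".join("<cas:proxy>%s</cas:proxy>" % escape(p) for p in chain)
        return _cas_xml("<cas:authenticationSuccess><cas:user>%s</cas:user><cas:proxies>%s"
                        "</cas:proxies></cas:authenticationSuccess>" % (escape(user), proxies))


def clearpass_endpoint(cas, pt, allowed_chains):
    """/clearPass: the CAS client filter validates the PT against this URL and enforces
    allowedProxyChains; only then does the controller read the cache and render."""
    root = ET.fromstring(cas.proxy_validate(pt, CLEARPASS_URL))
    ok = root.find("{%s}authenticationSuccess" % CAS_NS)
    if ok is None:
        return None
    chain = [p.text for p in ok.findall("{%s}proxies/{%s}proxy" % (CAS_NS, CAS_NS))]
    # Policy in this model: an empty chain (a plain ST straight from a browser) is
    # refused, and only exact, pre-registered chains may receive the password.
    if not chain or chain not in allowed_chains:
        return None
    password = cas.credentials.get(ok.find("{%s}user" % CAS_NS).text)
    if password is None:
        return None
    # Like fn:escapeXml in clearPassSuccess.jsp: a password containing < or & must
    # not break the XML; the client unescapes it when parsing.
    return ("<cas:clearPassResponse xmlns:cas='%s'><cas:clearPassSuccess><cas:credentials>"
            "%s</cas:credentials></cas:clearPassSuccess></cas:clearPassResponse>"
            % (CAS_NS, escape(password)))


def extract_password(clearpass_xml):
    """Client side: parse the response; ElementTree undoes the escaping."""
    return ET.fromstring(clearpass_xml).find(".//{%s}credentials" % CAS_NS).text


def portal_fetches_password(password, allowed_chains):
    """End to end: login -> ST for the portal -> PGT -> PT for /clearPass -> password."""
    cas = MiniCas()
    tgt = cas.login("jdoe", password)
    st = cas.issue_st(tgt, PORTAL_LOGIN_URL)
    _, pgt = cas.service_validate(st, PORTAL_LOGIN_URL, PORTAL_PGT_URL)
    pt = cas.proxy(pgt, CLEARPASS_URL)
    response = clearpass_endpoint(cas, pt, allowed_chains)
    return None if response is None else extract_password(response)
```

Three things the model makes visible: a PT is consumed on first validation, so a replayed PT gets nothing; a PT minted from the same PGT for a different service is refused at /clearPass because the PT is bound to the service URL; and the proxy chain reported by /proxyValidate is the only statement of which application is asking, so allowedProxyChains is, in effect, the access-control list for every user's password.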

49 uPortal Example

Portal Password Replay (diagram: the Portal replays the user's PW to a Password-Protected Service through a Channel)

Portal Password Replay (diagram: the Portal replays the user's PW to a Password-Protected Service through a Portlet)

52 ClearPass uPortal module ● extensions/clearpass/tags/clearpass_1_0_0_ga/clearpass-integration-uportal/ ● Plugin for uPortal's SecurityContext API ● Implements Password Caching API (supports password replay) ● Implements CAS API (supports CAS proxy tickets)

53 Portal Password Replay Alongside PTs (diagram: the Portlet receives the PW from ClearPass and a PGT from CAS; it replays the PW to Password-Protected Services and presents PTs to CAS-Protected Services)

54 Portlets that (can) replay passwords

55 Portlets that can use passwords... ● preview ● Calendar preview ● Toro Gateway SSO portlet (for credential replay through login forms to achieve end-user SSO experience) ● Web Proxy Portlet ● Your portlet

56 Password as just an attribute ● A special, important attribute ● But just a standard JSR 168 user attribute ● Portlet doesn't care whether it came from ClearPass

57 SSO into Datatel WebAdvisor ● sig.org/wiki/display/CASC/CASifying+WebAdvisor ● ClearPass ● uPortal ● Toro Gateway SSO portlet

58 (There's more to this story) ● (Apparently Datatel WebAdvisor has an optional add-on product enabling SSO?) ● (So that might be a better option?) ● (But probably incurs license fees and uses proprietary software?)

59 Outlook Web Access example

60 Free Software alternatives to OWA ● While ClearPass-infused heroics can be applied to CASify Outlook Web Access... ● You could instead use something under an Open Source license...

61 Bill Thompson's (!) Solution

62 CasOwaAuthHandler.cs ● Handles an HTTP request ● Obtains a Proxy Ticket to CAS/clearpass ● Uses PT to obtain password from CAS/clearpass ● Uses password to internally POST to OWA login form, reading resulting session cookies ● Sends session cookies back to end user browser (works since running in OWA) ● Redirects browser to OWA

63 Liferay example

64 Bill Thompson's (!) forum post ● liferay_jasig_cas_client_forum_discussion

65 Liferay 5 extensions ● Use Jasig Java CAS Client library ● Obtain PT ● Use PT to obtain Password from ClearPass ● Place password into session where Liferay expects it ● Portlets use it as normal

66 How ClearPass Fits

67 ClearPass ● Enables incremental adoption of Enterprise SSO ● Adopt CAS SSO ● Use ClearPass to enable legacy integrations ● Use CAS and CAS delegated authentication wherever you can ● Improvement: incrementally, less proliferation of passwords and use of passwords

68 ClearPass Future

69 Encrypt the password at rest?

70 What about multiple passwords? ● Represent as different ClearPass callback URLs?

71 Questions & Answers & Discussion Andrew Petro Software Developer Unicon, Inc.

72 License and Copyleft © Copyright Unicon, Inc., Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit sa/3.0/us/

73 Acknowledgments ● Bill Thompson for his excellent work developing and documenting Liferay extensions to use Jasig Java CAS Client 3 and ClearPass and OWA extensions to rely upon ClearPass for SSO into OWA. ● (Roller derby timeout image; CC-NC 2.0)