CUWebAuth and CUWebLogin 2.0
Identity Management Team
Campus Developers Meeting, June 4, 2008

K5 Migration Project
[Timeline chart spanning 2008 and 2009 (monthly axis, Dec through Jun). Phases: Testing, Discretionary migration window, Buffer. Milestones: CUWA 2.0 Alpha, CUWA 2.0 Beta, K5 Permit Server, CUWA 2.0 Production Release, "You Are Here", Campus Rollout Complete, K4 Shutdown?]
WebAuth2 is being developed as part of the Kerberos 5 migration project. We expect to shut off Kerberos 4 by the end of the year.
Cornell's CUWebLogin Pages: https://confluence.cornell.edu/display/CUWAL/Cornell%27s+CUWebLogin+Pages
CUWebAuth 2.0 Documentation: https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0
What's New in 2.0
- Kerberos 5 only
- Open-source
- GSSAPI
- Better Security
- Better Performance
- Simplified Administration
- Flexible Authorization Model
- New POST Data Handling
- Better Support

Changes for Kerberos 5
- Keytabs, not Srvtabs
- ServiceID Self-Service Application
  - Create your own keytabs
  - Create your own ServiceID
  - Delegate authority
- No More SideCar
- No More Legacy CUSSP Library

Open System
- Documented
- Standards-based APIs
- Full Source Code Available
  - Localize
  - Porting
  - Customization
Custom Tools
- Credential Creation & Parsing
- PermitG / Grouper lookup
There's a separate C library for handling credentials. Credentials are used in cookies and query strings in the context of CUWA and CUWL. The format is well documented, so implementations in other languages are possible. There's a separate C library for permit lookup. Grouper access is via LDAP, which is supported in most languages.

GSSAPI
- IETF RFC 2743
- C Bindings
- Java Bindings
- Wide OS Acceptance
The credentials are based on the Generic Security Service standard (GSSAPI, RFC 2743): a combination of wire protocol and language bindings, supported just about everywhere.
Better Security
- CUWebLogin: Kerberos Proxy
- No Credential Minting
- Better MITM Attack Prevention

Performance
                   CUWebLogin 1.0                      CUWebLogin 2.0
Throughput         20 logins/sec per server            200+ logins/sec per server
Deployment         Single Server                       Load Balanced, 4 Servers

WebAuth Administration
- Fewer Directives: 26 directives obsolete, 5-6 new ones
- Better Logging
- Fine Grained: .htaccess, VirtualHost, Security Domain
Flexible Authorization (Active Content)
New directives, more than remote-user:
- Allow anonymous access
- List group permissions: pass cuwa-groups to application
- How long ago did user log in? Inspect cuwa-auth-time
- Pass cuwa-delegated-cred to application
Some new directives allow active content to have more control of authorization.
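As an added illustration (not code from the CUWebAuth project), this is the kind of application-side check the cuwa-groups and cuwa-auth-time values make possible: require group membership and a recent login before a sensitive action. It assumes the values reach a CGI application as the environment variables CUWA_GROUPS (comma-separated) and CUWA_AUTH_TIME (Unix epoch seconds); the variable names and formats are assumptions, and the real delivery is defined by the CUWA 2.0 documentation.

```python
"""Step-up authorization using values CUWebAuth 2.0 can pass to active content.

Assumptions (not taken from the CUWA docs): REMOTE_USER, CUWA_GROUPS and
CUWA_AUTH_TIME arrive as CGI environment variables; CUWA_AUTH_TIME is Unix
epoch seconds; CUWA_GROUPS is a comma-separated list.
"""
import os
import time

# Assumed local policy: a login older than this must be repeated before
# a sensitive action is allowed (the "how long ago did user log in" case).
MAX_AUTH_AGE = 15 * 60  # seconds
CLOCK_SKEW = 60         # tolerate small skew between login server and app


def parse_groups(raw):
    """Turn 'a, b,,c' into {'a', 'b', 'c'}; empty or missing -> empty set."""
    return {g.strip() for g in (raw or "").split(",") if g.strip()}


def authorize(env, required_group, max_auth_age=MAX_AUTH_AGE, now=None):
    """Return (allowed, reason). Denies anonymous users, users outside
    required_group, malformed auth times, and stale logins."""
    now = time.time() if now is None else now
    if not env.get("REMOTE_USER"):
        return False, "anonymous"
    if required_group not in parse_groups(env.get("CUWA_GROUPS")):
        return False, "not-in-group"
    try:
        auth_time = int(env.get("CUWA_AUTH_TIME", ""))
    except ValueError:
        return False, "bad-auth-time"
    if auth_time > now + CLOCK_SKEW:
        return False, "auth-time-in-future"
    if now - auth_time > max_auth_age:
        return False, "stale-login"  # application should redirect to re-login
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample environment standing in for what CGI would supply.
    sample = {"REMOTE_USER": "abc12", "CUWA_GROUPS": "staff, payroll-admins",
              "CUWA_AUTH_TIME": str(int(time.time()) - 120)}
    print(authorize(dict(os.environ, **sample), "payroll-admins"))
```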
POST Data
- No More "Click to Continue"
- POST Data Handled By WebAuth
- Request Data Stays at Website
- Can Handle Larger POSTs
- Same Support for Apache / IIS
POST data support has been revamped.

Better Support
- Apache and IIS: One Code Base
- 64-bit clean
- Thread safe
- No Name Collisions
- Shared Library Compatibility (Unix)
- Problem with a Binary? Rebuild It!
- Short List of Binaries: RedHat, Solaris, Windows; Apache 2.0, 2.2, IIS 6
- Wiki Documentation
In the end, our efforts are geared toward improving our ability to support CUWebAuth.

Release Schedule
- Apache Go-Live: Now
- IIS Go-Live: one month-ish

Q&A
Pete Bosanko, pb10@cornell.edu
Tom Parker, jtp5@cornell.edu
idmgmt@cornell.edu
Duck and cover