Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008.


Agenda
- Context (Single Sign On at Yale)
- JAAS and CSM
- A new LDAPLoginModule
- HOWTO
- Future Directions

Context (Single Sign On at Yale)
- Yale uses CAS (Central Authentication Service), and CAS authenticates against Kerberos.
- A Kerberos ticket proves which principal logged in, but it carries no first/last name or email address, and AuthenticationService needs those.
- Yale has an LDAP phone book that holds usernames, names and addresses.
- We have the technology. We have the information.

JAAS and CSM
- CSM (Common Security Module) uses JAAS (Java Authentication and Authorization Service).
- JAAS supports both LDAP and Kerberos for authentication.
- Shouldn't this just work?

JAAS and CSM (cont.)
No, there are some serious obstacles:
- CSM uses its own LoginModule implementation for LDAP.
- That LoginModule fails if it cannot get username and password information from the LDAP server, i.e. it insists on doing the authentication itself against LDAP, whereas at Yale authentication is Kerberos's job.
- The Kerberos LoginModule provides only the username and the proof of authenticity; it knows nothing about the custom CSM attributes (last name, first name, email address).

A New LDAPLoginModule
- Code change! Modified LDAPLoginModule (actually LDAPHelper) so that it can be configured to provide user information only, leaving the authentication task to Kerberos, PAM or something else.
- With the module stacked after Krb5LoginModule, the user's password never goes to LDAP; the directory is consulted only to fill in name and address attributes for the principal Kerberos already authenticated.
- Deployed successfully and was able to authenticate using the service.
- Download the software at

HOWTO (on Linux, at least)
- Set up a vanilla AuthenticationService using LDAP.
- Download the distribution zip: http://krauthammerlab.med.yale.edu/wp-content/files/csmjaas-1.0.zip
- Add csmjaas-1.0.jar to [tomcat-dir]/webapps/wsrf/WEB-INF/lib
(cont.)

HOWTO (on Linux, at least) (cont.)
Install the Kerberos libraries and (on Linux) make /etc/krb5.conf look like the following; the realm block has to sit under its own [realms] header or the KDC addresses are ignored:

    [libdefaults]
        default_realm = NET.YALE.EDU

    [realms]
        NET.YALE.EDU = {
            kdc = kserv2.net.yale.edu
            admin_server = kserv1.net.yale.edu
        }

(cont.)

HOWTO (on Linux, at least) (cont.)
Make ~/.java.login.config look like csmjaas-1.0/java.login.config. Both entries are "required", so a login succeeds only if Kerberos succeeds and the LDAP lookup succeeds; with ldapInfoOnly="true" the LDAP module never binds with the user's password and only reads public phone-book attributes, which is why plain LDAP on port 389 is acceptable here:

    AUTHNSVC {
        com.sun.security.auth.module.Krb5LoginModule required;
        edu.yale.med.krauthammerlab.csm.LDAPLoginModule required
            ldapHost="ldap://directory.yale.edu:389"
            ldapInfoOnly="true"
            ldapSearchableBase="o=yale.edu"
            ldapUserIdLabel="uid"
            USER_FIRST_NAME="givenName"
            USER_LAST_NAME="sn"
            USER_ _ID="mail";
    };

(cont.)
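As an added example, and not the csmjaas-1.0 code from the talk nor anything from CSM itself, the following JAAS LoginModule shows the "info only" pattern behind the patch and the java.login.config above: Krb5LoginModule is the one that authenticates, and this module, running second in the same stack, reads the resulting KerberosPrincipal in commit() and decorates the Subject with attributes from the phone book without ever sending a password to LDAP. The class name InfoOnlyLdapLoginModule, exposing the attributes as a Map in the Subject's public credentials, and the assumption that the Kerberos primary ("jim" in jim@NET.YALE.EDU) equals the LDAP uid are all assumptions for illustration; the option names follow the config above, and every USER_* option is treated generically as a CSM-attribute-to-LDAP-attribute mapping.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical info-only LDAP module (not csmjaas-1.0). It never binds with the user's
 * password: an earlier module (Krb5LoginModule) authenticates, and in commit() this one
 * looks up directory attributes for that principal. No Kerberos principal: fail closed.
 */
public class InfoOnlyLdapLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> options;
    private Map<String, String> userInfo;   // what we added, so logout() can remove it

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.options = options;
    }

    /** Nothing to authenticate here; refuse to run in any mode other than info-only. */
    @Override
    public boolean login() throws LoginException {
        if (!"true".equals(options.get("ldapInfoOnly")))
            throw new LoginException("this module only supports ldapInfoOnly=true");
        return true;
    }

    /** commit() is called in stack order, so Krb5LoginModule has already added its principal. */
    @Override
    public boolean commit() throws LoginException {
        KerberosPrincipal kp = subject.getPrincipals(KerberosPrincipal.class).stream()
                .findFirst().orElseThrow(() -> new LoginException(
                        "no Kerberos principal: an authenticating module must precede this one"));
        String uid = kp.getName().split("@", 2)[0];  // "jim@NET.YALE.EDU" -> "jim" (assumed = LDAP uid)
        userInfo = lookup(uid);
        subject.getPublicCredentials().add(userInfo);
        return true;
    }

    /** Anonymous read of the phone book; no user credential is ever sent to LDAP. */
    private Map<String, String> lookup(String uid) throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("ldapHost"));
        String filter = "(" + options.get("ldapUserIdLabel") + "=" + escapeFilterValue(uid) + ")";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        Map<String, String> info = new HashMap<>();
        try {
            DirContext ctx = new InitialDirContext(env);
            try {
                NamingEnumeration<SearchResult> hits =
                        ctx.search((String) options.get("ldapSearchableBase"), filter, sc);
                if (!hits.hasMore()) throw new LoginException("no directory entry for " + uid);
                SearchResult entry = hits.next();
                // Every USER_* option maps a CSM attribute name to an LDAP attribute name.
                for (Map.Entry<String, ?> opt : options.entrySet()) {
                    if (!opt.getKey().startsWith("USER_")) continue;
                    Attribute a = entry.getAttributes().get((String) opt.getValue());
                    if (a != null) info.put(opt.getKey(), (String) a.get());
                }
            } finally {
                ctx.close();
            }
        } catch (NamingException e) {
            throw new LoginException("directory lookup failed: " + e.getMessage());
        }
        return info;
    }

    /** RFC 4515 escaping so a crafted principal name cannot change the search filter. */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override public boolean abort() { userInfo = null; return true; }
    @Override public boolean logout() {
        if (userInfo != null) subject.getPublicCredentials().remove(userInfo);
        return true;
    }
}
```

To try it, reference the class from ~/.java.login.config in place of edu.yale.med.krauthammerlab.csm.LDAPLoginModule, keeping Krb5LoginModule as the first required entry. Because both entries are required, a failed Kerberos login still fails the whole AUTHNSVC login, and the info-only module throws rather than silently succeeding when no KerberosPrincipal is present, so it cannot become an unauthenticated side door.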

HOWTO (on Linux, at least) (cont.)
Ask Steve Langella really nicely to add you to the training grid.

Future Directions
- Integrate the patch back into CSM.
- Enable the Kerberos extension in the installer.
- Use the patch as an example of how to create a custom AuthenticationService LoginModule.