uPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University

Portal authentication
Portals need to authenticate users
– To provide customized content
– To restrict portal-accessible resources
Portals also need access to third-party resources “as the user”
– “n-tier” authentication
– Single sign-on

Aggregating content → aggregating authentication (diagram: before and after)

What we will cover
1. How does uPortal authenticate users in the first place?
2. What is the N-tier authentication problem?
3. How does Yale’s model, CAS (Central Authentication Service), solve the problem?

uPortal’s pluggable security-context mechanism
Authentication support in uPortal is manifested through ISecurityContext:
– Key functions:
  - Accept IPrincipal
  - Accept IOpaqueCredentials
  - Authenticate user
  - Return true/false (and optionally more)

uPortal’s authentication infrastructure: advantages
Flexibility
– Adapts to nearly any back-end campus authentication solution, e.g.:
  - Kerberos (4, 5)
  - LDAP “authentication”
  - Unix password file (small-scale)
  - Server-based authentication (“trust”)
– Supports “chaining” providers to establish more than one context.

ChainingSecurityContext
Allows for a chain or a tree of providers to be called
Originally envisioned as acquiring multiple credentials at sign-in
– For example: a database connection, an LDAP initial context or a Kerberos TGT
Has not turned out to be the enabling component for single sign-on

UnionSecurityContext
Can sit at the top of the tree of chaining providers and present the isAuthenticated status and credentials of the first provider in the chain to succeed
A portal property determines whether to continue calling the remaining providers once one has succeeded
(diagram: Union Provider at the top, with a Simple Provider (password) and a CAS Provider beneath it)
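The security-context mechanism of the last three slides (a context that accepts a principal and opaque credentials and answers true/false, a chaining context that consults several providers, and a union context that reports the first provider to succeed) can be modelled in a few dozen lines. The block below is an added example written for this page, not uPortal’s own Java code; the provider names, the check functions, the constructed password table and the stop_when_authenticated switch (standing in for the portal property the slide mentions) are assumptions made for illustration.

```python
"""Chaining and union security contexts, modelled in Python.

Added example, not uPortal's Java code: a toy version of the pattern the
slides describe. The provider names, the check functions, the constructed
password table and the ``stop_when_authenticated`` switch (standing in for
the portal property the slide mentions) are assumptions for illustration.
"""
from typing import Callable, List, Optional

Check = Callable[[str, str], bool]


class SecurityContext:
    """Minimal analogue of ISecurityContext: accept a principal and opaque
    credentials, authenticate, and report the outcome."""

    def __init__(self, auth_type: str, check: Check):
        self.auth_type = auth_type
        self._check = check
        self.authenticated = False
        self.principal: Optional[str] = None
        self.calls = 0          # how often this provider was consulted

    def authenticate(self, principal: str, credentials: str) -> bool:
        self.calls += 1
        self.authenticated = self._check(principal, credentials)
        self.principal = principal if self.authenticated else None
        return self.authenticated


class ChainingSecurityContext(SecurityContext):
    """Consults sub-contexts in order (a chain, or a tree if a sub-context
    chains in turn). Succeeds if any sub-context succeeds."""

    def __init__(self, auth_type: str, stop_when_authenticated: bool = True):
        super().__init__(auth_type, lambda _p, _c: False)
        self.sub_contexts: List[SecurityContext] = []
        self.stop_when_authenticated = stop_when_authenticated

    def add_sub_context(self, ctx: SecurityContext) -> None:
        self.sub_contexts.append(ctx)

    def authenticate(self, principal: str, credentials: str) -> bool:
        self.calls += 1
        self.authenticated, self.principal = False, None
        for ctx in self.sub_contexts:
            if ctx.authenticate(principal, credentials) and not self.authenticated:
                self.authenticated, self.principal = True, ctx.principal
            if self.authenticated and self.stop_when_authenticated:
                break               # remaining providers are never consulted
        return self.authenticated


class UnionSecurityContext(ChainingSecurityContext):
    """Sits at the top of the tree and presents the status and identity of
    the first provider in the chain to succeed."""

    def __init__(self, stop_when_authenticated: bool = True):
        super().__init__("union", stop_when_authenticated)

    def effective_auth_type(self) -> Optional[str]:
        for ctx in self.sub_contexts:
            if ctx.authenticated:
                return ctx.auth_type
        return None


# Constructed sample providers; real ones would consult a password store or
# validate a CAS service ticket with the CAS server.
_PASSWORDS = {"alice": "correct horse"}


def simple_check(principal: str, credentials: str) -> bool:
    return _PASSWORDS.get(principal) == credentials


def cas_check(_principal: str, credentials: str) -> bool:
    # Stand-in only: a real CAS provider sends the ticket to CAS for
    # validation instead of trusting its shape.
    return credentials.startswith("ST-")


def build_union(stop_when_authenticated: bool = True) -> UnionSecurityContext:
    union = UnionSecurityContext(stop_when_authenticated)
    union.add_sub_context(SecurityContext("simple", simple_check))
    union.add_sub_context(SecurityContext("cas", cas_check))
    return union


if __name__ == "__main__":
    u = build_union()
    print(u.authenticate("alice", "correct horse"), u.effective_auth_type())
```

With the stop switch on, a password accepted by the simple provider means the CAS provider is never consulted; with it off, every provider in the chain runs and the union still reports the first one that succeeded. Either way a channel asking the union context learns only a principal and a boolean, which is the point of the next slides: nothing here gives a channel the user’s password.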

N-tier authentication (diagram: portal and channel)

uPortal’s authentication infrastructure: disadvantages
Limitations
– Provides a unified authentication “gate,” but no extra portal-specific functionality. No single sign-on.
– Just a model: does little work itself.
– But… can be wrenched to cache passwords: NotSoOpaqueCredentials extends IOpaqueCredentials with String getCredentials(), which hands back the raw password (not particularly secure).

Caching Security Provider
A way to replay passwords by giving channels access to them
Not the best idea
– May expose the password to insecure use by channels
– Participating applications have less security than before
– If the portal is compromised, users’ primary credentials are compromised

Password caching (diagram: the portal holds the user’s password (PW) and each channel replays it to its password-protected service, so copies of the password spread across the portal, the channels and the services)

Given the drawbacks of caching and re-using passwords, what’s a better approach?
How can a web-based single sign-on system really work?

Web-based single sign-on
Why is this problem different from existing single sign-on systems?
– Limited client support
Yale’s model is called CAS (Central Authentication Service). The model is based (loosely) on Kerberos.
– “100% Pure Java”
– Pluggable back-end
– Available through the JA-SIG Clearinghouse
– Thank you to Shawn Bayern
Other models: Liberty, Pubcookie (Washington), MACE WebISO, Passport

CAS in a nutshell (diagram: browser, CAS, web application)
– The browser authenticates to CAS via password (once)
– The browser authenticates to the web application without sending a password
– The web application determines the validity of the user’s claimed authentication with CAS

Primary benefits of CAS
– Works with existing authentication infrastructures, such as Kerberos
– Can be used by nearly any Web-application development environment (JSP, Servlets, ASP, Perl, mod_perl, PHP, Python, PL/SQL, and so forth), or as a server-wide Apache module
– Allows “proxy” authentication for Web portals
– Lets users authenticate securely to untrusted sites (e.g., student-run sites and third-party vendors) without supplying a password directly
– Is portable (written in Java: Servlets, JSP, and JSTL)
– Is freely available from Yale (with source code)

How CAS actually works (diagram: web browser, CAS, web resource; CAS issues a service ticket (ST) to the browser, the browser presents the ST to the web resource, and the web resource validates the ST with CAS)

Back to the N-tier problem
uPortal can authenticate users securely with CAS.
But it does not have first-hand knowledge of users’ credentials.
This is a good thing…
– Except that uPortal can’t impersonate the user in order to acquire secure data for the user.

CAS’s solution: proxiable credentials
1. During validation of the ST, an application acquires a proxy-granting ticket (PGT) from CAS
2. When the application needs access to a resource, it uses the PGT to get a proxy ticket (PT)
3. The application sends the PT to a back-end application
4. The back-end application confirms the PT with CAS, and also gains information about who proxied the authentication

Proxiable credentials illustrated (diagram: IMP obtains an ST from CAS and, while validating it, a PGT; it redeems the PGT for a PT and presents the PT to the IMAP server; the server’s CAS PAM module validates the PT with CAS and receives the username and the identity of the web resource that proxied)

CAS Security Provider
Uses CAS for primary authentication
Uses the CAS ProxyTicketReceptor servlet to receive the PGT, to be redeemed later
Exposes a public method to channels to get a proxy service ticket for a particular service
The back-end system must be configured to validate and accept proxy credentials from uPortal

uPortal with CAS Provider (diagram: CAS issues an ST to the portal; the CAS security context validates it and receives a PGT IOU, while the CAS ticket receptor servlet receives the PGT; a channel calls getCasServiceToken / getProxyTicket(pgtIou, service) to obtain a PT for a resource; the resource validates the PT with CAS and receives the username and the identity of the proxy (the portal))

Characteristics of CAS’s solution
Back-end applications maintain control over their data
– For instance, an IMAP server may assert, “The only web-based application I trust is …”
– Default: no proxies allowed!
User logout or timeout destroys subordinate credentials
– The user must be “present” for proxied authentication to occur.
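The four proxy steps listed above, the back-end trust policy on this slide, and the contrast with the earlier password-caching slides can be walked through in one simulation. The block below is an added example written for this page, not CAS’s or uPortal’s own code: a toy CAS server, the portal’s side of the exchange, and a back-end that decides which proxies it trusts. The user table, the service URLs, and the PGT delivery (returned directly to the caller instead of being posted to the application’s pgtUrl callback and matched by PGT IOU) are assumptions made for illustration, and everything runs as local function calls where real CAS uses HTTPS requests.

```python
"""CAS-style service and proxy tickets, simulated in one process.

Added example, not CAS or uPortal code. The user table, the service URLs and
the direct PGT hand-over (no pgtUrl callback or PGT IOU) are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Ticket:
    kind: str                          # "TGT", "ST", "PGT" or "PT"
    user: str
    service: str = ""                  # service an ST/PGT/PT is bound to
    parent: Optional[str] = None       # TGT for ST and PGT; PGT for PT
    proxies: List[str] = field(default_factory=list)  # proxy chain of a PT
    used: bool = False                 # ST and PT are single-use


class CasServer:
    """Issues random tickets bound to a service and to the session (TGT)
    that created them, and validates each ST or PT exactly once."""

    def __init__(self, users: Dict[str, str]):
        self._users = users                   # constructed user/password table
        self._tickets: Dict[str, Ticket] = {}

    def _issue(self, kind, user, service="", parent=None, proxies=()):
        tid = f"{kind}-{secrets.token_urlsafe(12)}"
        self._tickets[tid] = Ticket(kind, user, service, parent, list(proxies))
        return tid

    def login(self, user: str, password: str) -> Optional[str]:
        """The password goes to CAS once; the result is a session (TGT)."""
        if self._users.get(user) != password:
            return None
        return self._issue("TGT", user)

    def service_ticket(self, tgt: str, service: str) -> Optional[str]:
        t = self._tickets.get(tgt)
        if t is None or t.kind != "TGT":
            return None
        return self._issue("ST", t.user, service, parent=tgt)

    def _consume(self, tid, kind, service) -> Optional[Ticket]:
        t = self._tickets.get(tid)
        if t is None or t.kind != kind or t.service != service or t.used:
            return None
        t.used = True
        return t

    def service_validate(self, st, service, want_pgt=False) -> Optional[Tuple[str, Optional[str]]]:
        """/serviceValidate: the application checks the ST it was handed.
        want_pgt plays the role of pgtUrl in the real protocol."""
        t = self._consume(st, "ST", service)
        if t is None:
            return None
        pgt = self._issue("PGT", t.user, service, parent=t.parent) if want_pgt else None
        return t.user, pgt

    def proxy(self, pgt: str, target: str) -> Optional[str]:
        """/proxy: redeem a PGT for a PT bound to the back-end service."""
        t = self._tickets.get(pgt)
        if t is None or t.kind != "PGT":
            return None
        return self._issue("PT", t.user, target, parent=pgt, proxies=[t.service])

    def proxy_validate(self, pt, service) -> Optional[Tuple[str, List[str]]]:
        """/proxyValidate: the back-end learns the user and who proxied."""
        t = self._consume(pt, "PT", service)
        return None if t is None else (t.user, list(t.proxies))

    def logout(self, tgt: str) -> None:
        """Ending the session destroys every subordinate ticket as well."""
        doomed = {tgt}
        while True:
            more = {tid for tid, t in self._tickets.items()
                    if t.parent in doomed and tid not in doomed}
            if not more:
                break
            doomed |= more
        for tid in doomed:
            self._tickets.pop(tid, None)


class BackEnd:
    """A back-end (an IMAP server behind a CAS PAM module, say) that decides
    for itself which web applications may proxy to it. Default: none."""

    def __init__(self, cas: CasServer, service: str, allowed_proxies=()):
        self.cas, self.service = cas, service
        self.allowed = set(allowed_proxies)

    def accept(self, pt: str) -> Optional[str]:
        result = self.cas.proxy_validate(pt, self.service)
        if result is None:
            return None
        user, proxies = result
        if any(p not in self.allowed for p in proxies):
            return None      # an untrusted proxy stood between user and back-end
        return user


def portal_fetches_for_user(cas, backend, tgt, portal_url) -> Optional[str]:
    """The portal's side: ST -> validate and obtain PGT -> PT -> back-end."""
    st = cas.service_ticket(tgt, portal_url)
    validated = cas.service_validate(st, portal_url, want_pgt=True)
    if validated is None:
        return None
    _user, pgt = validated
    pt = cas.proxy(pgt, backend.service)
    return backend.accept(pt) if pt else None
```

The back-end never sees the user’s password, only a single-use PT bound to its own service plus the chain of proxies that obtained it, so it can refuse the portal by leaving its allow-list empty, which is the default here as on the slide. Tickets are tied to the service they were issued for and can be validated once, and logout removes the PGT and everything issued from it, so a channel cannot keep proxying after the user has gone.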

uPortal at Yale: a very brief demo

CAS at Yale
Used by systems in support of students and administrators
– Used occasionally by unprivileged students
Mostly Java and Perl; some ASP, PHP
Apache module used widely
Proxy authentication: incipient deployment
– PAM module to be used with servers
– uPortal deployment using proxy to LMS and …

Finally
Some words from others about experience with CAS in uPortal
Questions?
URL for CAS distribution and uPortal provider: