Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006

Nov. 3, 20062http://myproxy.ncsa.uiuc.edu/sessions/ Idea Goal: enable “web” single sign-on (SSO) for non-web applications Restriction: utilize the available authentication protocols for all applications involved Requirement: minimize exposure of a user’s long-term authentication credentials (e.g. private password)

Nov. 3, 20063http://myproxy.ncsa.uiuc.edu/sessions/ Related SSO Solutions Kerberos –Issues cryptographic software tokens –Can integrate with Java via GSS-API –But, underlying application must be modified to understand the Kerberos protocol Session cookies –JSESSIONID allows JWS application to “inherit” the browser’s security context –But, security context only valid with the web server initially contacted Browser-based SSO –Examples: Microsoft’s Passport, Pubcookie, and Shibboleth –But, not useful in non-browser applications such as JWS

Nov. 3, 20064http://myproxy.ncsa.uiuc.edu/sessions/ Motivation Real-world development effort: MAEviz Three main components –Web portal / application server –Data server –Java Web Start visualization application Web portal and Data server use password-based authentication Portal and JWS application do not share a session context

Nov. 3, 20065http://myproxy.ncsa.uiuc.edu/sessions/ Scenario User connects to grid portal –Username/password authentication Portal connects to data server for listing –Also username/password authentication Web portal launches JWS application –JWS appl authenticates to data server Desire: user authenticates only once –The goal of Single Sign-On (SSO)

Nov. 3, 20066http://myproxy.ncsa.uiuc.edu/sessions/ Portal + Java Web Start (1) Login (2) Data Request (3) Data (4) JNLP (5) Data Request (6) Render Data

Nov. 3, 20067http://myproxy.ncsa.uiuc.edu/sessions/ MAE Center Portal

Nov. 3, 20068http://myproxy.ncsa.uiuc.edu/sessions/ MAEviz JWS Application

Nov. 3, 20069http://myproxy.ncsa.uiuc.edu/sessions/ Multiple Protocols Portal server is Sakai –Web browser front-end –Web services (Axis), JSP, Java back-end Data server is SAM –WebDAV server –Metadata Mgmt. and Notebook Services MAEviz application is JWS –Launched via JNLP file –Distinct from web browser session How to effect a shared security session?

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Password Authentication Good news – all components understand username/password authentication Obvious solution – pass around the user’s name and password Bad news – don’t want to expose user’s long-lived password Solution – use short-lived “session passwords” instead

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Session Passwords Associate multiple short-lived “session” passwords with a given username Can be used in lieu of a user’s long-lived password Expire after a few hours Use an external authentication service Allow for a “password based” SSO solution

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Solution: MyProxy Originally used for X.509 credential storage and retrieval Can also be configured as a Certificate Authority (CA) to issue credentials Server configuration option allows for storage and retrieval of any number of session passwords for a user Multiple external authentication –PAM and SASL

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Creating Session Password (1) Username & Password (2) Authn U/P (3) Credential (4) Generate P ’ (5) Put(Cred,U,P ’ ) (5) Cred

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Using Session Password (1) Username & Session P ’ assword (2) Authn U/P ’ (3) Cred / Authn OK (2) Cred

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ MyProxy Configuration Checks all stored credentials –When authenticating a password, ALL credentials for a given username on the MyProxy server are checked for a match Falls back to external authentication –If no password match to stored credentials, MyProxy falls back to external authentication methods (e.g. PAM) Result: MyProxy authenticates a user’s original long-lived password AND any session passwords

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ (12) U/P ’ Authn (8) U/P ’ Authn (6) Cred (12) Cred / Authn OK (8) Cred / Authn OK (3) U/P Authn MyProxy Single Sign-On (1) U/P (2) U/P (9) Data (10) JNLP w/ U/P ’ (11) U/P ’ (13) Render Data (4) Cred (5) Generate P ’ (6) Put(Cred,U,P ’ ) (7) U/P ’ (8) U/P ’ Authn (12) U/P ’ Authn (12) Cred (8) Cred

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Security Concerns JNLP File on multi-user systems –Downloaded to user’s local file system –Not deleted upon session exit –Might have permissive umask setting –Only solution is “user education” Session passwords have a finite lifetime –Client can also explicitly destroy a session password before it expires

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Conclusion Enable SSO for legacy applications Client creates any number of “session passwords” for a username stored on a MyProxy server Session passwords are passed among clients/programs Clients need only understand username/password authentication

Nov. 3, http://myproxy.ncsa.uiuc.edu/sessions/ Acknowledgements National Center for Supercomputing Applications (NCSA) –Funded by the NSF (National Science Foundation) under Grant No.SCI Mid-America Earthquake (MAE) Center –Funded by the NSF (National Science Foundation) under Grant No.EEC Additional thanks to –Jim Myers and Kevin Price, at NCSA