Open-source Single Sign-On with CAS (Central Authentication Service) it does work! CAS Cette présentation est le fruit du groupe de travail qui traite du Single Sign-On et des autorisations au sein du projet ESUP-Portail (ce groupe associe des développeurs des universités de Nancy 1, Nancy 2, Rennes 1, Toulouse 3 et Valenciennes). Le single Sign-On, dont on a déjà largement parlé au cours de ces JRES (présentation des ENT + Olivier Salaun), a été une des premières préoccupations du projet ESUP-Portail. Il y a environ un an, le projet a évalué les solutions de Single Sign-On existantes dans le monde libre. L’objectif de cette présentation est de vous faire comprendre ce qu’est CAS (comment il marche). Si nous y réussissons, vous comprendrez alors certainement pourquoi CAS a été choisi comme le SSO du projet ESUP-Portail. Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004-2005 – ESUP-Portail consortium
Open-source Single Sign-On with CAS Why SSO? The main principles of web SSO The choice of CAS CAS (Central Authentication Service) How does it work? How to CAS-ify applications Web applications Non-web applications Limits The effort of the ESUP-Portail consortium around CAS Perspectives
Let’s fight generally accepted ideas! “Facing the growing number of passwords, Single Sign-On increases the security policy of firms and users’ comfort.” Well, yes, but…
Let’s fight generally accepted ideas! “SSO to federate authentication”
Let’s fight generally accepted ideas! “SSO is a suite of tools that memorizes passwords for users and provide them to applications” No, not at all!
Let’s fight generally accepted ideas! “SSO is generally deployed as a rest, after a centralized user directory and a unique entry point for the IS have been set up. SSO is then a modest project, easily developed in-house.” We must have missed something ;-)
Why Single Sign-On? Unique accounts but several authentications Each time users access an application Security (password stealing) Protect password transmission Do not transmit passwords to applications Simplify applications Delegate developments without delegating authentication Abstract authentication LDAP, NIS, database, NT, Active Directory, X509 certificates, …
SSO: the user’s point of view web browser app. #1 app. #2 app. #3 with SSO service service app. #1 app. #2 app. #3 web browser without SSO
SSO: principles on the web Authentication is centralized One (redundant) authentication server Transparent HTTP redirections From applications to the authentication server (when not authenticated) From the authentication server to applications (when authenticated) Tokens propagate identities Cookies, CGI parameters
CAS: why did we choose it? Security Password is never transmitted to applications Opaque tickets are used N-tier installations Without transmitting any password! Portability (client libraries) Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules Permanence Developed by Yale University World-wide used (mainly Universities) Adopted by all the French educational community J2EE platform Very light code (about 1000 lines) Open source Integrated into uPortal
CAS: why did we choose it? user database user database service web browser app. #1 app. #2 app. #3 with CAS service app. #1 app. #2 app. #3 authentication server netId password netId password web browser without SSO
CAS: why did we choose it? user database user database service service app. #1 app. #2 app. #3 app. #1 app. #2 app. #3 authentication server netId password netId password web browser web browser without SSO with CAS
User authentication CAS server HTTPS web browser
User authentication TGC: Ticket Granting Cookie user database CAS server TGC netId password HTTPS TGC: Ticket Granting Cookie User’s passport to the CAS server Private and protected cookie (the only one used by CAS, optional) Opaque re-playable ticket web browser TGC
Accessing an application after authentication ST: Service Ticket Browser’s passport to the CAS client (application) Opaque and non re-playable ticket Very limited validity (a few seconds) ID application CAS server ST ST TGC ST HTTPS web browser TGC
Accessing an application after authentication ST: Service Ticket Browser’s passport to the CAS client (application) Opaque and non re-playable ticket Very limited validity (a few seconds) ID application CAS server ST ST TGC ST HTTPS Redirections are transparent to users web browser TGC
Accessing an application without authentication CAS server Authentication form HTTPS web browser
Accessing an application without authentication ID application CAS server ST ST ST TGC netId password HTTPS No need to be previously authenticated to access an application web browser TGC
Remarks Once a TGC acquired, authentication is transparent for the access to any CAS-ified application of the workspace Once authenticated by an application, a session should be used between the browser and the application
Authenticating users with CAS CAS authentication left to administrators ESUP-Portail CAS Generic Handler Mixed authentication XML configuration LDAP directory database NIS domain X509 certificates Kerberos domain Windows NT domain flat files CAS server
Using the ESUP-Portail CAS GH <authentication debug="on"> <handler> <classname> org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler </classname> <config> <filter>uid=%u,ou=people,dc=esup-portail,dc=org</filter> <server> <url>ldap://ldap.esup-portail.org</url> </server> </config> </handler> org.esupportail.cas.server.handlers.nis.NisHandler <domain>ESUP-PORTAIL</domain> <encryption>pammd5</encryption> <host>nismaster.esup-portail.org</host> <host>nisslave.esup-portail.org</host> </authentication>
CAS-ifying a web application Use provided libraries Add a few lines of code Note: you can also protect static resources With mod_cas, an Apache module
CAS-ifying a web application An example using phpCAS (ESUP-Portail) <?php // include phpCAS library include_once('CAS/CAS.php'); // declare our script as a CAS client phpCAS::client(CAS_VERSION_2_0,'auth.univ.fr',443,''); // redirect to the CAS server if needed phpCAS::authenticateIfNeeded(); // at this point, the user is authenticated ?> <h1>Successfull Authentication!</h1> <p>User's login: <?php echo phpCAS::getUser(); ?>.</p>
N-tier installations PGT: Proxy Granting Ticket service CAS server ID PGT ST PGT application (CAS proxy) ST PGT: Proxy Granting Ticket Application’s passport for a user to the CAS server Opaque and re-playable ticket web browser TGC
N-tier installations PT : Proxy Ticket PGT: Proxy Granting Ticket service ID PT PT PT : Proxy Ticket Application’s passport for a user to a tier service Opaque and non re-playable ticket Very limited validity CAS server PT PGT PGT application (CAS proxy) ST PGT: Proxy Granting Ticket Application’s passport for a user to the CAS server Opaque and re-playable ticket web browser TGC
CAS-ifying a non web application One of the strongest points of CAS Use the pam_cas PAM module Example of PAM configuration: auth sufficient /lib/security/pam_ldap.so auth sufficient /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_cas.so
The pam_cas PAM module Pam_cas authenticates users with a CAS ticket login/password login/ticket client application client application server application login/password pam_ldap login/password pam_pwdb LDAP directory pam_cas ticket /etc/passwd CAS server Pam_cas authenticates users with a CAS ticket
CAS-ifying an IMAP server Objectives Access an IMAP server from a web application that does not know the password of the user connected Let traditional mail clients authenticate “normally” (with a password) Do not modify the IMAP server The solution: pam_cas :-)
CAS-ifying an IMAP server web browser traditional mail client login / password ST login / PT CAS-ified webmail (CAS proxy) IMAP server login / password pam_ldap login / password pam_pwdb LDAP directory pam_cas PT /etc/passwd CAS server
CAS-ifying Cyrus IMAPd traditional mail client login / password login / PT CAS-ified webmail (CAS proxy) ST web browser Cyrus imapd sasl pam_ldap login / password pam_pwdb PT pam_cas LDAP directory /etc/passwd CAS server
CAS-ifying Cyrus IMAPd traditional mail client login / password login / PT CAS-ified webmail (CAS proxy) ST web browser Cyrus imapd Unix socket Cyrus IMAP daemon sasl_authd daemon Cache efficiency: 95% sasl sasl_authd cache pam_ldap login / password pam_pwdb PT pam_cas LDAP directory /etc/passwd CAS server
Limits CAS deals with authentication, not authorization No redundancy No native load-balancing (but low load) No fault-tolerance (but very good reliability) No Single Sign-Off A very poor documentation
The effort of the ESUP-Portail consortium Writing documentation Adding libraries (phpCAS, esup-mod_cas, esup-pam_cas) Adding features to the CAS server Authentication handlers (LDAP, NIS, files, databases, NT domains, …) Mixed authentication Authentication debug mode Rendering customization (appearance, internationalization) CAS quick start (Jakarta Tomcat + Yale CAS server + CAS GH) Supporting the French CAS community Through forums and mailing lists
Now, what to do first (requirements)? Data organization The Information System should be well-formed Small technical problems, big political issues Data storage A standard way to store users (an Excel sheet is no standard ;-) Competences Web technologies PKI (CRU) Voluntary policy Is security a real concern?
So, what next? Add new authentication modes Make establishments cooperate Propagate user attributes (namely or anonymously) Shibboleth, Liberty Alliance CAS is now a JASIG project Share your experience!
Note this! CRU is starting a circle of trust (federation project) among the French educational community Comité Réseau des Universités (http://www.cru.fr) Authenticate at university level Authorize at resource level by relying on propagated attributes Many questions, a few answers only at this time Compare Shibboleth and Liberty Alliance Test existing solutions Study if CAS can be used with Shibboleth, and how Can LASSO implement a WAYF service? Would LASSO replace CAS? A goal Show how it is possible for establishments to cooperate securely
Enjoy CAS!