TNC2004 Rhodes: Authentication and access control in Sympa mailing list manager. Serge Aumont & Olivier Salaün, May 2004.

Presentation transcript:


Slide 2: Yet another mailing list manager
– CRU (French higher education network technical team)
– Scalability (kilo-lists, mega-subscribers)
– Advanced features (subscriber preferred mail format, list document repository, …)
– Interfaces: mail robot, web and SOAP
– A full service web portal, including administration at list and robot level
– Virtual hosting
– Internationalized (14 languages)
– Dynamic mailing lists extracted from LDAP directories (or SQL servers)

Slide 3: Authentication methods and the interfaces that use them
Authentication method            Interface
Sender confirmation challenge    mail
Password (allocated by mail)     web
LDAP authN backend               web
SSO: CAS                         web & SOAP
SSO: Shibboleth                  web
User certificate                 mail (S/MIME), web (HTTPS)

Slide 4: Multiple authentication methods
We want Sympa open to any user and, at the same time, able to interface with the user's home authentication service when one is available:
– Support multiple authentication services at the same time
– Choose the appropriate authentication server depending on the user's domain, when possible

Slide 5: X509 user authentication
– Web: inherited from the mod_ssl environment variables
– S/MIME signature:
  – Check that the sender and the signer are the same
  – When the mail subject carries a robot command, do not apply the S/MIME authN method, because headers are not part of the signature
  – Uses the "openssl smime" command internally, which does not check certificate status via CRL or OCSP
– Sympa also supports S/MIME encrypted message distribution (it accepts messages encrypted with the list certificate and re-encrypts the message for each subscriber)

Slide 6: Central Authentication Service
– Yale University's web Single Sign-On
– Uses a cookie, redirections and a ticket that must be validated against the CAS server
– Supports proxy credentials: needed for the uPortal Sympa channel
– Not so easy to introduce into Sympa, because CAS was not designed to interoperate with any other authentication system

Slide 7: Sympa interaction with one CAS server (diagram)
– Client -> Sympa -> redirection to CAS: "Is that user authenticated?"
– CAS -> Client -> Sympa: ticket=17429
– Sympa -> CAS: "Who is he?" ticket=17429
– CAS -> Sympa: ID=smith
– Sympa -> LDAP: search for ID=smith
– Sympa -> Client: Welcome

Slide 8: Interaction with multiple CAS servers (diagram)
– Client -> Sympa -> non-blocking redirection to CAS 1: "Is that user authenticated?" -> no
– Client -> Sympa -> non-blocking redirection to CAS 2: "Is that user authenticated?" -> yes, ticket=17429
– Sympa -> CAS 2: "Who is he?" ticket=17429
– CAS 2 -> Sympa: ID=smith
– Sympa -> Client: Welcome

Slide 9: Interaction with a chosen CAS server (diagram)
– Client -> Sympa: WAYF? (the user picks CAS 2)
– Sympa -> redirection to CAS 2: "Is that user authenticated?"
– CAS 2 -> Client: User? Password? -> yes, ticket=17429
– Sympa -> CAS 2: "Who is he?" ticket=17429
– CAS 2 -> Sympa: ID=smith
– Sympa -> Client: Welcome

Slide 10: What happens if one CAS server is out of order?
– Any redirection to it is a dead end for the user
– Configure, for each CAS server, whether non-blocking redirection is enabled
– Ping all CAS servers periodically to detect servers that are down (todo)
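The flow on slides 7 to 10, written out as an added simulation (this is not Sympa's own code, and the CAS server, the service URL, the LDAP directory and the ticket number are constructed for the example). The "non-blocking redirection" is modelled as the CAS gateway mode, in which an unauthenticated user is sent back to the service without a ticket instead of being shown a login form; the per-server switch and the ping from slide 10 decide which servers may be probed at all, so that no browser is redirected into a dead end:

```python
"""Simulated CAS 1.0 login flow, seen from a Sympa-like service (added example).

Not Sympa's own code. Models the exchanges on slides 7 to 10: redirection to
CAS, ticket validation, LDAP lookup of the identifier, the non-blocking
(CAS "gateway") redirection used to probe several CAS servers, the per-server
switch that disables probing, and a ping that marks unreachable servers.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

SERVICE_URL = "https://lists.example.org/sympa/sso_login"   # assumed callback URL
LDAP_DIRECTORY = {"smith": "john.smith@example.org"}        # constructed directory


@dataclass
class FakeCasServer:
    """Constructed stand-in for one CAS server (CAS 1.0 /login and /validate)."""
    name: str
    sessions: dict                  # browser cookie -> user id (the CAS SSO cookie)
    up: bool = True
    tickets: dict = field(default_factory=dict)
    next_ticket: int = 17429        # ticket number reused from the slides

    def login(self, client_cookie, service, gateway=False):
        """Return the URL CAS redirects the browser to, or None for 'show login form'.
        gateway=True is the non-blocking redirection: an unknown user is sent
        straight back to the service without a ticket."""
        if not self.up:
            raise ConnectionError(self.name + " unreachable")   # dead end for the browser
        user = self.sessions.get(client_cookie)
        if user is None:
            return service if gateway else None
        ticket = "ST-%d" % self.next_ticket
        self.next_ticket += 1
        self.tickets[ticket] = (user, service)
        return service + "?" + urlencode({"ticket": ticket})

    def validate(self, ticket, service):
        """CAS 1.0 /validate reply: 'yes\\n<id>\\n' once per ticket, else 'no\\n\\n'."""
        if not self.up:
            raise ConnectionError(self.name + " unreachable")
        entry = self.tickets.pop(ticket, None)          # tickets are single use
        if entry is None or entry[1] != service:
            return "no\n\n"
        return "yes\n%s\n" % entry[0]


@dataclass
class CasConfig:
    """Sympa-side settings for one CAS server (slide 10's per-server switch)."""
    server: FakeCasServer
    non_blocking_redirection: bool = True
    reachable: bool = True          # refreshed by ping_cas_servers()


def ping_cas_servers(configs):
    """Periodic check (the slides' 'todo'): mark servers that do not answer.
    Returns the names of the servers that are reachable."""
    for cfg in configs:
        cfg.reachable = cfg.server.up
    return [cfg.server.name for cfg in configs if cfg.reachable]


def validate_ticket(cfg, redirect_url):
    """Extract ?ticket= from the URL the browser came back with and validate it
    against the issuing server. Returns the user id asserted by CAS, or None."""
    query = parse_qs(urlparse(redirect_url).query)
    if "ticket" not in query:
        return None
    reply = cfg.server.validate(query["ticket"][0], SERVICE_URL).split("\n")
    return reply[1] if reply[0] == "yes" else None


def resolve_email(user_id):
    """'Search for ID=smith' in LDAP: map the CAS identifier to a mail address."""
    return LDAP_DIRECTORY.get(user_id)


def probe_cas_servers(client_cookie, configs):
    """Slide 8: ask every eligible CAS server 'is that user authenticated?' with a
    non-blocking redirection; the first server that issues a ticket wins.
    Returns (email, server name), or None when no server knows the user."""
    for cfg in configs:
        if not (cfg.non_blocking_redirection and cfg.reachable):
            continue                                    # never redirect into a dead end
        back = cfg.server.login(client_cookie, SERVICE_URL, gateway=True)
        user_id = validate_ticket(cfg, back)
        if user_id is not None:
            return resolve_email(user_id), cfg.server.name
    return None


def login_via_chosen_server(client_cookie, cfg):
    """Slide 9: the user picked a server on the WAYF page, so a blocking
    redirection is used; None means CAS is now showing its password form."""
    back = cfg.server.login(client_cookie, SERVICE_URL, gateway=False)
    if back is None:
        return None
    user_id = validate_ticket(cfg, back)
    return None if user_id is None else (resolve_email(user_id), cfg.server.name)


if __name__ == "__main__":
    cas1 = FakeCasServer("CAS 1", sessions={})
    cas2 = FakeCasServer("CAS 2", sessions={"cookie-42": "smith"})
    cas3 = FakeCasServer("CAS 3", sessions={"cookie-42": "smith"}, up=False)
    configs = [CasConfig(cas3), CasConfig(cas1), CasConfig(cas2)]
    print("reachable:", ping_cas_servers(configs))
    print("probe:", probe_cas_servers("cookie-42", configs))
```

The ticket is validated server-to-server, never trusted from the browser, and each ticket is accepted once; the second `validate` call for the same ticket answers "no". A server that is down is excluded before any redirection, which is exactly the gap the "ping (todo)" item on slide 10 is meant to close.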

Slide 11: What about "CAS logout"?
– Sympa stores the authentication method that was used, in order to offer the appropriate logout button
– Sympa erases its own session cookie and redirects the user to the CAS logout URL
– CAS has some shortcomings regarding logout: there is no central logout service

Slide 12: Sympa login page (screenshot); labels: link to use HTTPS; basic password login with the Sympa database backend or some LDAP servers; WAYF

Slide 13: Authentication/Authorization architecture (diagram)
– Authentication: X509, internal DB, LDAP, CAS, Shibboleth
– User attribute management: internal user attributes, Shibboleth
– Access control: AuthZ scenario engine

Slide 14: Managing access control in Sympa
– Separated from the authentication process (so it also applies to unauthenticated users)
– Configured for each list and each feature (subscribe, send, review, visibility, …)
– Behaviour is extensible through authorization scenarios (about 100 are distributed with Sympa)
– Authorization is applied the same way on all three interfaces (mail, web, SOAP)

Slide 15: Authorization scenarios
– Sympa's native ACL, kept separate from the code
– A scenario is evaluated to grant (or deny) access to a feature of Sympa
  – this lets the web interface adapt closely to the user's profile (inaccessible features are not advertised)
– A scenario is made of ordered rules
– A rule is made of:
  – a condition
  – an authentication method
  – an action (decision)
– Conditions can use LDAP user attributes

Slide 16: A sample authorization scenario for message distribution
Expected behaviour:
– Private mailing list
– Moderated for multipart messages
– S/MIME (or HTTPS) authentication required for moderators

is_editor([list->name],[sender]) md5,smime -> do_it
!is_subscriber([list->name],[sender]) smtp,md5,smime -> reject
match([msg_header->Content-type],/multipart/) smtp,md5,smime -> editor
true() smtp,md5,smime -> do_it

Note that:
– The scenario is evaluated line by line
– Scenario evaluation stops when a condition is matched
– md5 means: the sender's address has been verified with an md5 challenge

Slide 17: Shibboleth architecture
– Developed by Internet2
– Glue between local Single Sign-On servers, providing inter-institutional sharing of web resources
– The Shibboleth architecture is made of 3 components:
  – Origin: installed in the user's home organisation; front-end to the local authN system and attribute database
  – Target: installed in front of a web resource to control access to it; communicates with origin components
  – WAYF (Where Are You From): the central component shared by a group of organisations; guides users to the origin component of their home organisation

Slide 18: Shibboleth and Sympa: usage and prerequisites
Usage:
– Building inter-institutional mailing lists with a strict definition of the targeted population
Prerequisites for each institution:
– Local SSO + Shibboleth "target" package
– Common definition of the semantics of user attributes (study branches, staff categories, …)

Slide 19: Shibboleth and Sympa (diagram); labels: Sympa side: public area, restricted area, login, Resource Manager, user attributes; Shibboleth Origin: Attribute Authority, Handle Service; WAYF; Shibboleth Target: SHAR, SHIRE; exchanged: identity, attributes

Slide 20: Access control based on Shibboleth user attributes
Shibboleth user attributes are:
– Inherited via environment variables
– Stored as session data in the Sympa DB
– Used in the authorization scenario engine

Sample scenario rules:
# check if the user is a geology or archeology student
equal([user_attributes->SHIB_STUDY_BRANCH],'geology') md5 -> do_it
equal([user_attributes->SHIB_STUDY_BRANCH],'archeology') md5 -> do_it
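An added evaluator for the rule semantics stated on slides 15, 16 and 20 (not Sympa's own scenario engine): rules are read in order, a rule is only considered when the request's authentication method is in its list, and the first rule whose condition holds decides. Rejecting when no rule applies is this example's assumption, as are the list membership data, the sender addresses and the attribute values, which are constructed inline. Running it shows the point of slide 16: a list editor who sends a multipart message without S/MIME or md5 authentication falls through to the moderation rule instead of the editor shortcut.

```python
"""Evaluator for Sympa-style authorization scenario rules (added example).

Not Sympa's own code. Supported conditions: true(), is_editor, is_subscriber,
match, equal, and the '!' negation prefix, which is enough for the scenarios
shown on slides 16 and 20.
"""
import re

# Constructed list data standing in for Sympa's subscriber and editor tables.
LISTS = {
    "geo-announce": {
        "subscribers": {"alice@example.org", "bob@example.org"},
        "editors": {"alice@example.org"},
    }
}

# The two scenarios from the slides (comments are allowed, as on slide 20).
SEND_SCENARIO = """
is_editor([list->name],[sender]) md5,smime -> do_it
!is_subscriber([list->name],[sender]) smtp,md5,smime -> reject
match([msg_header->Content-type],/multipart/) smtp,md5,smime -> editor
true() smtp,md5,smime -> do_it
"""
SHIB_SCENARIO = """
# check if the user is a geology or archeology student
equal([user_attributes->SHIB_STUDY_BRANCH],'geology') md5 -> do_it
equal([user_attributes->SHIB_STUDY_BRANCH],'archeology') md5 -> do_it
"""

# "<!?><condition>(<args>) <auth,methods> -> <action>"
RULE_RE = re.compile(r"^(!?)(\w+)\((.*)\)\s+([\w,]+)\s*->\s*(\w+)$")


def parse_scenario(text):
    """Turn scenario lines into (negated, condition, args, auth methods, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("bad rule: " + line)
        neg, name, raw_args, methods, action = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
        rules.append((neg == "!", name, args, set(methods.split(",")), action))
    return rules


def resolve(token, context):
    """Expand [list->name], [sender], [msg_header->X], [user_attributes->X];
    anything else is a literal (quotes stripped). Missing values resolve to ''."""
    if not token.startswith("["):
        return token.strip("'\"")
    value = context
    for key in token[1:-1].split("->"):
        value = value.get(key, {}) if isinstance(value, dict) else {}
    return value if isinstance(value, str) else ""


def evaluate_condition(name, args, context):
    """Evaluate one condition against the request context."""
    if name == "true":
        return True
    if name in ("is_editor", "is_subscriber"):
        list_name, who = (resolve(a, context) for a in args)
        role = "editors" if name == "is_editor" else "subscribers"
        return who in LISTS.get(list_name, {}).get(role, set())
    if name == "match":
        return re.search(args[1].strip("/"), resolve(args[0], context)) is not None
    if name == "equal":
        return resolve(args[0], context) == resolve(args[1], context)
    raise ValueError("unknown condition: " + name)


def request_action(rules, context):
    """Slide 16 semantics: line by line, stop at the first matching condition.
    Rules whose auth methods exclude the request's method are skipped.
    Assumption of this example: no applicable rule means 'reject'."""
    for negated, name, args, methods, action in rules:
        if context["auth_method"] not in methods:
            continue
        if evaluate_condition(name, args, context) != negated:
            return action
    return "reject"


def make_context(sender, auth_method, content_type="text/plain", attributes=None):
    """Build the request context the way the rules expect to see it."""
    return {"list": {"name": "geo-announce"}, "sender": sender,
            "auth_method": auth_method,
            "msg_header": {"Content-type": content_type},
            "user_attributes": attributes or {}}


if __name__ == "__main__":
    send = parse_scenario(SEND_SCENARIO)
    for who, auth, ctype in [("alice@example.org", "smime", "multipart/mixed"),
                             ("alice@example.org", "smtp", "multipart/mixed"),
                             ("carol@example.org", "smtp", "text/plain")]:
        print(who, auth, ctype, "->", request_action(send, make_context(who, auth, ctype)))
```

Note the ordering trap that the first-match rule creates: because the `!is_subscriber` reject line comes before the multipart line, an outsider is rejected before moderation is even considered, and a subscriber's message is only moderated when it is multipart. Swapping the lines would change who reaches the editors, which is why scenario files are worth reviewing in the same way as any other access-control policy.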

Slide 21: Conclusion
– Sympa users include French academic institutions and foreign universities; they are driving the developments
– AA development plans:
  – SAML authentication on the SOAP interface
  – Building the "user attributes" layer into the Sympa architecture
  – Validating/introducing Sympa with other Single Sign-On servers…