Web Authentication at Iowa Ed Hill Software Developer The University of Iowa.


Web authentication, Web Camp - June 7th

Who Am I
Ed Hill, Software Developer at The University of Iowa
Manager of the WDS Group in AIS
Projects: ISIS, Admissions, Osiris, Budget, Hawk IRB, various elections, etc…
Background: Java, Unix

Agenda
Authentication 101
Hawk IDs
Active Directory
Security Policies
UI Login Tools (passport): What, Why, How
Q&A and Feedback

Authentication 101
Authentication – the mechanism that verifies that an individual is who they claim to be. Typically done based on something known (a password).
Authorization – the mechanism that determines whether or not to allow access to a particular resource or service.

Hawk IDs
A standard login ID used to access many different services around campus
Before Hawk ID, my login was edhill, ehill, ed_hill, hille, 48006NNNN, etc…
User friendly, readable, public

Hawk IDs - Gotchas
Hawk IDs are not immutable
Hawk IDs are not unique over time
Hawk IDs are not 8 characters long; they are 30 characters long
Thought about your “special” accounts? What if someone has a Hawk ID of “root”, “admin”, etc…?
Don’t use Hawk IDs as primary keys in your application (University ID is a better choice)

Active Directory (AD)
Active Directory (AD) is a directory that supports Windows services and is the directory where the Hawk ID passwords are kept
Before AD and Hawk ID – chaos/anarchy
Post Hawk ID, before AD – one login ID, different passwords for each system
Post Hawk ID / AD – one login ID, one password

Active Directory (AD) - Gotchas
Accessible via LDAP or Kerberos
Login failure messages don’t reveal much
Synchronization among DCs
Multiple GCs, DCs, realms, ohh my…
Which domain “owns” a Hawk ID
The UPN: IOWA\edhill vs edhill

Directories
When someone says “The Directory”, they can mean one of the following:
Active Directory (AD) – authentication, Windows services
Enterprise Directory Service (EDS) – protected LDAP directory that contains business data about people
White Pages / Phonebook – LDAP directory that contains public/published information about people

Security Policies
If you remember just one thing from this presentation… I had nothing to do with the password expiration policy

Security Policies
Strong passwords are enforced (min 6 characters, 2 alpha, 2 numbers, no parts of your name/Hawk ID)
Passwords should not be stored or sent via clear text
Passwords expire after 180 days; can’t reset to a previous password
Proof-of-identity rules before an administrator can reset a person’s password

UI Login Tools - What
UI Login Tools (formerly called UI Passport) provides an authentication service to web applications that sits on top of Active Directory and the UI security policies while insulating the web developer from the details
Uses web-based protocols: browser redirects, HTTP requests
Works with any web development technology: Java, PHP, ASP, Cold Fusion, Perl CGI, etc…

UI Login Tools - Features
Provides a login page via SSL
Validates a user’s Hawk ID / password and communicates any errors to the user
Tells your application the Hawk ID of the person that just logged in
Possibly provides your application with EDS information about the person
Possibly provides Single Sign On (SSO) capabilities to your application

UI Login Tools - Features
Provides an administrative password reset and other utility tools
Can provide a custom login page with your own look and feel
Provides a complete audit trail of logins, password changes, etc…

UI Login Tools - Applications
ISIS, Prof Asst, HR Portal, Mars, Osiris, PCard, PReqs, Skillsoft, Infobank, etc…

UI Login Tools - Why
15 mid-large applications requiring logins
Inter-application trust (ISIS and HR portal)
No two departments use the same web development technology
Microsoft Passport – marketing baggage, doesn’t scale down
Sun’s Passport killer – Liberty something…
Yale’s Central Authentication Service (CAS)

UI Login Tools – How
Key Concepts – 3 actors: the user/browser, your web application, the login tools application
Browser redirects
Authentication ticket
Cashing in the authentication ticket: an HTTP request from your app to the login tools

UI Login Tools – The Picture
Prepare to be stunned by my incredible artistic skills

UI Login Tools – The Picture (diagram with four actors: Login Tools, Your Site, AD, Bob)

Step 1: Bob comes to your site for the first time to start a session

Step 2: You detect that the person doesn’t have a session established and you redirect them to the login tools login page, passing along your service URL

Step 3: The user’s browser takes the redirect request from your site and sends them to the login tools web server

Step 4: The login page is returned to Bob’s browser (either the generic one, or your custom login page)

Step 5: Bob types his correct Hawk ID and Hawk ID password into the fields on the login page and presses the Sign In button

Step 6: Bob’s password is verified via AD, and a redirect is sent back to Bob to the service URL provided, along with a uip_ticket parameter

Step 7: Bob’s browser takes the redirect and sends the uip_ticket back to your web site, to the service URL you provided

Step 8: Your site takes the uip_ticket and connects to the Login Tools to cash it in, to find out who the ticket belongs to

Step 9: The login tools take the ticket you provide and return you a simple text web page that contains Bob’s Hawk ID (hawkid=bob)

Step 10: Your site creates a session for Bob and sends back your home page along with any persistence cookies you need (Bob’s session on your site, Bob’s session cookie in his browser)

Step 10+N: Any further requests are just processed by your site, checking Bob’s session information. No further interaction with the login tools is needed
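The service-provider side of Steps 2, 7, 8, 9 and 10+N, as an added Python example that is not the University of Iowa's login tools code. The login-tools URLs, the "service" query-parameter name and the validate endpoint are assumptions; only the uip_ticket parameter and the hawkid=bob response line come from the slides, and the cash-in HTTP call is passed in as a function so the example runs offline.

```python
# Added example (not the UI Login Tools code): one request handler on "your site".
import secrets
from urllib.parse import urlencode, parse_qs

LOGIN_TOOLS_LOGIN = "https://login.example.edu/login"        # assumed URL
LOGIN_TOOLS_VALIDATE = "https://login.example.edu/validate"  # assumed URL
SERVICE_URL = "https://yoursite.example.edu/app"             # assumed URL

sessions = {}  # session id -> hawkid (in-memory store for the example)


def parse_cashin_response(body):
    """Parse the simple text page returned when a ticket is cashed in (Step 9)."""
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "hawkid" and value:
            return value
    return None  # no hawkid line: unknown/expired ticket, treat as not logged in


def handle_request(query, cookies, cash_in):
    """Handle one request. `cash_in(ticket)` performs the server-to-server
    HTTP request to LOGIN_TOOLS_VALIDATE (Step 8) and returns the text body."""
    # Step 10+N: an established session needs no login-tools interaction.
    sid = cookies.get("session")
    if sid in sessions:
        return {"status": 200, "hawkid": sessions[sid]}
    # Step 7: the browser arrives with a uip_ticket; Step 8: cash it in server-side,
    # never trusting anything about identity from the query string itself.
    ticket = parse_qs(query).get("uip_ticket", [None])[0]
    if ticket:
        hawkid = parse_cashin_response(cash_in(ticket))
        if hawkid:
            # Step 10: issue a fresh random session id; the Hawk ID is never the key.
            sid = secrets.token_urlsafe(32)
            sessions[sid] = hawkid
            return {"status": 200, "hawkid": hawkid, "set_cookie": {"session": sid}}
    # Step 2: no session and no valid ticket, so redirect to the login tools
    # with the service URL the ticket must be returned to.
    location = LOGIN_TOOLS_LOGIN + "?" + urlencode({"service": SERVICE_URL})
    return {"status": 302, "location": location}
```

A ticket that fails to cash in falls through to the redirect, so an attacker replaying or guessing a uip_ticket never gets a session without the login tools confirming it.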

UI Login Tools
You can leave now and plug into the login tools without any involvement from me
To create a custom login page, you will need to send me your service URL and point me at a login page template

Next Steps
Improve
Create some documentation
Figure out SSO better (how best to handle and communicate logouts)
Better service provider management tools – make it so you can more easily update your own login pages, service URLs, etc…
SAML interface, other XML standards
Your suggestions?

Questions?
Email address: