UMBC’s WebAuth Robert Banz – UMBC

A Few Terms
Authentication: knowing that you are who you say you are.
Authorization: knowing what you can/can’t do, usually gleaned from information other than your name…
Often confused, as they are (usually) intertwined!

What is WebAuth?
Created as a Web Single Sign On system during the Summer of 2000, to provide a common authentication interface to:
– WebAdmin, UMBC’s directory-enabled directory and account management tools
– WebCT (3.x)
– Blackboard

What Is WebAuth?
An Authentication Server, written in Perl, running under Apache. Client API code for:
– Perl, for use in CGI scripts and Apache mod_Perl modules
– Java, for use in applications using the servlet API

Motivation
Provide reasonably strong authentication and authorization data to web-based applications.
Support a wide variety of web clients
– Needs to work with a minimum of services a web browser can provide
Not create a performance burden on servers and/or clients
Support a wide variety of customer applications and requirements
Potentially extend the framework to provide inter-domain (cross-campus) services.

“Reasonably Strong”
You can trust it.
– Some kind of cryptographically signed “thingy”
Shouldn’t do “bad things”…
– Such as send your password, or other authenticator in the clear.

The Lowest Common Denominator
Is passing CGI parameters…
– But, this can be cumbersome, as an application programmer must re-send the data with every transaction
– User would have to “re-authenticate” if they left your site and came back.
The “next to lowest” common denominator, “Cookies”
– Most, if not all, web browsers support them.
– They are stateful, and stick with you.
– …but, they’re not very secure (but we can fix that)

Don’t Burden Your Servers or Clients
SSL is a CPU killer for your web servers
– …so, it shouldn’t be required when the application content doesn’t dictate it
– …need to minimize the cost if a cookie is sniffed.

The Kerberos Model
User ‘authenticates’ themselves to a ‘trusted host’ (the KDC) and receives a ticket granting ticket
The ticket granting ticket is later presented to the KDC for the issuing of service tickets for specific applications
Service tickets can only be decrypted by the application they were created for.

The Kerberos Model Tickets also expire …So, service tickets have limited worth – a function of their expiration time, and cost of the information they are protecting…

Translating Kerberos to the Web
When authentication is needed, the user is redirected to the WebAuth server
If the user does not have a valid TGT:
– They are asked to authenticate themselves
– A TGT, and a service ticket (in the form of cookies) are issued for the requesting application
– They are redirected back to the URL that needed authentication

Translating Kerberos to the Web
If the user HAS a valid TGT:
– The TGT is verified, and a service ticket is issued with the same credentials contained in the TGT.
– The user is redirected back to the URL that needed authentication
– There was no user interaction in this exchange!
So…
– We can tune the expiration times of Service Tickets to lessen our exposure.
– We can tune ‘up’ the expiration time of the Ticket Granting Ticket so a user does not have to ‘interact’ with the system during a typical session!
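The two redirect paths above, as an added example that is not WebAuth’s own code: a small Python model in which the WebAuth server signs the TGT cookie with a key only it holds and signs each service-ticket cookie with a key shared with exactly one application, so an application accepts only a fresh ticket created for it, and a valid TGT yields a new service ticket with no user interaction. HMAC-SHA256 stands in for the page’s “cryptographically signed thingy”; the key names, lifetimes and cookie layout are assumptions, not WebAuth’s real format.

```python
import base64, hashlib, hmac, json

# Constructed keys for this model; how the real WebAuth server stores or
# distributes keys is not described on the page.
WEBAUTH_KEY = b"webauth-server-key"   # held only by the WebAuth server: it signs TGTs
APP_KEYS = {"webct": b"webct-key", "blackboard": b"blackboard-key"}  # one shared key per application

TGT_LIFETIME = 8 * 3600   # tuned 'up' so the user rarely has to interact during a session
SVC_LIFETIME = 300        # tuned down to limit exposure if a service-ticket cookie is sniffed

def _sign(key, payload):
    """Encode the payload and append an HMAC-SHA256 tag: this string is the cookie value."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _verify(key, cookie, now):
    """Return the payload if the tag matches this key and the ticket has not expired, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["exp"] > now else None

def login(user, now):
    """User authenticates at the WebAuth server (the 'trusted host') and receives a TGT cookie."""
    return _sign(WEBAUTH_KEY, {"user": user, "exp": now + TGT_LIFETIME})

def issue_service_ticket(tgt, app, now):
    """The no-interaction path: a valid TGT is verified and a service ticket carrying the same
    credentials is issued for the requesting application. None means the user must log in again."""
    creds = _verify(WEBAUTH_KEY, tgt, now)
    if creds is None:
        return None
    return _sign(APP_KEYS[app], {"user": creds["user"], "app": app, "exp": now + SVC_LIFETIME})

def app_check(app, ticket, now):
    """What the client API does inside an application: accept only a fresh ticket
    that was created for this application. Returns the username or None."""
    creds = _verify(APP_KEYS[app], ticket, now)
    if creds is None or creds.get("app") != app:
        return None
    return creds["user"]

if __name__ == "__main__":
    t = 1_000_000                       # constructed clock so the run is deterministic
    tgt = login("alice", t)
    st = issue_service_ticket(tgt, "webct", t + 10)
    print(app_check("webct", st, t + 20))          # alice
    print(app_check("blackboard", st, t + 20))     # None: signed with another application's key
    print(app_check("webct", st, t + 10 + 301))    # None: service ticket expired, TGT still valid
```

A sniffed service-ticket cookie is therefore useful only to one application and only until its short expiry, while the longer-lived TGT cookie is never presented to any application, only to the WebAuth server.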

It’s not perfect… There are a few potential ways to ‘hack’ the system, as it exists now… …but there are ways we plan to fix them.

Integration: WebCT
– Relies on standard HTTP Basic Authentication (via mod_authdbm)
– Runs under Apache
– Created an Apache module, using mod_Perl
  – Emulates part of mod_authdbm, with the exception of where it gets its authentication
  – Has also come in quite handy for adding common authentication quickly to other web services!
– The WebCT user database is updated nightly from our LDAP directory.

Integration: Blackboard
– Running under Windows NT / IIS
– Uses JSP (Java)
– Wrote a Java-based WebAuth client class
– Blackboard integrated it into their login process
– The Blackboard user database is updated nightly from our LDAP directory.

Integration: MyUMBC
– MyUMBC is our web portal, rolled out in August ‘99
– Uses its own authentication scheme, authenticating users against the Kerberos server directly
– Augmented the MyUMBC login process to retrieve a ticket granting ticket for the user, allowing for a seamless transition between the web portal and linked applications.
– Future portal development to make use of WebAuth directly.

The Client API
Easy to use!
– In Perl, only a couple lines will check someone’s authentication, or force them to get some.
– Java is just as simple
– Or, use the Apache module

Future Directions
– Additional “authorization” encoded in the service ticket by request
– Anonymous authorization-only for library-like services
– Additional authentication levels / roles
– Cross-domain authentication/authorization

More Information
– We plan to release the source, and will make it available here!
– Internet2’s Web Access Control project