1 ClearPass: A CAS Extension Enabling Credential Replay. Andrew Petro, Unicon, Inc. Jasig 2010, San Diego, CA, 09 March 2010. © Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ http://www.ja-sig.org/wiki/display/CASUM/ClearPass
2 Disclaimers ● Personal: Opinions are my own. Opinions herein are my own, and are not necessarily those of my employer, of Jasig, of the Jasig CAS steering committee, or of anyone else. ● CC-NC-SA Disclaims Warranty: Creative Commons licenses have some fantastic language for disclaiming warranties. That's in part why speakers use them.
3 Agenda 1.What is ClearPass? 2.How does ClearPass work? 3.uPortal example 4.Outlook Web Access example 5.Continued adoption in new environments 6.Questions?
4 What is ClearPass?
5 ClearPass ● Free and Open Source Software ● Extending CAS to... – capture the end user's password at login – And selectively release this password to authorized applications ● Like, say, an enterprise portal
6 Whence? ● Developed by Unicon for Sacramento State University and released as Free and Open Source Software ● Updated by Scott Battaglia via effort funded through Unicon's Cooperative Support for CAS Cooperative Development program
7 Concretely, what? ● Extensions to Jasig CAS to capture and expose credentials ● Extensions to Jasig uPortal to consume the credentials ● https://www.ja-sig.org/svn/cas-extensions/clearpass/
8 Wait, wait. Timeout. http://www.flickr.com/photos/rollerfan/3052241108
9 Say what? ● Did I say ClearPass is an extension for releasing the end user's password??? ● That sounds like a really bad idea.
10 Why would you want to release end user credentials? Healthy skepticism is warranted.
11 Passwords are such useful things ● Have you ever given anyone your password? – To anything? http://www.flickr.com/photos/bulldogsrule/512916347 http://creativecommons.org/licenses/by-nc-nd/2.0/
12 Two purposes ● End-user single sign on ● N-tier application-to-application-on-behalf-of-user authentication
13 Delete your login forms.
14 Apps do not touch passwords CAS
15 Greater than zero effort
16 Difficult to CASify
17 N-tier authentication ● User authenticates to Application 1 ● Application 1 authenticates to Application 2 on behalf of User ● How to accomplish this?
18 Options for N-Tier AuthN ● Principled Enterprise SSO regimes with Delegation ● Application-to-application authentication methods with assertion of user identity ● Direct use of end-user credentials
19 Passwords are such useful things
20 MailPortlet
21 After all, why is this hard?
22 Why ClearPass? ● End-user single sign on to difficult-to-CASify Web applications ● N-tier application-to-application-on-behalf-of-user authentication to difficult-to-CASify services
23 How does ClearPass work? But first, an aside
24 How does Proxy CAS work? An aside necessary to understand how ClearPass works
25 How CAS Works (diagram: Web browser, Web application, CAS; ST and NetID exchanged)
26 CAS 2.0: Proxy CAS (diagram: Web browser, Web application with https listener, CAS; ST, PGTURL, PGTIOU, PGT)
27 CAS 2.0: Proxy CAS (diagram: Web browser, Web application, CAS, Back-end application; NetID, PGTURL, PGT, PT, Data)
28 Proxiable credentials illustrated (diagram: IMP, CAS, IMAP server, CAS PAM module; ST, PGT, PT; username and identity of web resource)
29 How does ClearPass work? Now that we've reviewed Proxy CAS, we can talk about this.
30 ClearPass CAS Extensions ● Capture the password at login ● Cache the password ● Release the password to authorized applications
31 Capture password at login ● In a perhaps too-clever way – AuthenticationMetaDataPopulator ● But minimally invasive
32 Declaring the Cacher
33 Declaring and injecting
34 Cache the password ● In an EhCache – So this cache can be shared across CAS server instances in a cluster – Can also be just in-memory
35 Expose the password ● Adds a controller
36 ClearPassController (slide excerpt, with the parameter types and imports filled in)

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.web.servlet.ModelAndView;

    // The CAS client filters in front of this controller have already validated the
    // proxy ticket, so getRemoteUser() is the NetID asserted by CAS.
    public ModelAndView handleRequestInternal(final HttpServletRequest request,
                                              final HttpServletResponse response) {
        final String userName = request.getRemoteUser();
        if (userName != null) {
            // look the validated user up in the ClearPass credentials cache
            final String password = this.credentialsCache.get(userName);
            return new ModelAndView(this.successView, MODEL_CLEARPASS, password);
        }
        return returnError("No authentication information provided.");
    }
37 Response from /clearpass endpoint actual_password
39 Wait, the password's in the clear? ● Well, no, not really. ● Clearpass callback URL is – Accessed via HTTPS – Request authenticated via Proxy CAS Ticket
41 clearPassSuccess.jsp ${fn:escapeXml(credentials)}
43 Authenticating to ClearPass ● How do applications authenticate to CAS ClearPass to get the password? – Need to authenticate both the application and participation in a CAS single sign on session
44 Authenticated via PT! ● Use the Jasig CAS Client library itself to authenticate applications to the ClearPass CAS extension!
45 Uses Jasig Java CAS Client (diagram: CAS Validation Filter and CAS HttpServletRequest Wrapper Filter, both mapped to /clearPass)
46 Uses Jasig Java CAS Client: org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter, configured with serverName = https://my.clearpass.cas.instance/ and allowedProxyChains = http://my.uportal.edu/CasProxyServlet
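The Proxy CAS exchange from slides 26-27 and the ClearPass authorization from slides 39-46, as an added Python simulation; this is not part of the talk or of the Jasig code. CasServer, ClearPassEndpoint, the user jdoe with password s3cret, and the URLs are constructed for the example. Two simplifications are assumptions: the PGT is returned straight from validation instead of through the PGTIOU callback, and the portal's PGTURL is https because CAS only delivers PGTs to https listeners. The scenarios show the portal's proxy chain being accepted, an unlisted proxy chain being refused, and a proxy ticket being refused on its second use.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed URLs for the walkthrough; PGTURLs are https because CAS only
# delivers PGTs to https listeners.
CLEARPASS_URL = "https://my.clearpass.cas.instance/clearPass"
PORTAL_URL = "https://my.uportal.edu/Login"
PORTAL_PGTURL = "https://my.uportal.edu/CasProxyServlet"

@dataclass
class Ticket:
    netid: str
    kind: str            # "ST", "PGT" or "PT"
    service: str         # service (or PGTURL) the ticket was issued for
    proxy_chain: tuple   # PGTURLs of the proxies behind this ticket, nearest first
    issued: float = field(default_factory=time.time)

class CasServer:
    """Toy CAS server: issues ST/PGT/PT and holds the ClearPass credentials cache."""
    TICKET_TTL = 10.0    # seconds

    def __init__(self):
        self.tickets = {}
        self.credentials_cache = {}   # netid -> password (an EhCache in real ClearPass)

    def _issue(self, prefix, **fields):
        ticket_id = f"{prefix}-{secrets.token_urlsafe(12)}"
        self.tickets[ticket_id] = Ticket(**fields)
        return ticket_id

    def login(self, netid, password, service):
        # ClearPass's AuthenticationMetaDataPopulator captures the typed password
        # here; CAS then issues the service ticket as usual.
        self.credentials_cache[netid] = password
        return self._issue("ST", netid=netid, kind="ST", service=service, proxy_chain=())

    def proxy_validate(self, ticket_id, service, pgt_url=None):
        """/proxyValidate: one-time check of an ST or PT, optionally minting a PGT."""
        t = self.tickets.pop(ticket_id, None)      # pop: a ticket validates only once
        if t is None or t.kind not in ("ST", "PT") or t.service != service:
            return None
        if time.time() - t.issued > self.TICKET_TTL:
            return None
        result = {"netid": t.netid, "proxies": list(t.proxy_chain)}
        # Real CAS calls the PGTURL back with a PGTIOU and hands the PGT over there;
        # this simulation returns the PGT directly.
        if pgt_url is not None and pgt_url.startswith("https://"):
            result["pgt"] = self._issue("PGT", netid=t.netid, kind="PGT", service=pgt_url,
                                        proxy_chain=(pgt_url,) + t.proxy_chain)
        return result

    def proxy(self, pgt_id, target_service):
        """/proxy: mint a PT for target_service on behalf of the PGT holder's user."""
        t = self.tickets.get(pgt_id)
        if t is None or t.kind != "PGT":
            return None
        return self._issue("PT", netid=t.netid, kind="PT", service=target_service,
                           proxy_chain=t.proxy_chain)

class ClearPassEndpoint:
    """/clearPass: the ticket validation filter checks the PT and allowedProxyChains,
    then the controller reads the cache for the validated user."""

    def __init__(self, cas, own_url, allowed_proxy_chains):
        self.cas = cas
        self.own_url = own_url
        self.allowed = {tuple(chain) for chain in allowed_proxy_chains}

    def handle(self, ticket_id):
        validation = self.cas.proxy_validate(ticket_id, self.own_url)
        if validation is None:
            return {"error": "No authentication information provided."}
        if tuple(validation["proxies"]) not in self.allowed:
            return {"error": "Proxy chain not in allowedProxyChains"}
        password = self.cas.credentials_cache.get(validation["netid"])
        if password is None:
            return {"error": "No cached credentials for user"}
        return {"credentials": password}

def _scenario(app_url, pgt_url, uses=1):
    """Login -> ST -> validate with PGTURL -> PGT -> PT, then call /clearPass `uses` times."""
    cas = CasServer()
    clearpass = ClearPassEndpoint(cas, CLEARPASS_URL, [[PORTAL_PGTURL]])
    st = cas.login("jdoe", "s3cret", app_url)        # constructed user
    pgt = cas.proxy_validate(st, app_url, pgt_url=pgt_url)["pgt"]
    pt = cas.proxy(pgt, CLEARPASS_URL)
    return [clearpass.handle(pt) for _ in range(uses)]

def run_scenarios():
    return {
        "portal": _scenario(PORTAL_URL, PORTAL_PGTURL),   # [{"credentials": "s3cret"}]
        "unlisted": _scenario("https://other.example.edu/app",
                              "https://other.example.edu/CasProxyServlet"),  # chain refused
        "replay": _scenario(PORTAL_URL, PORTAL_PGTURL, uses=2),   # second call refused
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The proxy chain carried by the PT is what ties the password release to the portal: the endpoint never trusts the caller's own claim about who it is, only the chain CAS reports for the validated ticket, and a ticket is consumed on validation, so a captured PT cannot be presented a second time.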
47 CAS 2.0: Proxy CAS (diagram: Web browser, Web application, CAS, Back-end application; NetID, PGTURL, PGT, PT, Data)
48 CAS 2.0: Proxy CAS (diagram: the same flow with CAS ClearPass as the back-end application; NetID, PGTURL, PGT, PT, Password)
49 uPortal Example
Portal Password Replay (diagram: Portal, Channel, Password-Protected Service; PW)
Portal Password Replay (diagram: Portal, Portlet, Password-Protected Service; PW)
52 ClearPass uPortal module ● https://www.ja-sig.org/svn/cas-extensions/clearpass/tags/clearpass_1_0_0_ga/clearpass-integration-uportal/ ● Plugin for uPortal's SecurityContext API ● Implements Password Caching API (supports password replay) ● Implements CAS API (supports CAS proxy tickets)
Portal Password Replay Alongside PTs (diagram: Portal holding PW from ClearPass and PGT from CAS; Portlets receive PW and PT; Password-Protected Service and CAS-Protected Service)
54 Portlets that (can) replay passwords
55 Portlets that can use passwords... ● Email preview ● Calendar preview ● Toro Gateway SSO portlet (for credential replay through login forms to achieve end-user SSO experience) ● Web Proxy Portlet ● Your portlet
56 Password as just an attribute ● A special, important attribute ● But just a standard JSR 168 user attribute ● Portlet doesn't care whether it came from ClearPass
57 SSO into Datatel WebAdvisor ● http://www.ja-sig.org/wiki/display/CASC/CASifying+WebAdvisor ● ClearPass ● uPortal ● Toro Gateway SSO portlet
58 (There's more to this story) ● (Apparently Datatel WebAdvisor has an optional add-on product enabling SSO?) ● (So that might be a better option?) ● (But probably incurs license fees and uses proprietary software?)
59 Outlook Web Access example
60 Free Software alternatives to OWA ● While ClearPass-infused heroics can be applied to CASify Outlook Web Access... ● You could instead use something under an Open Source license...
61 Bill Thompson's (!) Solution ● http://github.com/wgthom/CasOwa
62 CasOwaAuthHandler.cs ● Handles an HTTP request ● Obtains a Proxy Ticket to CAS/clearpass ● Uses PT to obtain password from CAS/clearpass ● Uses password to internally POST to OWA login form, reading resulting session cookies ● Sends session cookies back to end user browser (works since running in OWA) ● Redirects browser to OWA
63 Liferay example
64 Bill Thompson (!) forum post ● http://bit.ly/ ● liferay_jasig_cas_client_forum_discussion
65 Liferay 5 extensions ● http://github.com/wgthom/Cas3Liferay5 ● Use Jasig Java CAS Client library ● Obtain PT ● Use PT to obtain Password from ClearPass ● Place password into session where Liferay expects it ● Portlets use it as normal
66 How ClearPass Fits
67 ClearPass ● Enables incremental adoption of Enterprise SSO ● Adopt CAS SSO ● Use ClearPass to enable legacy integrations ● Use CAS and CAS delegated authentication wherever you can ● Improvement: incrementally, less proliferation of passwords and use of passwords
68 ClearPass Future
69 Encrypt the password at rest?
70 What about multiple passwords? ● Represent as different ClearPass callback URLs?
71 Questions & Answers & Discussion Andrew Petro, Software Developer, Unicon, Inc. apetro@unicon.net www.unicon.net www.unicon.net/blog/apetro
72 License and Copyleft © Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
73 Acknowledgments ● Bill Thompson for his excellent work developing and documenting Liferay extensions to use Jasig Java CAS Client 3 and ClearPass, and OWA extensions to rely upon ClearPass for SSO into OWA. ● http://www.flickr.com/photos/rollerfan/3052241108 (Roller derby timeout image; CC-NC 2.0)