CAS and Web Single Sign-on at UConn

1 CAS and Web Single Sign-on at UConn

2 Preview
- What authentication is
- Authentication systems at UConn
- CAS
  - What it does
  - How it works
- Implementing CAS with Web Applications

3 What authentication is
- Authenticate identity using a secret (password)
- Authentication (AuthN) - Authorization (AuthZ)
- Problem when AuthN=AuthZ

4 Authentication at UConn
- Authentication system stores NetID and password
- One NetID and password for all authentication.
- Two parallel authentication systems
  - Active Directory
  - MIT Kerberos
- Password sync and NetID LDAP

5 Single Sign-On
- One login provides access to many systems.
- Advantages
  - User convenience
  - Password security
- Single Sign-On Systems
  - Kerberos (Active Directory)
  - Not easily integrated with Web browsing

6 Web Single Sign-On
- Designed for Web browsing
- Choices
  - CAS (1997?)
  - PubCookie (1999)
  - Shibboleth (2000)
  - CoSign (2002)
  - OpenID (2005)

7 Single Sign-On with CAS Step 1

8 Single Sign-On with CAS Step 2

9 Single Sign-On with CAS Step 3

10 How CAS works: The players
- User
- Web Server
- CAS Server
- Kerberos*

11 How CAS works: Cookies
- Cookies keep state information
- CAS client cookie
  - Tells client that user is logged in.
- CAS server cookie
  - Tells CAS server that user has authenticated.
- Both cookies last until the browser is closed.

12 How CAS works: Request to Web Server
- User requests page protected by CAS client
- CAS client checks for CAS client cookie
  - If cookie is found, user is allowed to connect.
  - If no cookie, redirect user to CAS server
… guestreg.uconn.edu/cgi-bin/pa_admin.py

13 How CAS works: Connection to CAS Server
- User connects to CAS server.
- CAS checks for CAS server cookie.
- If not found, CAS server presents login form.
- User enters NetID and password.
  - If invalid NetID and password*, resend login.
  - If valid NetID and password, redirect user back to Web server with ticket.
j49xSASbuXJUjX9PltOqINab7va79Dg4TK3- 20

14 How CAS works: Second Time to the Web Server
- User sends ticket to the Web Server
- Web Server checks ticket with CAS server
- If valid
  - CAS server returns NetID
  - Web server delivers page and CAS client cookie to user.
- If invalid
  - CAS server returns error
  - Web server delivers error page to user.
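
The exchange on slides 12 to 14, modelled end to end as an added example (not code from the presentation, from UConn, or from any CAS client or server). The class names, the cas.example.edu URL, the in-memory stores and the password map standing in for the Kerberos check are assumptions; that a ticket is single-use and bound to the service it was issued for is CAS protocol behaviour the slides do not spell out.

```python
import hmac
import secrets
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.example.edu/cas/login"  # placeholder URL, not UConn's

class CasServer:
    def __init__(self, accounts):
        self.accounts = accounts  # constructed NetID -> password map; stands in for Kerberos
        self.sessions = {}        # CAS server cookie -> NetID
        self.tickets = {}         # ticket -> (service, NetID)

    def login(self, service, server_cookie=None, netid=None, password=None):
        """Slide 13: return (server cookie, ticket), or (None, None) to resend the form."""
        user = self.sessions.get(server_cookie)
        if user is None:  # no CAS server cookie: credentials are required
            expected = self.accounts.get(netid)
            if expected is None or not hmac.compare_digest(
                    expected.encode(), (password or "").encode()):
                return None, None
            user, server_cookie = netid, secrets.token_urlsafe(16)
            self.sessions[server_cookie] = user
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (service, user)
        return server_cookie, ticket

    def validate(self, service, ticket):
        """Slide 14: NetID if valid, else None. pop() makes the ticket single-use."""
        issued_for, netid = self.tickets.pop(ticket, (None, None))
        return netid if issued_for == service else None

class WebApp:
    def __init__(self, cas, service):
        self.cas, self.service = cas, service
        self.client_sessions = {}  # CAS client cookie -> NetID

    def request(self, client_cookie=None, ticket=None):
        """Slides 12 and 14: return (HTTP status, cookie or redirect URL)."""
        if client_cookie in self.client_sessions:
            return 200, client_cookie
        if ticket is None:
            return 302, CAS_LOGIN + "?" + urlencode({"service": self.service})
        netid = self.cas.validate(self.service, ticket)
        if netid is None:
            return 403, None
        cookie = secrets.token_urlsafe(16)
        self.client_sessions[cookie] = netid
        return 200, cookie
```

A second `WebApp` sharing the same `CasServer` gets a ticket from `login()` with only the server cookie, which is the automatic login that slide 15 identifies as the source of the sign-off problem.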

15 The Single Sign-Off problem
- There are two cookies: the CAS client and CAS server cookies.
- If you have a CAS server cookie, login is automatic.
- Therefore, a Web service cannot log you out as long as you have a CAS server cookie.
- To be fully logged out, you need to remove both the CAS server cookie and all the CAS client cookies.
- CAS 3.0 implements a Single Sign-Off method.
- Current best Single Sign-Off is to close your browser - this removes all CAS cookies.

16 Implementing CAS Web apps
- CAS supported by JASIG
- Official CAS clients
  - Apache Mod-auth-cas
    - appears to Web app like Basic Auth.
  - PHPCas
  - CAS Client for Java 3.0, 3.1
- Unofficial CAS clients
  - Pycas
  - Ruby on Rails
  - Perl
- see sig.org/wiki/display/CASC/Home

17 More Information
- Official home for CAS http://www.jasig.org/cas
- CAS at UConn see CAS link.

