1
CUWebAuth and CUWebLogin 2.0
Identity Management Team Campus Developers Meeting June 4, 2008
2
K5 Migration Project
[Timeline figure, monthly axis across 2008-2009. Milestones: CUWA 2.0 Alpha; CUWA 2.0 Beta; K5 Permit Server; CUWA 2.0 Production Release; You Are Here; Campus Rollout Complete; K4 Shutdown? Phases: Testing; Discretionary migration window; Buffer.]
WebAuth2 is being developed as part of the Kerberos 5 migration project. We expect to shut off Kerberos 4 by the end of the year.
3
https://confluence. cornell
6
https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0
Documentation
7
What's New in 2.0
- Kerberos 5 only
- Open-source
- GSSAPI
- Better Security
- Better Performance
- Simplified Administration
- Flexible Authorization Model
- New POST Data Handling
- Better Support
8
Changes for Kerberos 5
- Keytabs not Srvtabs
- ServiceID Self-Service Application
- Create your own keytabs
- Create your own ServiceID
- Delegate authority
- No More SideCar
- No More Legacy CUSSP Library
9
Open System
- Documented Standards-based APIs
- Full Source Code Available
- Localize
- Porting
- Customization
10
Custom Tools
- Credential Creation & Parsing
- PermitG / Grouper lookup
There’s a separate C library for handling credentials. Credentials are used in cookies and query strings in the context of CUWA and CUWL. The format is well documented, so implementation in other languages is possible. There’s a separate C library for permit lookup. Grouper access is via LDAP, which is supported in most languages.
11
GSSAPI
- IETF - RFC 2743
- C Bindings
- Java Bindings
- Wide OS Acceptance
The credentials are based on the Generic Security Standard. Combination of wire protocol and language bindings. Supported just about everywhere.
12
Better Security
- CUWebLogin - Kerberos Proxy
- No Credential Minting
- Better MITM Attack Prevention
13
Performance CUWebLogin 1.0 CUWebLogin 2.0 20 logins/sec per server
Single Server CUWebLogin 2.0 200+ logins/sec per server Load Balanced 4 Servers
14
WebAuth Administration
- Fewer Directives
- 26 Directives Obsolete
- 5-6 New Ones
- Better Logging
- Fine Grained
- .htaccess
- VirtualHost
- Security Domain
15
Flexible Authorization (Active Content)
- New Directives, more than remote-user…
- Allow anonymous access
- List group permissions
- Pass cuwa-groups to application
- How long ago did user login?
- Inspect cuwa-auth-time
- Pass cuwa-delegated-cred to application
Some new directives to allow active content to have more control of authorization.
16
POST Data
- No More “Click to Continue”
- POST Data Handled By WebAuth
- Request Data Stays at Website
- Can Handle Larger POSTs
- Same Support Apache / IIS
POST data support has been revamped.
17
Better Support
- Apache and IIS – One Code Base
- 64-bit clean
- Thread safe
- No Name Collisions
- Shared Library Compatibility (Unix)
- Problem with Binary? Rebuilt It!
- Short List of Binaries
- RedHat, Solaris, Windows
- Apache 2.0, 2.2, IIS 6
- Wiki Documentation
In the end our efforts are geared toward improving our ability to support CUWebAuth.
18
Release Schedule
- Apache Go-Live: Now
- IIS Go-Live: one month-ish
19
Q&A
- Pete Bosanko pb10@cornell.edu
- Tom Parker jtp5@cornell.edu
Duck and cover