Download presentation
Presentation is loading. Please wait.
Published byDaniel Kirkpatrick Modified over 10 years ago
1
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium
2
Open-source Single Sign-On with CAS Single Sign-On –Why SSO? –The main principles of web SSO –The choice of CAS CAS (Central Authentication Service) –How does it work? –How to CAS-ify applications Web applications Non-web applications Limits The effort of the ESUP-Portail consortium around CAS
3
Why Single Sign-On? Unique accounts but several authentications –Each time users access an application Security (password stealing) –Protect password transmission –Do not transmit passwords to applications Simplify applications Delegate developments without delegating authentication Abstract authentication –LDAP, NIS, database, NT, Active Directory, X509 certificates, …
4
SSO: the users point of view web browser app. #1app. #2app. #3 without SSO service web browser app. #1app. #2app. #3 with SSO service
5
SSO: principles on the web Authentication is centralized –One (redundant) authentication server Transparent HTTP redirections –From applications to the authentication server (when not authenticated) –From the authentication server to applications (when authenticated) Tokens propagate identities –Cookies, CGI parameters
6
CAS: why did we choose it? Security –Password is never transmitted to applications –Opaque tickets are used N-tier installations –Without transmitting any password! Portability (client libraries) –Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules Permanence –Developed by Yale University –World-wide used (mainly Universities) –Adopted by all the French educational community J2EE platform –Very light code (about 1000 lines) Open source Integrated into uPortal
7
web browser app. #1app. #2app. #3 with CAS service CAS: why did we choose it? web browser app. #1app. #2app. #3 authentication server without SSO user database service netId password
8
web browser app. #1app. #2app. #3 with CAS service CAS: why did we choose it? web browser app. #1app. #2app. #3 authentication server without SSO user database service netId password
9
User authentication CAS server HTTPS web browser
10
User authentication TGC: Ticket Granting Cookie –Users passport to the CAS server –Private and protected cookie (the only one used by CAS, optional) –Opaque re-playable ticket CAS server netId password HTTPS user database web browser TGC
11
Accessing an application after authentication web browser CAS server TGC HTTPS application TGC ST ST: Service Ticket –Browsers passport to the CAS client (application) –Opaque and non re-playable ticket –Very limited validity (a few seconds) ID
12
Accessing an application after authentication CAS server HTTPS TGC ST ID web browser TGC Redirections are transparent to users application ST: Service Ticket –Browsers passport to the CAS client (application) –Opaque and non re-playable ticket –Very limited validity (a few seconds)
13
Accessing an application without authentication web browser CAS server HTTPS Authentication form application
14
Accessing an application without authentication web browser CAS server TGC HTTPS ST ID netId password ST TGC No need to be previously authenticated to access an application application
15
Remarks Once a TGC acquired, authentication is transparent for the access to any CAS-ified application of the workspace Once authenticated by an application, a session should be used between the browser and the application
16
Authenticating users with CAS CAS authentication left to administrators ESUP-Portail CAS Generic Handler –Mixed authentication –XML configuration LDAP directory databaseNIS domain X509 certificates Kerberos domain Windows NT domain flat files CAS server
17
Using the ESUP-Portail CAS GH org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler uid=%u,ou=people,dc=esup-portail,dc=org ldap://ldap.esup-portail.org org.esupportail.cas.server.handlers.nis.NisHandler ESUP-PORTAIL pammd5 nismaster.esup-portail.org nisslave.esup-portail.org
18
CAS-ifying a web application Use provided libraries Add a few lines of code Note: you can also protect static resources –With mod_cas, an Apache module
19
CAS-ifying a web application An example using phpCAS (ESUP-Portail) Successfull Authentication! User's login:.
20
N-tier installations PGT: Proxy Granting Ticket –Applications passport for a user to the CAS server –Opaque and re-playable ticket web browser CAS server TGC application (CAS proxy) ST service ID PGT
21
application (CAS proxy) N-tier installations web browser CAS server TGC ST service PGT PT ID PGT PGT: Proxy Granting Ticket –Applications passport for a user to the CAS server –Opaque and re-playable ticket PT : Proxy Ticket –Applications passport for a user to a tier service –Opaque and non re-playable ticket –Very limited validity PT
22
CAS-ifying a non web application One of the strongest points of CAS Use the pam_cas PAM module Example of PAM configuration: auth sufficient /lib/security/pam_ldap.so auth sufficient /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_cas.so
23
pam_cas The pam_cas PAM module Pam_cas authenticates users with a CAS ticket pam_pwdb client application pam_ldap LDAP directory login/password /etc/passwd login/password client application CAS server ticket server application login/ticket
24
CAS-ifying an IMAP server Objectives –Access an IMAP server from a web application that does not know the password of the user connected –Let traditional mail clients authenticate normally (with a password) –Do not modify the IMAP server The solution: pam_cas :-)
25
pam_cas CAS-ifying an IMAP server pam_pwdb traditional mail client pam_ldap LDAP directory login / password /etc/passwd login / password CAS-ified webmail (CAS proxy) login / PT CAS server PT web browser ST IMAP server
26
pam_cas pam_pwdb pam_ldap CAS-ifying Cyrus IMAPd traditional mail client LDAP directory login / password /etc/passwd CAS-ified webmail (CAS proxy) CAS server PT web browser ST sasl Cyrus imapd login / PT
27
pam_cas pam_pwdb pam_ldap sasl CAS-ifying Cyrus IMAPd traditional mail client Cyrus imapd LDAP directory login / password /etc/passwd CAS-ified webmail (CAS proxy) login / PT CAS server PT web browser ST sasl_authd cache Unix socket Cyrus IMAP daemon sasl_authd daemon Cache efficiency: 95%
28
Limits (and perspectives) CAS deals with authentication, not authorization –Mixing CAS and Shibboleth? No redundancy –No native load-balancing (but low load) –No fault-tolerance(but very good reliability) No Single Sign-Off A very poor documentation
29
The effort of the ESUP-Portail consortium Writing documentation Adding libraries (phpCAS, esup-mod_cas, esup-pam_cas) Adding features to the CAS server –Authentication handlers (LDAP, NIS, files, databases, NT domains, …) –Mixed authentication –Authentication debug mode –Rendering customization (appearance, internationalization) –CAS quick start (Jakarta Tomcat + Yale CAS server + CAS GH) Supporting the French CAS community –Through forums and mailing lists
30
Enjoy CAS!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.