1. February, 2012 2TRANSCEND SHIRO-CAS INTEGRATION ANALYSIS

2. Overview of Shiro Open Source Application Security Library developed as part of Apache Software Foundation Simplifies or replaces Java’s Security Mechanism (JAAS) to primarily provide Authentication and Authorization capabilities Allows capabilities to connect to different realms (identity providers) such as database, LDAP etc. for authenticating users Provides Authorization capabilities at Permission and Roles level Provide consistent session management (irrespective of the container) 2

3. Usage of Shiro in TRANSCEND Tolven v2.1 uses Shiro as its Authentication and Authorization Framework Shiro uses LDAP Realm to connect to OpenDS in back end for:  Authentication of the user  Retrieve Authorization Policy (Roles) for the user OpenDS is a replacement for OpenLDAP and contains:  User Credentials  User Roles stored as attributes Tolven is responsible for migration of user accounts from OpenLDAP to OpenDS as part of overall Tolven upgrade 3

4. Impact for Proposed 2TRANSCEND SSO Soln. No Immediate Impact Shiro and CAS are complementary technologies  Shiro – Used for Local Authentication and Simple Single Sign On*  CAS – Used for Enterprise-wide Single Sign On Shiro can participate in a CAS-based SSO framework by acting as a CAS SSO client (using Shiro/CAS plug-in) In future, Tolven can be part of SSO framework by leveraging the Shiro CAS plug-in and without any changes to the system For OpenDS, CAS should be able to connect to it as an Identity Provider  OpenDS exposes a standard LDAP Interface * Shiro’s SSO capabilities are limited 4

5. 2TRANSCEND Single Sign On Architecture 5 Client Browser Target Web App SSO Client (CAS) SSO Server (CAS) OpenDS 1. Request Login 2. Provide Credentials 4. Issue SSO Ticket 5. Present SSO Ticket 5. Log User In 3. Validate Credentials Target Web App Container Tolven Shiro/ CAS Plug-in 5. Log User In Tolven Container 1a. Request Login 5a. Present SSO Ticket FUTURE

6. Questions ? Thank You 6