Exploring Cloud Credentials for Institutional Use

Exploring Cloud Credential Use: Logging in with Facebook or Google Accounts

Upload: jeremy-rosenberg

Post on 30-Jun-2015


DESCRIPTION

Presentation on the use of Social Credentials to access institutional resources.

TRANSCRIPT

Page 1: Exploring Cloud Credentials for Institutional Use

Exploring Cloud Credential Use: Logging in with Facebook or Google Accounts

Page 2

Overview

• What is CAS?

• Authentication vs Authorization

• What is OAuth?

• How do programmers use OAuth?

• How does CAS work with OAuth?

• Use Cases

• What about security?

• Workflow Comparison

SFU CAS 2013 2

Page 3

What is CAS?

• Central Authentication Service

• Centralized
  – One username for all SFU systems

• Convenient
  – No need to enter the password again (single sign-on)

• Trusted
  – The password never leaves CAS; applications receive only a ticket that they validate with CAS

Page 4

SFU User Log In Flow

Page 5

Authentication vs Authorization

• Authentication
  – Verify who you are
  – Username + password = Authenticated

• Authorization
  – What you are allowed to do/see
  – Authentication + Role/Group = Authorization

• CAS primarily handles Authentication

Page 6

Authentication vs Authorization as Access Control

• Authentication
  – A key to the building
  – But all the offices are locked

• Authorization
  – The key to any given office
  – Handed out by the office managers

Page 7

What is OAuth?

• OAuth is a standard for asking permission (delegated authorization)
  – Google and Facebook use OAuth to let other services ask for permission to access their users' information

• Any programmer can use OAuth to provide access to their applications via Google or Facebook credentials

• But it's complicated and there is potential to get it wrong
  – e.g. omitting the state check (login CSRF), accepting unregistered redirect URIs, or treating possession of an access token as proof of the user's identity

Page 8

How do programmers use OAuth?
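This slide carried a diagram that the transcript does not reproduce. As an added example that is not part of the presentation, the following Python simulates the OAuth 2.0 authorization-code flow that a "log in with Google or Facebook" integration runs: the application sends the browser to the provider with a session-bound state value, the provider returns a single-use code to a registered redirect URI, and the application exchanges that code over a back channel before asking who the user is. The provider is an in-memory stand-in, and every URL, client id, secret and user record is constructed for the example; the login-CSRF function shows one of the ways to get it wrong that the previous slide warns about.

```python
# Added example (not from the slides): OAuth 2.0 authorization-code login between
# a relying party (the application) and an in-memory stand-in for Google/Facebook.
# Every URL, client id, secret and user record below is constructed.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class MockProvider:
    ISSUER = "https://idp.example"  # constructed issuer name

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, set of redirect URIs)
        self.codes = {}    # code -> (client_id, redirect_uri, subject)
        self.tokens = {}   # access_token -> subject
        self.users = {"u-1001": {"sub": "u-1001", "email": "guest@example.org"}}

    def register(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = (client_secret, set(redirect_uris))

    def authorize(self, client_id, redirect_uri, state, subject):
        # User has logged in and consented.  Exact match against registered
        # URIs stops the code being redirected to an attacker's page.
        _, uris = self.clients[client_id]
        if redirect_uri not in uris:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, subject)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: client authenticates; code is single-use and bound.
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise ValueError("client authentication failed")
        bound_client, bound_uri, subject = self.codes.pop(code)
        if bound_client != client_id or bound_uri != redirect_uri:
            raise ValueError("code was issued to a different client/redirect")
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = subject
        return access_token

    def userinfo(self, access_token):
        return dict(self.users[self.tokens[access_token]])


class RelyingParty:
    """The application side; in the SFU design CAS plays this role for apps."""

    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id = idp, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        idp.register(client_id, client_secret, [redirect_uri])
        self.sessions = {}  # browser session id -> pending login state

    def start_login(self, session_id):
        # Step 1: fresh, session-bound state proves the callback is ours.
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        return self.idp.ISSUER + "/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid email",
            "state": state})

    def finish_login(self, session_id, callback_url):
        # Step 3: verify state, exchange the code, read the provider's subject.
        qs = parse_qs(urlparse(callback_url).query)
        expected = self.sessions.get(session_id, {}).pop("state", None)
        received = qs.get("state", [None])[0]
        if not (expected and received and hmac.compare_digest(expected, received)):
            raise ValueError("state mismatch: possible login CSRF")
        token = self.idp.token(self.client_id, self.client_secret,
                               qs["code"][0], self.redirect_uri)
        info = self.idp.userinfo(token)
        # Identity is (issuer, sub), never the e-mail alone: addresses change hands.
        return (self.idp.ISSUER, info["sub"])


def simulate_user(idp, authorize_url, subject):
    # Step 2: stand-in for the browser carrying the user to the provider.
    p = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    return idp.authorize(p["client_id"], p["redirect_uri"], p["state"], subject)


def run_login():
    """Happy path: returns the (issuer, sub) pair the app may authorize on."""
    idp = MockProvider()
    rp = RelyingParty(idp, "canvas-app", "s3cret", "https://app.example/cb")
    callback = simulate_user(idp, rp.start_login("session-A"), "u-1001")
    return rp.finish_login("session-A", callback)


def login_csrf_rejected():
    """Attacker plants their own completed callback URL in the victim's browser."""
    idp = MockProvider()
    rp = RelyingParty(idp, "canvas-app", "s3cret", "https://app.example/cb")
    attacker_cb = simulate_user(idp, rp.start_login("attacker"), "u-1001")
    rp.start_login("victim")  # victim's session holds a different state
    try:
        rp.finish_login("victim", attacker_cb)
    except ValueError:
        return True
    return False
```

`run_login()` returns the (issuer, sub) pair; `login_csrf_rejected()` returns True because the state in the planted callback does not match the state pending in the victim's session. Every check in this flow (state, registered redirect URI, single-use code bound to the client, identity keyed on the provider's subject id) is something each application would otherwise have to implement itself, which is the case the deck makes for letting CAS do it once.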


Page 9

Potential SFU Use Cases?

• It's complicated, but SFU has use cases
  – Guest lecturers in Canvas
  – Protected shared collaboration spaces with non-SFU researchers
  – Non-SFU email addresses in Maillist
  – Continuing Studies students with limited access requirements
  – Anonymous web surveys without duplicate answers

• Anytime the "office manager" would like to provide access to people who can't get into the "building"

Page 10

How does CAS work with OAuth?

• Applications must opt in; OAuth is off by default

• SFU applications already use CAS

• CAS handles all the complicated communication with the provider on the application's behalf
  – Ensures best practices are followed consistently

• CAS ONLY handles Authentication
  – Authorization is still handled by the application

Page 11

Non - SFU User Log In Flow

Page 12

What about security?

• Authentication without Authorization does not provide access to anything

• Authorization remains the domain of the application

• Currently SFU issues thousands of "sponsored" accounts, which is a security concern in itself
  – Encourages shared accounts
  – Overloads the system
  – Encourages credential reuse
  – No accountability

Page 13

Workflow Comparison: Guest Lecturer needs access to Canvas for one lesson

Current Workflow

1. Instructor directs Guest to an office administrator for a sponsored account
2. Office administrator contacts IT Services to secure a guest account
3. Guest account is issued and password is communicated to office administrator
4. Office administrator communicates username and password to lecturer and username to instructor
5. Instructor adds lecturer's account name to Canvas course
6. Lecturer logs in to Canvas with provided username and password (hopefully remembering the auto-generated password he received from the office administrator)
7. Instructor removes Guest lecturer's account from Canvas after the lesson is complete
8. Guest account remains active until expiry date

Proposed Workflow

1. Guest lecturer provides instructor with Google or Facebook username
2. Instructor adds lecturer's Google or Facebook username to Canvas course
3. Guest lecturer logs in to Canvas, via CAS, with his Google or Facebook username
4. Instructor removes Guest lecturer's account from Canvas after the lesson is complete

Page 14

Review

• This will not allow outside applications to access SFU user information

• SFU developers will need to explicitly apply to the CAS administrators in order to be granted access to this feature

• Developers will be trained by CAS staff to ensure appropriate use of this feature

• SFU developers will need to make explicit allowances in their application authorization logic to permit external users
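An added example, not part of the presentation, of the application-side authorization logic that the "How does CAS work with OAuth?" slide and the last bullet above call for: CAS delivers an authenticated principal, and the application grants nothing until an explicit role or allowance exists for that principal. The course, principal names and provider subject ids are constructed.

```python
# Added example (not from the slides): application-side authorization that keeps
# an authenticated external identity inert until the "office manager" (here the
# course instructor) explicitly grants access.  All names and ids are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What CAS hands the application after authentication.
    source:  "sfu" for a campus account, otherwise the external issuer.
    subject: CAS username for SFU users; for external users the provider's
             stable subject id, not the e-mail address."""
    source: str
    subject: str


class Course:
    """A Canvas-style course; its instructor is the "office manager"."""

    def __init__(self, course_id, instructor):
        self.course_id = course_id
        self.instructor = instructor
        self.students = set()  # SFU enrolment, normally fed from campus groups
        self.guests = set()    # explicit, instructor-managed allowances

    def _require_instructor(self, actor):
        if actor != self.instructor:
            raise PermissionError("only the instructor manages guests")

    def add_guest(self, actor, guest):
        self._require_instructor(actor)
        self.guests.add(guest)

    def remove_guest(self, actor, guest):
        self._require_instructor(actor)
        self.guests.discard(guest)


def authorize(principal, course, action):
    """True only if the principal holds a role in this course that permits the
    action.  Being authenticated, by CAS or by a social login, grants nothing."""
    if principal == course.instructor:
        return True
    if principal in course.students and action in {"view", "submit"}:
        return True
    # Guests (SFU or external) get a narrower action set, only while listed.
    if principal in course.guests and action in {"view", "present"}:
        return True
    return False


def guest_lecture_scenario():
    """Walk the proposed workflow; returns the access decisions in order."""
    instructor = Principal("sfu", "jsmith")
    student = Principal("sfu", "astudent")
    guest = Principal("https://accounts.google.com", "g-20481")     # constructed
    stranger = Principal("https://accounts.google.com", "g-99999")  # constructed
    course = Course("CMPT-101", instructor)
    course.students.add(student)
    decisions = [
        authorize(guest, course, "present"),   # authenticated, not yet added
    ]
    course.add_guest(instructor, guest)        # instructor grants access
    decisions += [
        authorize(guest, course, "present"),   # now allowed
        authorize(guest, course, "submit"),    # outside the guest action set
        authorize(stranger, course, "view"),   # logged in via Google, unlisted
        authorize(student, course, "view"),    # ordinary enrolment still works
    ]
    course.remove_guest(instructor, guest)     # lesson over: access revoked
    decisions.append(authorize(guest, course, "view"))
    return decisions


def non_instructor_cannot_add_guest():
    """Only the "office manager" hands out the office key."""
    course = Course("CMPT-101", Principal("sfu", "jsmith"))
    try:
        course.add_guest(Principal("sfu", "astudent"), Principal("sfu", "x"))
    except PermissionError:
        return True
    return False
```

The point of keying the guest list on (issuer, subject) rather than on the bare Google or Facebook username is that the application then trusts exactly the identity CAS verified, and removing the entry after the lesson revokes access immediately instead of leaving a sponsored account live until its expiry date.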

Page 15

Questions

[email protected]