TRANSCRIPT
Minimally Invasive Enterprise IdM
Andrew Petro, Software Developer
Unicon, Inc.
Fall 2010 Internet2 Membership Meeting, Atlanta, GA
03 November 2010
© Copyright Unicon, Inc., 2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Summary
● Using existing LDAP and CAS support to
● Shibbolize and enable federated authentication into a vendor application
● With minimal change to the vendor application
What's interesting about this?
● Single sign on
● Delegated authentication without credential replay
● Multiple sources of identities, while retaining Liferay's self-service account creation capabilities
● Minimally invasive, minimal changes required to Liferay
The (very) basic idea
● Liferay portal
● Moodle learning management system
● Jasig CAS single sign on between these
[Diagram: Jasig CAS (single sign on), Liferay (portal), Moodle (learning management system)]
The basic idea
● Create accounts (via Liferay) and store in OpenLDAP
● Authenticate users via CAS (against LDAP)
● Moodle and Liferay query LDAP for attributes
[Diagram: CAS, Liferay, Moodle and OpenLDAP]
Most of the idea
● Create accounts (via Liferay) and store in LDAP
● Authenticate users via CAS (against LDAP)
● Moodle and Liferay query LDAP for attributes
● Users delegate the ability to access Moodle to Liferay via CAS
[Diagram: CAS, Liferay, Moodle and OpenLDAP]
Passwords are problematic
● My password is “johan”
● Your password will vary
  – Depending on the name of your dog
Delegated Authentication
● System B authenticates to System C on behalf of Person A
● That is, A delegates authentication to B for the purpose of authenticating to C
[Diagram: Person A, System B, System C]
Credential Replay
● Special (blunt) case of delegated authentication
● System B can authenticate on behalf of Person A because B borrows the credentials (password!) of A
[Diagram: a Liferay email portlet replaying the user's password to an IMAP server; more generally, a portal whose portlets each replay the password (PW) to password-protected services]
Authenticating Services to Services
● Credential replay?
● Service credentials and trust relationships?
● Topological restrictions?
● Sure, but what about the “on behalf of a user” part?
CAS proxy tickets
[Diagram: the Liferay MyCoursesPortlet, via a CAS client library, presents a CAS “proxy ticket” (not the end user password) to Moodle and gets back XML representing course data]
Delegated SAML Assertions
[Diagram: the Liferay MyCoursesPortlet presents a delegated SAML assertion (not the end user password) to Moodle, e.g. through a Shib SP, and gets back XML representing course data]
Federated Authentication
● Like Single Sign-On
● With multiple providers of identity (“Identity Providers” == IdPs)
Liferay
● Supports multiple means of authentication
  – Including CAS
● Supports syncing in user attributes and user groupings from LDAP
● Does not particularly support SAML or Shibboleth
CASShib
● Open source CAS extensions
● Allowing CAS to bridge to Shibboleth
● Applications consume CAS abstraction
● CASShib implements Shibboleth to allow federation
[Diagram: Moodle and Liferay talk to CAS; CAS bridges to a Shib SP, which federates with a Shib IdP backed by the Netacad credential store; OpenLDAP holds the WRI accounts]
Minimally Invasive Advanced IdM
[Diagram: Liferay gets account creation, user attributes and authentication through the CAS abstraction; CASShib bridges to the federation via SAML; LDAP holds the accounts and attributes]
Minimally invasive Advanced IdM
● Configure Liferay to use CAS (CASShib)
● Configure CASShib to bridge to Shib
● JIT provision OpenLDAP from CASShib (customized login Web flow)
● Configure Liferay to consume attributes from LDAP
● Ta da! Liferay is effectively Shibbolized, without having to modify Liferay to particularly support SAML for authentication or as a source of user attributes
ClearPass
● Free and Open Source Software
● Extending CAS to...
  – capture the end user's password at login
  – and selectively release this password to authorized applications
● Like, say, an enterprise portal
[Diagram: password replay alongside PTs: the portal holds the password (from ClearPass) and a PGT (from CAS); its portlets replay the password (PW) to password-protected services and present proxy tickets (PT) to CAS-protected services]
Liferay 5 extensions
● http://github.com/wgthom/Cas3Liferay5
● Use Jasig Java CAS Client library
● Obtain PT
● Use PT to obtain Password from ClearPass
● Place password into session where Liferay expects it
● Portlets use it as normal
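The CAS proxy-ticket flow from the “CAS proxy tickets” slide and the ClearPass release steps just listed, modelled together as an added example that is not code from the talk, from Jasig CAS, ClearPass or the Cas3Liferay5 extension: a toy in-memory CAS issues a service ticket, a PGT and proxy tickets; Moodle and a ClearPass-style endpoint validate the PT, see the proxy chain, and the password is released only when every proxy in that chain is on an assumed allowlist. All class names, function names and URLs are assumptions, and the PGT is returned inline rather than delivered to the pgtUrl callback as real CAS does.

```python
import secrets

class CasServer:
    """Toy in-memory CAS ticket registry (constructed for illustration, not real CAS code)."""
    def __init__(self):
        self.tickets = {}

    def _issue(self, kind, **fields):
        tid = f"{kind}-{secrets.token_hex(8)}"
        self.tickets[tid] = dict(kind=kind, **fields)
        return tid

    def login(self, user, service):
        # The user proves identity to CAS once; services only ever see tickets.
        return self._issue("ST", user=user, service=service, proxies=[])

    def validate(self, ticket, service, pgt_url=None):
        # Single use and bound to one service; a PT also carries its proxy chain.
        t = self.tickets.pop(ticket, None)
        if not t or t["kind"] not in ("ST", "PT") or t["service"] != service:
            return None
        out = {"user": t["user"], "proxies": t["proxies"]}
        if pgt_url:  # validator wants to proxy later: issue a PGT (inline here; real CAS posts it to pgt_url)
            out["pgt"] = self._issue("PGT", user=t["user"], proxies=[pgt_url] + t["proxies"])
        return out

    def proxy(self, pgt, target):
        t = self.tickets.get(pgt)
        if not t or t["kind"] != "PGT":
            return None
        return self._issue("PT", user=t["user"], service=target, proxies=t["proxies"])

LIFERAY, CALLBACK = "https://liferay.example/", "https://liferay.example/cas/proxyCallback"
MOODLE, CLEARPASS = "https://moodle.example/", "https://cas.example/clearPass"
AUTHORIZED = {CALLBACK}  # assumed allowlist of proxy callbacks permitted to act for users

def accept_proxy_chain(v):
    """Relying-party check: a proxied request is accepted only if every proxy is allowlisted."""
    return v is not None and bool(v["proxies"]) and set(v["proxies"]) <= AUTHORIZED

def clearpass_release(cas, vault, pt):
    """ClearPass-style release: the stored password leaves the vault only for an accepted PT."""
    v = cas.validate(pt, CLEARPASS)
    return vault.get(v["user"]) if accept_proxy_chain(v) else None

def portal_login(cas, vault, user):
    """Liferay validates its ST, gets a PGT, then PTs for Moodle and for ClearPass."""
    v = cas.validate(cas.login(user, LIFERAY), LIFERAY, pgt_url=CALLBACK)
    course_view = cas.validate(cas.proxy(v["pgt"], MOODLE), MOODLE)
    return course_view, clearpass_release(cas, vault, cas.proxy(v["pgt"], CLEARPASS))
```

Moodle never sees the user's password; it sees a username plus the chain of services that proxied for that user, which is what it can audit and restrict. The vault passed to portal_login stands in for the passwords ClearPass captured at login.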