the central authentication service (cas)
DESCRIPTION
The Central Authentication Service (CAS). Shawn Bayern Research programmer, Yale University Author, JSTL in Action , Web Development with JavaServer Pages JSTL implementation lead (JCP, Apache). Agenda. Introduction to CAS Examples of CAS in action N-tier authentication - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/1.jpg)
The Central Authentication Service (CAS)
Shawn Bayern Research programmer, Yale University Author, JSTL in Action,
Web Development with JavaServer Pages JSTL implementation lead (JCP, Apache)
![Page 2: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/2.jpg)
Agenda
Introduction to CAS Examples of CAS in action N-tier authentication
Using CAS with applications like portals and web-based email
CAS in context CAS at Yale Alternatives to CAS
Summary, URLs, Q&A
![Page 3: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/3.jpg)
Introducing CAS
What is CAS, what does it offer, and how does it function?
![Page 4: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/4.jpg)
What is CAS?
CAS is a single sign-on framework for Web applications Resources that web applications use (e.g.,
mail servers) Why single sign-on?
Convenience and security (unlikely allies)
• Users have to do less• Applications are protected from one another
Content aggregation
![Page 5: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/5.jpg)
Aggregating content → Aggregating authentication
Before After
![Page 6: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/6.jpg)
CAS in a nutshell
BrowserWeb application
Authenticateswithout sending password
Authenticates
via password (once)
Determinesvalidity of user’sclaimedauthentication
![Page 7: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/7.jpg)
Primary benefits of CAS
Works with existing authentication infrastructures, such as Kerberos
Can be used by nearly any Web-application development environment (JSP, Servlets, ASP, Perl, mod_perl, PHP, Python, PL/SQL, and so forth) — or as a server-wide Apache module
Allows "proxy" authentication for Web portals Lets users authenticate securely to untrusted sites
(e.g., student-run sites and third-party vendors) without supplying a password directly
Is portable (written in Java: Servlets, JSP, and JSTL) Is freely available from Yale (with source code)
![Page 8: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/8.jpg)
How CAS really works
Webresource
CAS
Webbrowser
S
C
S T
S T
![Page 9: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/9.jpg)
CAS requirements
CAS uses but does not requireJavaScript
• For consistent, secure redirection
HTTP cookies• For single sign-on
CAS server requires Servlet 2.3, JSP 1.2 container
![Page 10: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/10.jpg)
Side benefits of CAS
Users can be asked to avoid supplying password except to trusted site. Expected URL Known “look and
feel” Authentic peer
certificate (if anyone cares)
![Page 11: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/11.jpg)
Side benefits of CAS
Easy way to “reach” userse.g., to require them to change
password at regular intervals Centralized maintenance
Can change many CAS details without changing client libraries
Unified authenticationCan manage smart cards, Kerberos,
etc. from a single location
![Page 12: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/12.jpg)
CAS examples
Low-level and high-level APIs and tools
![Page 13: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/13.jpg)
Example: Low-level API
Java Servlet that authenticates users
import edu.yale.its.tp.cas.client.ServiceTicketValidator;
ServiceTicketValidator sv = new ServiceTicketValidator();sv.setCasValidateUrl( "https://secure.its.yale.edu/cas/serviceValidate");sv.setService(“http://my/url”);sv.setServiceTicket(request.getParameter(“ticket”));sv.validate();if (sv.isAuthenticationSuccesful()) { System.out.println("user: " + sv.getUser()); // record authentication in HttpSession}
Application
must manage
redirection
to CAS itself
![Page 14: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/14.jpg)
Example: Reusable CAS component
JSP page to authenticate users
<%@ taglib prefix=“cas” uri=“…” %>
<cas:auth var=“username” scope=“session”/>
<p>Welcome, <c:out value=“${username}”/>.If you’ve gotten this far, you are authenticated.Come, make yourself at home.</p>
Redirection
occurs
automatically
![Page 15: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/15.jpg)
Example:Declarative CAS authentication in application server
Servlet 2.3 filter to assert requirement for CAS authentication
<filter> <filter-name>CAS Filter</filter-name> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> <param-value>https://secure.its.yale.edu/cas/login</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> <param-value>https://secure.its.yale.edu/cas/proxyValidate</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Filter</filter-name> <url-pattern>/filtered/*</url-pattern> </filter-mapping>
Application
simply
retrieves
username
from
HttpSession
![Page 16: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/16.jpg)
Example: Declarative CAS authentication in web server
mod_cas for Apache 1.x, Apache 2.x
Username exposed as CGI environment variable, REMOTE_USER
Or… just protect static content• mod_cas supports “Require user X,Y,Z” and
“Require group” in addition to “Require valid-user”
AuthType CASRequire valid-user
Server manages
authentication.
Application simply
checks with server.
![Page 17: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/17.jpg)
N-Tier Authentication
How can we use CAS in portals, web-based email applications, and other scenarios where non-web resources provide secure data?
![Page 18: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/18.jpg)
The goal
•Portal•Web-mail
•Channel•Mail server
![Page 19: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/19.jpg)
The problem
Applications can authenticate users securely with CAS.
But applications don’t have first-hand knowledge of users’ credentials.
This is a good thing . . .Except that the application can’t
impersonate the user in order to acquire secure data for the user.
![Page 20: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/20.jpg)
CAS’s solution: proxiable credentials
1. During validation of ST, an application acquires a proxy-granting ticket (PGT) from CAS
2. When the application needs access to a resource, it uses the PGT to get a proxy ticket (PT)
3. The application sends the PT to a back-end application.
4. The back-end application confirms the PT with CAS, and also gains information about who proxied the authentication.
![Page 21: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/21.jpg)
Proxiable credentials illustrated
Webresource CAS
S T
Non-webresource
PGT
PGT
PT
PT
PT
-Username
-Identity of web resource
![Page 22: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/22.jpg)
Characteristics of CAS’s solution Back-end applications maintain control over
their data For instance, IMAP server may assert, “The
only web-based email application I trust is https://www.mail.yale.edu/”
Default: no proxies allowed! User logout or timeout destroys subordinate
credentials User must be “present” for proxied
authentication to occur.
![Page 23: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/23.jpg)
CAS in context
How is CAS used at Yale?
Are there alternatives to CAS?
![Page 24: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/24.jpg)
CAS at Yale
Used by systems in support of students and administrators Used occasionally by unprivileged students
Mostly Java and Perl; some ASP Apache module used widely Proxy authentication: incipient deployment
PAM module to be used with email servers CAS to support uPortal deployment
![Page 25: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/25.jpg)
Characteristics of alternative systems Typically require pre-registration
Institution determines security requirements of services. May handle more than just authentication
Session management ACLs Identification Principal translation
May be platform- or server-specific Passport (Windows) Pubcookie
May depend on particular institutional characteristics—e.g., Network topology Service hosting on institutionally managed web servers
CAS’s main advantages: simplicity and generality.
![Page 26: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/26.jpg)
Summary
CAS… is a free single sign-on framework from Yale works with nearly all back-end authentication
subsystems provides secure authentication for both
trusted and untrusted applications CAS supports proxied authentication for
applications like portals and web-based email
![Page 27: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/27.jpg)
URLs
CAS distribution sitehttp://www.yale.edu/tp/cas/
• Whitepapers• Design• Protocol
• Source distribution• License information
My email address [email protected]
![Page 28: The Central Authentication Service (CAS)](https://reader033.vdocuments.net/reader033/viewer/2022050908/56813c94550346895da6430e/html5/thumbnails/28.jpg)
Q&A
Alternative single sign-on systems?
CAS implementation questions?
Statistics?
Comments from schools already using CAS?