uPortal and the Yale Central Authentication Service. Drew Mazurek, ITS Technology & Planning, Yale University. JA-SIG Summer Conference '04, Denver, CO, June 21, 2004.

Post on 20-Dec-2015


Page 1: UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June

uPortal and the Yale Central Authentication Service

Drew Mazurek

ITS Technology & Planning

Yale University

JA-SIG Summer Conference ‘04

Denver, CO

June 21, 2004

Page 2:

What's coming up...

CAS overview

n-tier authentication problem

uPortal and CAS integration

CAS channel examples

Questions

Discussion

Page 3:

CAS in a nutshell

[Diagram: Browser, Web application, CAS. Arrow labels: "Authenticates without sending password"; "Authenticates via password (once)"; "Determines validity of user's claimed authentication".]

Page 4:

How CAS Works

[Diagram: Web browser, CAS, Web application. Labels: S, C, T, S T, NetID.]

Page 5:

n-tier authentication problem

[Diagram: Portal, Channel.]

Page 6:

n-tier authentication problem

[Diagram: Portal with three Channels, each connected to a Password-protected service; every hop is labelled PW. Caption: Password caching.]

Page 7:

n-tier authentication problem

uPortal can authenticate users securely with CAS

But it does not know about users' primary credentials

This is a good thing, except uPortal can't impersonate the user in order to acquire secure data for the user

Page 8:

CAS 2.0: Proxy CAS

[Diagram: Web browser, CAS, Web application (with an https listener). Labels: S, C, ST, S T, NetID, PGTURL, PGTIOU, PGTIOU PGT.]

Page 9:

CAS 2.0: Proxy CAS

[Diagram: Web browser, CAS, Web application, Back-end application. Labels: S PGT, PT, PT PT S, NetID, PGTURL, Data.]

Page 10:

CAS Security Provider

Uses CAS for primary authentication

Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution

Exposes a public method to channels to get a proxy ticket for a particular service

Back-end systems must be configured to accept and validate proxy credentials from uPortal

Page 11:

uPortal with CAS Provider

[Diagram: CAS, Channel resource, CAS SecurityContext, Channel, CASTicketReceptorServlet. Labels: T, PGT IOU, PGT, PT, PGTURL, getProxyTicket(pgtIou,service), getCasServiceToken; the ticket carries "Username" and "Identity of proxy (portal)".]
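Added example for the PGTIOU/PGT indirection shown on this slide; it is written for this page and is not uPortal's CasProxyServlet or the CAS client's ProxyTicketReceptor. The class and method names are hypothetical, and the CAS /proxy endpoint is replaced by a constructed stand-in so the code runs offline.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # CAS 2.0 response namespace


class ProxyTicketReceptor:
    """Portal-side bookkeeping for CAS 2.0 proxying (hypothetical class).

    CAS hands the portal only a PGTIOU in the service-ticket validation
    response; the PGT itself arrives separately at the portal's PGTURL, so
    the receptor records PGTIOU -> PGT and channels redeem the IOU later.
    """

    def __init__(self, cas_proxy_endpoint):
        # cas_proxy_endpoint(pgt, target_service) -> XML text from CAS /proxy.
        # Injected so this runs offline against a constructed stand-in.
        self._cas_proxy = cas_proxy_endpoint
        self._pgts = {}

    def receive_callback(self, query_string):
        """Handler behind the https listener at the PGTURL; True if stored."""
        params = urllib.parse.parse_qs(query_string)
        pgt_iou = params.get("pgtIou", [None])[0]
        pgt = params.get("pgtId", [None])[0]
        if not pgt_iou or not pgt:
            return False   # CAS first probes the callback with no parameters
        self._pgts[pgt_iou] = pgt
        return True

    def get_proxy_ticket(self, pgt_iou, service):
        """The slide's getProxyTicket(pgtIou, service): redeem the IOU, ask CAS for a PT."""
        pgt = self._pgts.get(pgt_iou)
        if pgt is None:
            raise KeyError("no PGT delivered for this PGTIOU")
        root = ET.fromstring(self._cas_proxy(pgt, service))
        ticket = root.find("cas:proxySuccess/cas:proxyTicket", CAS_NS)
        if ticket is None:
            failure = root.find("cas:proxyFailure", CAS_NS)
            raise ValueError(failure.get("code") if failure is not None else "bad response")
        return ticket.text.strip()


def fake_cas_proxy(pgt, target_service):
    """Constructed stand-in for CAS /proxy?pgt=...&targetService=... (not CAS itself)."""
    if pgt == "PGT-example":
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                "<cas:proxySuccess><cas:proxyTicket>PT-example</cas:proxyTicket>"
                "</cas:proxySuccess></cas:serviceResponse>")
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:proxyFailure code='BAD_PGT'>unknown pgt</cas:proxyFailure>"
            "</cas:serviceResponse>")
```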

Page 12:

CAS, uPortal, and other applications at Yale

Simple service-ticket authentication: IMP webmail; Email Account Configuration Tool

Single-tier proxy-ticket authentication: Meeting Maker

Multi-tier proxy-ticket authentication: Recent Email Channel

Page 13:

IMP Webmail

https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Dview_message%3F97552

Page 14:

IMP Webmail

Page 15:

IMP Webmail

1. User clicks on link in Recent Email channel

Page 16:

IMP Webmail

1. User clicks on link in Recent Email channel

2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552

Page 17:

IMP Webmail

1. User clicks on link in Recent Email channel

2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552

3. IMP stores destination URL/message as session variable, and redirects the browser to CAS

Page 18:

IMP Webmail

4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message

Page 19:

IMP Webmail

4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message

But how is the user authenticated to the IMAP server?

Page 20:

IMP Webmail

4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message

But how is the user authenticated to the IMAP server?

IMP normally wants to replay cached primary credentials

Page 21:

IMP Webmail – CAS PAM module

[Diagram: IMP, CAS, IMAP server, CAS PAM module. Labels: ST, PGT, PT; annotated with "- NetID" and "- IMP's proxy callback URL (unique ID)".]

Page 22:

Email Account Configuration Tool

Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management

CASified one year ago

Page 23:

Email Account Configuration Tool

Linked in uPortal as:

https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main

Page 24:

Email Account Configuration Tool

Linked in uPortal as:

https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main

Simple service ticket-only authentication

Page 25:

Email Account Configuration Tool

Linked in uPortal as:

https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main

Simple service ticket-only authentication

Takes advantage of single sign-on

Page 26:

Email Account Configuration Tool

https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main

Page 27:

Email Account Configuration Tool

Page 28:

Meeting Maker

Page 29:

Meeting Maker

Meeting Maker, Inc. provides a Java API to access calendaring data

A Java servlet uses the API to retrieve data and provide an XML feed to the portal

The servlet doesn't know about the user's MM password – it uses a master MM server password to access the data

Page 30:

Meeting Maker

[Diagram: uPortal, MeetingMakerServlet, MeetingMakerServer, CAS. Labels: XML, MM admin PW, PT, PT S, NetID, ProxyID, MM data, PGT, S.]

Page 31:

Meeting Maker

Channel authentication performed through CAS Java Servlet filter (included in CAS client library)

uPortal's CAS proxy callback URL configured in web application's deployment descriptor:

    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
      <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
    </init-param>
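Added example, not code from the CAS client library or the Meeting Maker servlet: the back-end check that the authorizedProxy setting above stands for, applied to constructed CAS 2.0 proxyValidate responses (the NetID and the second callback URL are made-up values). It also covers the two-proxy chain a multi-tier channel such as the Recent Email Channel produces.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # CAS 2.0 response namespace

# The portal's proxy callback URL, as set in the deployment descriptor above.
AUTHORIZED_PROXY = "https://portal.yale.edu/CasProxyServlet"


def validate_proxy_response(xml_text, authorized_proxies):
    """Interpret a CAS 2.0 /proxyValidate response on the back-end side.

    Returns (netid, proxy_chain) when CAS reports success and every proxy in
    the chain is trusted, else (None, reason). CAS lists the most recent
    proxy first. Hypothetical helper, not the client's ProxyTicketValidator.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        return None, (failure.get("code") if failure is not None else "NO_RESPONSE")
    netid = success.findtext("cas:user", namespaces=CAS_NS)
    chain = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    # Without this check any CASified application holding a PGT could mint
    # proxy tickets for this service; only the configured proxy may do so.
    for proxy in chain:
        if proxy not in authorized_proxies:
            return None, "UNAUTHORIZED_PROXY:" + proxy
    return netid, chain


# Constructed sample responses (NetID and non-portal URLs are made up).
SINGLE_TIER = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid-example</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.yale.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Multi-tier shape: a servlet proxied on behalf of the portal, so the final
# back end sees the servlet's callback first, then the portal's.
SERVLET_CALLBACK = "https://emailservlet.example.edu/pgtCallback"
MULTI_TIER = SINGLE_TIER.replace(
    "<cas:proxies>", "<cas:proxies><cas:proxy>" + SERVLET_CALLBACK + "</cas:proxy>")

ROGUE = SINGLE_TIER.replace(AUTHORIZED_PROXY, "https://rogue.example.edu/pgtCallback")

INVALID = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```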

Page 32:

Recent Email Channel

Page 33:

Recent Email Channel

Displays 10 most recent email messages

Multi-tier CAS proxy authentication

Same design as Meeting Maker: servlet pulls data from back-end source, returns as XML

Different authentication from MM: IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module

Page 34:

Recent Email Channel

[Diagram: uPortal, EmailServlet, IMAP Server, CAS. Labels: PT, PGT, S.]

Page 35:

Recent Email Channel

[Diagram: uPortal, EmailServlet, IMAP Server, CAS. Labels: PT, PT, NetID ProxyID, S, PGTURL, PGTIOU PGT.]

Page 36:

Recent Email Channel

[Diagram: uPortal, EmailServlet, IMAP Server, CAS. Labels: XML, PGT, PT, NetID, IMAP session, S, PT, PT, NetID, ProxyIDs.]

Page 37:

Recent Email Channel

Can't use CAS filter because it must obtain proxy tickets to pass to IMAP

Uses the CAS ProxyTicketValidator for authentication (included with CAS client library): getProxyTicket()

Current beta of CAS filter provides support for acquiring proxy tickets

Page 38:

Summary

Simple CAS authentication

n-tier authentication problem

CAS's solution: Proxy CAS

uPortal and CAS Security Provider

Page 39:

Summary

uPortal, CAS, and other applications

Simple service ticket authentication: IMP Webmail; Email Account Configuration Tool

Single-layer proxy ticket authentication: Meeting Maker

Multi-layer proxy ticket authentication: Recent Email Channel

Page 40:

Questions?

Page 41:

For more information

Drew Mazurek <[email protected]>

CAS Web Site: http://www.yale.edu/tp/cas

CAS Mailing List: [email protected], http://tp.its.yale.edu/mailman/listinfo/cas

This presentation: http://www.yale.edu/tp/cas/cas-jasig-2004.ppt, http://www.yale.edu/tp/cas/cas-jasig-2004.htm