Post on 20-Dec-2015
uPortal and the Yale Central Authentication Service
Drew Mazurek
ITS Technology & Planning
Yale University
JA-SIG Summer Conference ‘04
Denver, CO
June 21, 2004
What’s coming up…
CAS overview
n-tier authentication problem
uPortal and CAS integration
CAS channel examples
Questions
Discussion
CAS in a nutshell
[Diagram: browser, CAS and web application. The browser authenticates to the web application without sending its password; it authenticates to CAS via password (once); the web application determines the validity of the user’s claimed authentication.]
How CAS Works
[Diagram: web browser, CAS and web application; labels S, C, T, S T, NetID.]
n-tier authentication problem
[Diagram: Portal with a Channel.]
n-tier authentication problem
[Diagram: Portal with three Channels, each backed by a password-protected service; the password (PW) is handed along at every hop; labelled “Password caching”.]
n-tier authentication problem
uPortal can authenticate users securely with CAS
But it does not know about users’ primary credentials
This is a good thing, except uPortal can’t impersonate the user in order to acquire secure data for the user
CAS 2.0: Proxy CAS
[Diagram: web browser, CAS and web application; the web application runs an https listener; labels S, C, ST, S T, NetID, PGTURL, PGTIOU, PGTIOU PGT.]
CAS 2.0: Proxy CAS
[Diagram: web browser, CAS, web application and back-end application; labels S PGT, PT, PT PT S, NetID, PGTURL, Data.]
CAS Security Provider
Uses CAS for primary authentication
Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution
Exposes a public method to channels to get a proxy ticket for a particular service
Back-end systems must be configured to accept and validate proxy credentials from uPortal
uPortal with CAS Provider
[Diagram: CAS, the CAS SecurityContext, a Channel, the CASTicketReceptorServlet and a channel resource; the channel calls getProxyTicket(pgtIou, service) and getCasServiceToken; tickets T, PGT IOU, PGT and PT are exchanged, PGTURL is the callback, and the validated PT yields the username and the identity of the proxy (portal).]
CAS, uPortal, and other applications at Yale
Simple service-ticket authentication: IMP webmail, Email Account Configuration Tool
Single-tier proxy-ticket authentication: Meeting Maker
Multi-tier proxy-ticket authentication: Recent Email Channel
IMP Webmail
https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Dview_message%3F97552
IMP Webmail
1. User clicks on link in Recent Email channel
2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
3. IMP stores destination URL/message as session variable, and redirects the browser to CAS
4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message
But how is the user authenticated to the IMAP server?
IMP normally wants to replay cached primary credentials
IMP Webmail – CAS PAM module
[Diagram: IMP, CAS, and the IMAP server with its CAS PAM module; tickets ST, PGT, PT; validation yields the NetID and IMP’s proxy callback URL (unique ID).]
Email Account Configuration Tool
Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management
CASified one year ago
Email Account Configuration Tool
Linked in uPortal as:
https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main
Simple service ticket-only authentication
Takes advantage of single sign-on
Email Account Configuration Tool
[Screenshot of the tool, reached via https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main]
Meeting Maker
Meeting Maker, Inc. provides a Java API to access calendaring data
A Java servlet uses the API to retrieve data and provide an XML feed to the portal
The servlet doesn’t know about the user’s MM password – it uses a master MM server password to access the data
Meeting Maker
[Diagram: uPortal, MeetingMakerServlet, MeetingMakerServer and CAS; the servlet holds the MM admin PW and returns XML to the portal; tickets S, PT, PGT; validation yields NetID and ProxyID; MM data flows back.]
Meeting Maker
Channel authentication performed through CAS Java Servlet filter (included in CAS client library)
uPortal’s CAS proxy callback URL configured in web application’s deployment descriptor:
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
      <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
    </init-param>
Recent Email Channel
Displays 10 most recent email messages
Multi-tier CAS proxy authentication
Same design as Meeting Maker: servlet pulls data from back-end source, returns as XML
Different authentication from MM: IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module
Recent Email Channel
[Diagram, built up over three slides: uPortal, EmailServlet, IMAPServer and CAS; tickets S, PT, PGT, PGTIOU, with PGTURL as the callback; validation yields NetID and ProxyID(s); the servlet opens an IMAP session and returns XML to the portal.]
Recent Email Channel
Can’t use CAS filter because it must obtain proxy tickets to pass to IMAP
Uses the CAS ProxyTicketValidator for authentication (included with CAS client library): getProxyTicket()
Current beta of CAS filter provides support for acquiring proxy tickets
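As an added example (not from the slides, uPortal or the CAS project), this Python model walks through the ST/PGTIOU/PGT/PT exchange of the Proxy CAS slides, the authorizedProxy rule from the Meeting Maker deployment descriptor, and the two-hop chain of the Recent Email channel; the hostnames, callback paths and netid are placeholders.

```python
import secrets
# Toy model of the CAS 2.0 proxy exchange shown on these slides (constructed
# example, not Yale's CAS server or client code); hostnames are placeholders.
PORTAL_CB = "https://portal.example/CasProxyServlet"  # uPortal's PGT callback
EMAIL_CB = "https://email.example/pgtCallback"        # EmailServlet's callback

class CasServer:
    def __init__(self):
        self.tickets = {}    # ticket -> (kind, netid, service, proxy chain)
        self.delivered = {}  # (pgtUrl, pgtIou) -> PGT pushed to the https listener

    def issue(self, kind, netid, service, proxies):
        t = f"{kind}-{secrets.token_hex(4)}"
        self.tickets[t] = (kind, netid, service, proxies)
        return t  # an ST comes from /login after the browser's one password entry

    def _validate(self, ticket, service, kinds, pgt_url):
        e = self.tickets.pop(ticket, None)  # STs and PTs are single-use
        if e is None or e[0] not in kinds or e[2] != service:
            return None
        resp = {"user": e[1], "proxies": list(e[3])}  # nearest proxy first
        if pgt_url:  # caller wants to proxy on: the PGT goes to its https listener
            iou = "PGTIOU-" + secrets.token_hex(4)
            self.delivered[(pgt_url, iou)] = self.issue("PGT", e[1], pgt_url, (pgt_url,) + e[3])
            resp["pgtIou"] = iou  # only the IOU rides back in the validation response
        return resp

    def service_validate(self, t, svc, pgt_url=None):  # /serviceValidate: ST only
        return self._validate(t, svc, {"ST"}, pgt_url)

    def proxy_validate(self, t, svc, pgt_url=None):  # /proxyValidate: ST or PT
        return self._validate(t, svc, {"ST", "PT"}, pgt_url)

    def proxy(self, pgt, target):  # /proxy: the PGT is reusable, the PT inherits its chain
        e = self.tickets.get(pgt)
        return None if e is None or e[0] != "PGT" else self.issue("PT", e[1], target, e[3])

def accept(resp, authorized):
    # Back-end rule (cf. the authorizedProxy init-param): honour a PT only when
    # the proxy nearest to us is trusted; a plain ST carries no chain at all.
    return resp is not None and (not resp["proxies"] or resp["proxies"][0] in authorized)

def recent_email_flow():
    portal, email, imap = "https://portal.example/Login", "https://email.example/EmailServlet", "imap://imap.example"
    cas = CasServer()
    r1 = cas.service_validate(cas.issue("ST", "netid123", portal, ()), portal, pgt_url=PORTAL_CB)
    pt1 = cas.proxy(cas.delivered[(PORTAL_CB, r1["pgtIou"])], email)  # channel -> EmailServlet
    r2 = cas.proxy_validate(pt1, email, pgt_url=EMAIL_CB)              # servlet proxies onward
    pt2 = cas.proxy(cas.delivered[(EMAIL_CB, r2["pgtIou"])], imap)
    return cas.proxy_validate(pt2, imap)  # what the IMAP server's CAS PAM module sees
```

The IMAP side sees the user plus the full proxy chain, so it can refuse a ticket whose nearest proxy is not the servlet it expects, which is the check the authorizedProxy setting encodes for the Meeting Maker servlet.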
Summary
Simple CAS authentication
n-tier authentication problem
CAS’s solution: Proxy CAS
uPortal and CAS Security Provider
uPortal, CAS, and other applications
Simple service ticket authentication: IMP Webmail, Email Account Configuration Tool
Single-layer proxy ticket authentication: Meeting Maker
Multi-layer proxy ticket authentication: Recent Email Channel
Questions?
For more information
Drew Mazurek <[email protected]>
CAS Web Site: http://www.yale.edu/tp/cas
CAS Mailing List: [email protected], http://tp.its.yale.edu/mailman/listinfo/cas
This presentation: http://www.yale.edu/tp/cas/cas-jasig-2004.ppt, http://www.yale.edu/tp/cas/cas-jasig-2004.htm