central authentication service roadmap ja-sig winter 2004
Central Authentication Service Roadmap
JA-SIG Winter 2004
A new CAS Presentation
What is CAS? (Enterprise Single Sign On)
What’s new with CAS? (new CAS Java Client)
What’s using CAS? (Acegi)
Where is CAS going? (Roadmap)
Resources?
What is CAS?
Enterprise Web Single-sign-on
Your users authenticate to CAS
Only CAS sees user passwords
Your applications receive assurance of authentication from CAS
CAS as Trusted
CAS is the Trusted Intermediary
The Bad Old Days
Log in to each application
Application A, Application B, Application C, Application D, Application E, Application F
Examples
We’re going to walk through two examples demonstrating CAS’s features.
Example: Network registration
Welcome to Our University Network Registration.
First, you need to log in:
CAS Login
CAS redirects back to application
Places ticket=ABCDEFG123 on the request
Application receives ticket
Validates ticket with CAS server
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
Okay, user is authenticated
Notice: The user didn’t give her password to the application itself.
CAS Vocabulary
Ticket – it’s a longish random String.
Ticket Granting Ticket / Ticket Granting Cookie – a CAS session identifier
Service Ticket
Proxy Granting Ticket
Proxy Ticket
Example 2: uPortal & SSO
Great, we’ve authenticated. Now let’s visit our uPortal:
CAS does not display
Reads the secure cookie from the browser session.
Single sign on.
Redirects back to uPortal with the ticket.
uPortal validates the ticket
And requests a Proxy Granting Ticket.
Authenticated to uPortal
Proxying to get my mail
uPortal uses the PGT to get a PT for the mail XML service, then requests the mail XML service.
Mail XML service receives the PT, validates it, and gets a PGT.
Mail XML service gets a PT for the IMAP server and presents it to the IMAP server.
IMAP server delegates to PAM_CAS to validate the PT.
The result
Recent Email Channel
[Diagram: EmailServlet, uPortal, IMAP server and CAS exchanging XML; arrows labelled PGT, PT, NetID, IMAP session and ProxyIDs]
What is CAS?
CAS is web SSO.
CAS is a concrete (Java Servlets) implementation.
CAS is a constellation of client libraries, including PAM, Apache modules, Java .jars, php, perl, …
What’s new? CAS Java Client
Version 2.1.0
CASFilter
CAS Java Servlet Filter
Renew and Gateway features
Optionally set the remoteUser
Allows multiple authorized proxies
CASReceipt
CASReceipt represents results from CAS authentication
Exposed in the session by CASFilter
Filter Composition
Subsequent filters can examine the results of CAS authentication:
ProxyChainScrutinizerFilter
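The following Python is an added example, not code from the slides or from the CAS Java Client. It shows the application side of the flow on slides 8 through 11 (redirect to CAS naming the service, pick the ticket off the request, validate it over the back channel, parse the cas:serviceResponse) and the kind of check a filter like ProxyChainScrutinizerFilter performs on the proxy chain of a proxied ticket. Assumptions: the /login, /serviceValidate and /proxyValidate endpoints and the cas:authenticationFailure element with its code attribute follow the CAS 2.0 protocol (the slide only shows the success form); the "every proxy in the chain must be authorized" policy is an illustrative strict rule, not necessarily CASFilter's exact one; all host names and the proxied and failure responses are constructed.

```python
# Added example (not from the slides or the CAS Java Client). Endpoint names and
# the failure element follow the CAS 2.0 protocol; the proxy policy is an
# assumed strict rule; URLs and the proxied/failure samples are made up.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used in the slide-11 response


def q(tag: str) -> str:
    """Namespace-qualified tag name for ElementTree lookups."""
    return "{%s}%s" % (CAS_NS, tag)


def login_redirect_url(cas_base: str, service: str) -> str:
    """Slides 8-9: send the browser to CAS, naming this application as the service."""
    return cas_base + "/login?" + urlencode({"service": service})


def validation_url(cas_base: str, service: str, request_url: str, proxied: bool = False) -> str:
    """Slides 10-11: CAS came back with ticket=... on the request. Build the back-channel
    validation URL; the service value must be the one used at login, since CAS binds
    the ticket to it. Proxy tickets go to /proxyValidate instead."""
    ticket = parse_qs(urlsplit(request_url).query).get("ticket", [""])[0]
    if not ticket:
        raise ValueError("no ticket on the request")
    endpoint = "/proxyValidate" if proxied else "/serviceValidate"
    return cas_base + endpoint + "?" + urlencode({"service": service, "ticket": ticket})


@dataclass
class ValidationResult:
    success: bool
    user: Optional[str] = None
    proxies: List[str] = field(default_factory=list)  # most recent proxy first
    failure_code: Optional[str] = None
    message: str = ""


def parse_validation_response(xml_text: str) -> ValidationResult:
    """Parse the cas:serviceResponse body returned by the validation URL."""
    root = ET.fromstring(xml_text)
    if root.tag != q("serviceResponse"):
        raise ValueError("not a cas:serviceResponse document")
    ok = root.find(q("authenticationSuccess"))
    if ok is not None:
        user = ok.findtext(q("user"), default="").strip()
        if not user:
            raise ValueError("authenticationSuccess without a cas:user")
        proxies = [p.text.strip() for p in ok.iterfind(q("proxies") + "/" + q("proxy")) if p.text]
        return ValidationResult(True, user=user, proxies=proxies)
    bad = root.find(q("authenticationFailure"))
    if bad is not None:
        return ValidationResult(False, failure_code=bad.get("code"), message=(bad.text or "").strip())
    raise ValueError("neither authenticationSuccess nor authenticationFailure present")


def proxy_chain_authorized(proxies: List[str], authorized: Set[str]) -> bool:
    """Direct service tickets (empty chain) pass; a proxied ticket passes only if every
    proxy in the chain is one this application has chosen to trust (assumed strict rule)."""
    return all(p in authorized for p in proxies)


def authenticate(xml_text: str, authorized_proxies: Set[str]) -> Optional[str]:
    """What a filter in front of the application decides: the NetID to expose as
    remoteUser, or None if the request must be refused."""
    result = parse_validation_response(xml_text)
    if not result.success or not proxy_chain_authorized(result.proxies, authorized_proxies):
        return None
    return result.user


# Constructed samples. The first is the slide-11 response, re-indented.
SLIDE_11_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# A proxied ticket as the mail XML service of slide 18 would see it (made-up proxy URL).
UPORTAL_PROXY = "https://portal.example.edu/uPortal/CasProxyServlet"
PROXIED_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>awp9</cas:user>
    <cas:proxies><cas:proxy>%s</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>""" % UPORTAL_PROXY

# A rejected ticket in the CAS 2.0 failure form (code attribute plus free-text message).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-made-up' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

The point the slides make on page 12 is enforced by construction here: the application never sees a password, only a ticket, and the ticket is worth nothing until CAS has confirmed it for exactly the service that was named at login. Rejecting an unknown proxy chain is what turns "multiple authorized proxies" from a list in a config file into an actual decision.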
Commons logging
CAS Java Client 2.1.x
uPortal: YaleCASFilteredContext
Use CASValidateFilter to accomplish the actual ticket validation – YaleCASFilteredContext just consumes the CASReceipt.
The approach
CASFilter -> Additional filtering -> Your application
What’s new: Acegi
Acegi is an authentication/authorization framework that works well with Spring
It supports CAS for enterprise single sign on
A layer of abstraction beyond the CAS Java Client.
Roadmap
Where is CAS going?
Formalization of CAS protocol
SAML as the language for CAS requests and responses
Interface-rich, more pluggable server implementation
Formalization of CAS protocol
Before CAS can be re-implemented, we need a formal specification of exactly what protocol it implemented the first time.
SAML
CAS 2.0 uses ad-hoc XML. This was simple, worked well.
CAS 3.0 will additionally support SAML. More complex, but more standards compliant.
CAS as the authentication piece in a Shibboleth installation.
Assertions
CAS SAML assertions of who logged in how when
Attribute assertions
PGTs are attributes?
Details not yet fully defined
Attribute assertions
Common use case: now that you’ve authenticated your user, you want some attributes
SAML language allows us to assert attributes other than the user name at ticket validation
SSL callback and client certs
CAS uses an https: callback to authenticate the service
Signed SAML requests provide us an alternative
Interface-rich, more pluggable
Old model: you download CAS and then hack away at it to make it meet your needs.
New model: you plug in local changes at well-defined extension points
Load Balancing CAS
Why not to do this
Default: ticket store backed by in-memory cache
Possible: ticket store backed by RDBMS
Possible: ticket store backed by [pick your favorite cache implementation]
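As an added example that is not part of the slides or of the CAS server code, the following Python is a minimal ticket store of the in-memory kind named above as the default, written to make the rules behind the slide-13 vocabulary concrete: a ticket is a long random string; a Service Ticket or Proxy Ticket is bound to the service it was issued for, expires, and validates exactly once; a Proxy Granting Ticket can mint Proxy Tickets the way a Ticket Granting Ticket mints Service Tickets. The lifetime constant, the token format, the injectable clock and the method names are all assumptions for the example; a real CAS deployment tunes the lifetimes and, as the slide notes, a process-local dictionary like this one is exactly why two load-balanced nodes cannot share tickets.

```python
# Added example (not from the slides or the CAS server). Lifetimes, id format
# and method names are assumptions made for illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ST_TTL_SECONDS = 300  # assumed lifetime for service and proxy tickets


@dataclass
class Ticket:
    kind: str                  # "TGT", "PGT", "ST" or "PT"
    user: str                  # the NetID the ticket vouches for
    service: Optional[str]     # ST/PT only: the service it was issued for
    issued_at: float
    granted_by: Optional[str]  # ST/PT only: id of the TGT/PGT that granted it


class InMemoryTicketStore:
    """Slide 38's default: a process-local cache. A second CAS node would not
    see these tickets, which is what makes load balancing awkward."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._tickets: Dict[str, Ticket] = {}
        self._now = now  # injectable clock so expiry can be tested

    def _new_id(self, kind: str) -> str:
        # "a longish random String": 32 random bytes from the OS CSPRNG, URL-safe
        return "%s-%s" % (kind, secrets.token_urlsafe(32))

    def grant_tgt(self, user: str) -> str:
        """Login succeeded: create the CAS session (the TGC cookie carries this id)."""
        tid = self._new_id("TGT")
        self._tickets[tid] = Ticket("TGT", user, None, self._now(), None)
        return tid

    def grant_pgt(self, user: str) -> str:
        """Slide 16: a service that has validated a ticket asks for a PGT."""
        tid = self._new_id("PGT")
        self._tickets[tid] = Ticket("PGT", user, None, self._now(), None)
        return tid

    def grant_service_ticket(self, granting_id: str, service: str) -> str:
        """ST from a TGT (browser redirect) or PT from a PGT (slide 18 proxying)."""
        parent = self._tickets.get(granting_id)
        if parent is None or parent.kind not in ("TGT", "PGT"):
            raise KeyError("unknown or non-granting ticket")
        kind = "ST" if parent.kind == "TGT" else "PT"
        tid = self._new_id(kind)
        self._tickets[tid] = Ticket(kind, parent.user, service, self._now(), granting_id)
        return tid

    def validate(self, ticket_id: str, service: str) -> Optional[str]:
        """Slide 11: validate an ST/PT for a service. Returns the user or None.
        The ticket is consumed on its first presentation whatever the outcome."""
        t = self._tickets.get(ticket_id)
        if t is None or t.kind not in ("ST", "PT"):
            return None  # unknown id, or a TGT/PGT offered as if it were a service ticket
        del self._tickets[ticket_id]  # single use
        if self._now() - t.issued_at > ST_TTL_SECONDS:
            return None  # expired
        if t.service != service:
            return None  # issued for a different service
        return t.user

    def logout(self, tgt_id: str) -> None:
        """Drop the session and every unconsumed ticket it granted."""
        self._tickets.pop(tgt_id, None)
        for tid in [k for k, v in self._tickets.items() if v.granted_by == tgt_id]:
            del self._tickets[tid]
```

Two choices are deliberate: a ticket offered against the wrong service is still consumed, so a mismatch cannot be retried elsewhere, and a TGT or PGT presented where a service ticket is expected is refused without being touched, so a mistaken client cannot destroy a session by validating the wrong identifier.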
Whitelisting services
Why not to do this
Possible: impose whitelist at ticket validation layer
Authentication itself
CAS PasswordHandlers
CasGenericHandler – more ad-hoc XML configuration
Instead wire together using Spring
“Single Sign Out”
Why not to do this
But if we’re going to do this, let’s at least make it easier to maintain the local mod
Or maybe an optional aspect of the protocol – standardize without requiring
Extension points?
Others?
Rutgers and their fine work
Resources
New CAS documentation (Wiki)
Active mailing list
The larger CAS community
Contact information
http://www.yale.edu/its/tp/
[email protected] (yale.edu)
[email protected] (yale.edu)
[email protected] (tp.its.yale.edu)