ClearPass A CAS Extension Enabling Credential Replay Andrew Petro Unicon, Inc. Jasig 2010 San Diego, CA 09 March 2010 © Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ http://www.ja-sig.org/wiki/display/CASUM/ClearPass


ClearPass: A CAS Extension Enabling Credential Replay

Andrew Petro, Unicon, Inc.

Jasig 2010, San Diego, CA, 09 March 2010

© Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/

http://www.ja-sig.org/wiki/display/CASUM/ClearPass

2

Disclaimers

Personal Opinions are my own
Opinions herein are my own, and are not necessarily those of my employer, of Jasig, of the Jasig CAS steering committee, or of anyone else.

CC-NC-SA Disclaims Warranty
Creative Commons licenses have some fantastic language for disclaiming warranties. That's in part why speakers use them.

3

Agenda

1. What is ClearPass?

2. How does ClearPass work?

3. uPortal example

4. Outlook Web Access example

5. Continued adoption in new environments

6. Questions?

4

What is ClearPass?

5

ClearPass

● Free and Open Source Software

● Extending CAS to...

– capture the end user's password at login

– and selectively release this password to authorized applications

● Like, say, an enterprise portal

6

Whence?

● Developed by Unicon for Sacramento State University and released as Free and Open Source Software

● Updated by Scott Battaglia via effort funded through Unicon's Cooperative Support for CAS Cooperative Development program

7

Concretely, what?

● Extensions to Jasig CAS to capture and expose credentials

● Extensions to Jasig uPortal to consume the credentials

● https://www.ja-sig.org/svn/cas-extensions/clearpass/

8

Wait, wait. Timeout.

http://www.flickr.com/photos/rollerfan/3052241108

9

Say what?

● Did I say ClearPass is an extension for releasing the end user's password???

● That sounds like a really bad idea.

10

Why would you want to release end user credentials?

Healthy skepticism is warranted.

11

Passwords are such useful things

● Have you ever given anyone your password?

– To anything?

http://www.flickr.com/photos/bulldogsrule/512916347
http://creativecommons.org/licenses/by-nc-nd/2.0/

12

Two purposes

● End-user single sign on

● N-tier application-to-application-on-behalf-of-user authentication

13

Delete your login forms.

14

Apps do not touch passwords

CAS

15

Greater than zero effort

16

Difficult to CASify

17

N-tier authentication

● User authenticates to Application 1

● Application 1 authenticates to Application 2 on behalf of User

● How to accomplish this?

18

Options for N-Tier AuthN

● Principled Enterprise SSO regimes with Delegation

● Application-to-application authentication methods with assertion of user identity

● Direct use of end-user credentials

19

Passwords are such useful things

20

MailPortlet

21

After all, why is this hard?

22

Why ClearPass?

● End-user single sign on to difficult-to-CASify Web applications

● N-tier application-to-application-on-behalf-of-user authentication to difficult-to-CASify services

23

How does ClearPass work?

But first, an aside

24

How does Proxy CAS work?

An aside necessary to understand how ClearPass works

25

How CAS Works

[Diagram: Web browser, CAS, Web application. The browser logs in to CAS with a NetID; CAS issues a service ticket (ST) that the web application validates with CAS.]

26

CAS 2.0: Proxy CAS

[Diagram: Web browser, CAS, Web application with an HTTPS listener. NetID login; ST; the web application validates the ST and supplies a PGTURL; CAS calls back the PGTURL with a PGTIOU and PGT, and the PGTIOU in the validation response pairs with the PGT delivered on the callback.]

27

CAS 2.0: Proxy CAS

[Diagram: Web browser, CAS, Web application, Back-end application. NetID login; ST; PGTURL; the web application holds a PGT, obtains a PT from CAS, and presents the PT to the back-end application, which validates it with CAS and returns Data.]

28

Proxiable credentials illustrated

[Diagram: CAS, IMAP server with a CAS PAM module. ST; PGT; PT. The PT conveys the username and the identity of the web resource that requested it.]
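The three diagrams above are easier to follow as a runnable exchange. The simulation below is an added example, not Jasig CAS server code: one class plays the CAS server, and run_flow() plays the browser, the web application (with its HTTPS PGTURL listener) and the back-end application in turn. Ticket identifiers use the CAS prefixes TGT-, ST-, PGTIOU-, PGT- and PT-; the service URLs and the https://my.uportal.edu/CasProxyServlet callback are assumed values.

```python
import secrets
from dataclasses import dataclass

# Constructed simulation of the CAS 2.0 proxy ticket flow (added example, not
# Jasig CAS code). Service URLs and the pgtUrl below are made-up values.


@dataclass
class Ticket:
    kind: str        # "ST" (service ticket) or "PT" (proxy ticket)
    user: str        # NetID the ticket asserts
    service: str     # the service the ticket was issued for
    proxies: list    # proxy chain (pgtUrls) for a PT; empty for an ST
    used: bool = False


class CasServer:
    def __init__(self):
        self.tgts = {}       # TGT id -> user (the SSO session)
        self.tickets = {}    # ST/PT id -> Ticket
        self.pgts = {}       # PGT id -> (user, proxy chain)
        self.callbacks = {}  # pgtUrl -> list of (PGTIOU, PGT) delivered to it

    def login(self, user):
        """Browser authenticates with its NetID; CAS sets a TGT cookie."""
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = user
        return tgt

    def issue_st(self, tgt, service):
        """CAS redirects the browser back to `service` carrying a fresh ST."""
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = Ticket("ST", self.tgts[tgt], service, [])
        return st

    def _consume(self, ticket_id, service, accept_pt):
        t = self.tickets.get(ticket_id)
        if t is None or t.used or t.service != service:
            return None          # unknown, replayed, or bound to another service
        if t.kind == "PT" and not accept_pt:
            return None          # /serviceValidate never accepts PTs
        t.used = True            # every ticket is single use
        return t

    def service_validate(self, ticket_id, service, pgt_url=None):
        """/serviceValidate. With an HTTPS pgtUrl, CAS issues a PGT, delivers it
        to that listener together with a PGTIOU, and returns only the PGTIOU."""
        t = self._consume(ticket_id, service, accept_pt=False)
        if t is None:
            return {"success": False}
        result = {"success": True, "user": t.user}
        if pgt_url is not None and pgt_url.startswith("https://"):
            pgt = "PGT-" + secrets.token_hex(8)
            pgtiou = "PGTIOU-" + secrets.token_hex(8)
            self.pgts[pgt] = (t.user, [pgt_url] + t.proxies)
            self.callbacks.setdefault(pgt_url, []).append((pgtiou, pgt))
            result["pgtIou"] = pgtiou
        return result

    def proxy(self, pgt, target_service):
        """/proxy: the proxying application trades its PGT for a PT to target_service."""
        if pgt not in self.pgts:
            return None
        user, chain = self.pgts[pgt]
        pt = "PT-" + secrets.token_hex(8)
        self.tickets[pt] = Ticket("PT", user, target_service, list(chain))
        return pt

    def proxy_validate(self, ticket_id, service):
        """/proxyValidate: also accepts PTs and reports the proxy chain so the
        back end can decide whether it trusts the application that proxied."""
        t = self._consume(ticket_id, service, accept_pt=True)
        if t is None:
            return {"success": False}
        return {"success": True, "user": t.user, "proxies": list(t.proxies)}


PORTAL = "https://my.uportal.edu/Login"                   # assumed
PORTAL_PGT_URL = "https://my.uportal.edu/CasProxyServlet"  # assumed HTTPS listener
BACKEND = "https://mail.example.edu/imap-gateway"          # assumed


def run_flow():
    """Walk the three slides: plain CAS, PGT acquisition, PT use by a back end."""
    cas = CasServer()
    tgt = cas.login("jdoe")
    st = cas.issue_st(tgt, PORTAL)
    v = cas.service_validate(st, PORTAL, PORTAL_PGT_URL)
    # The portal matches the PGTIOU in the validation response with the PGT
    # CAS delivered to its HTTPS listener.
    pgt = dict(cas.callbacks[PORTAL_PGT_URL])[v["pgtIou"]]
    pt = cas.proxy(pgt, BACKEND)
    backend_view = cas.proxy_validate(pt, BACKEND)
    return {
        "user": backend_view["user"],
        "proxies": backend_view["proxies"],
        "pt_replay_accepted": cas.proxy_validate(pt, BACKEND)["success"],
        "pt_accepted_by_service_validate":
            cas.service_validate(cas.proxy(pgt, BACKEND), BACKEND)["success"],
        "pt_accepted_for_other_service":
            cas.proxy_validate(cas.proxy(pgt, BACKEND), PORTAL)["success"],
    }
```

The three False entries in the result are the properties a back end relies on: a PT cannot be replayed, the plain /serviceValidate endpoint rejects it, and a PT minted for one service is useless at another. The proxies list is what a ClearPass endpoint later compares against its allowed proxy chains.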

29

How does ClearPass work?

Now that we've reviewed Proxy CAS, we can talk about this.

30

ClearPass CAS Extensions

● Capture the password at login

● Cache the password

● Release the password to authorized applications

31

Capture password at login

● In a perhaps too-clever way

– AuthenticationMetaDataPopulator

● But minimally invasive

32

Declaring the Cacher

<bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
  <constructor-arg index="0" ref="credentialsCache" />
</bean>

33

Declaring and injecting

<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
      <constructor-arg index="0" ref="credentialsCache" />
    </bean>
  </list>
</property>

34

Cache the password

● In an EhCache

– So this cache can be shared across CAS server instances in a cluster

– Can also be just in-memory

35

Expose the password

● Adds a controller

36

ClearPassController

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;

// The CAS client filters in front of /clearPass have already validated the
// caller's PT, so getRemoteUser() is the NetID that PT asserts; the controller
// only looks that user up in the credentials cache.
protected ModelAndView handleRequestInternal(final HttpServletRequest request,
                                             final HttpServletResponse response) {
    final String userName = request.getRemoteUser();
    if (userName != null) {
        final String password = this.credentialsCache.get(userName);
        return new ModelAndView(this.successView, MODEL_CLEARPASS, password);
    }
    return returnError("No authentication information provided.");
}

37

Response from /clearpass endpoint

<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:clearPassSuccess>
    <cas:credentials>actual_password</cas:credentials>
  </cas:clearPassSuccess>
</cas:clearPassResponse>


39

Wait, the password's in the clear?

● Well, no, not really.

● The ClearPass callback URL is

– accessed via HTTPS

– authenticated via a Proxy CAS Ticket


41

clearPassSuccess.jsp

<%@ page session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:clearPassSuccess>
    <cas:credentials>${fn:escapeXml(credentials)}</cas:credentials>
  </cas:clearPassSuccess>
</cas:clearPassResponse>


43

Authenticating to ClearPass

● How do applications authenticate to CAS ClearPass to get the password?

– Need to authenticate both the application and participation in a CAS single sign on session

44

Authenticated via PT!

● Use the Jasig CAS Client library itself to authenticate applications to the ClearPass CAS extension!

45

Uses Jasig Java CAS Client

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/clearPass</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/clearPass</url-pattern>
</filter-mapping>

46

Uses Jasig Java CAS Client

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://my.clearpass.cas.instance/</param-value>
  </init-param>
  <init-param>
    <param-name>allowedProxyChains</param-name>
    <param-value>http://my.uportal.edu/CasProxyServlet</param-value>
  </init-param>
</filter>
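Pulling the preceding slides together (capture at login, the expiring cache, the /clearPass handler, the escapeXml rendering and the allowedProxyChains check), here is an added example of the release path written as plain functions. It is not the Jasig ClearPass code: the cache is an in-memory stand-in for EhCache, the proxy-chain check is repeated in the handler although the CAS client filter performs it first, and the clearPassFailure element, the status codes and the https://my.uportal.edu/CasProxyServlet entry (the slide's allowedProxyChains value, assumed to be served over HTTPS) are assumptions.

```python
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example modelling the ClearPass release path; not Jasig ClearPass code.
# Element names other than clearPassResponse, clearPassSuccess and credentials
# (i.e. clearPassFailure) and the HTTP status codes are assumed.

CAS_NS = "http://www.yale.edu/tp/cas"


class CredentialsCache:
    """Stand-in for the EhCache: entries expire ttl_seconds after capture."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so expiry can be tested
        self._entries = {}           # username -> (password, expiry time)

    def put(self, username, password):
        self._entries[username] = (password, self.clock() + self.ttl)

    def get(self, username):
        entry = self._entries.get(username)
        if entry is None:
            return None
        password, expiry = entry
        if self.clock() >= expiry:
            del self._entries[username]   # expired: drop it rather than release it
            return None
        return password


def capture_on_login(cache, username, password):
    """What the CacheCredentialsMetaDataPopulator does when authentication succeeds."""
    cache.put(username, password)


def render_success(password):
    """Same job as clearPassSuccess.jsp: escape the password so that <, &, ' or "
    inside it cannot break, or alter, the XML document."""
    escaped = escape(password, {"'": "&apos;", '"': "&quot;"})
    return (
        "<cas:clearPassResponse xmlns:cas='%s'>\n"
        "  <cas:clearPassSuccess>\n"
        "    <cas:credentials>%s</cas:credentials>\n"
        "  </cas:clearPassSuccess>\n"
        "</cas:clearPassResponse>" % (CAS_NS, escaped)
    )


def render_failure(message):
    # clearPassFailure is an assumed element name for the error view
    return (
        "<cas:clearPassResponse xmlns:cas='%s'>\n"
        "  <cas:clearPassFailure>%s</cas:clearPassFailure>\n"
        "</cas:clearPassResponse>" % (CAS_NS, escape(message))
    )


def clearpass_endpoint(validation, allowed_proxy_chains, cache):
    """Decision made for GET /clearPass. `validation` is the /proxyValidate result
    the CAS client filter obtained for the caller's PT (user plus proxy chain).
    Returns (HTTP status, body)."""
    if not validation.get("success"):
        return 403, render_failure("No authentication information provided.")
    # Cas20ProxyReceivingTicketValidationFilter enforces allowedProxyChains before
    # the controller runs; the rule is repeated here so the decision is visible.
    if tuple(validation.get("proxies", ())) not in allowed_proxy_chains:
        return 403, render_failure("Proxy chain not authorized to receive credentials.")
    password = cache.get(validation["user"])
    if password is None:
        return 404, render_failure("No credentials cached for this user.")
    return 200, render_success(password)


def parse_clearpass_response(body):
    """Client side (uPortal, Liferay, CasOwa): pull the password back out of the XML."""
    root = ET.fromstring(body)
    node = root.find("{%s}clearPassSuccess/{%s}credentials" % (CAS_NS, CAS_NS))
    return None if node is None else node.text


def demo():
    """Constructed round trip: capture, authorized release, unlisted proxy chain."""
    cache = CredentialsCache(ttl_seconds=60)
    capture_on_login(cache, "jdoe", 'p<ss&w"rd')          # awkward characters on purpose
    allowed = {("https://my.uportal.edu/CasProxyServlet",)}
    ok_status, ok_body = clearpass_endpoint(
        {"success": True, "user": "jdoe",
         "proxies": ["https://my.uportal.edu/CasProxyServlet"]}, allowed, cache)
    bad_status, _ = clearpass_endpoint(
        {"success": True, "user": "jdoe",
         "proxies": ["https://other-app.example.edu/proxy"]}, allowed, cache)
    return {"status": ok_status, "password": parse_clearpass_response(ok_body),
            "unlisted_proxy_status": bad_status}
```

Two details are worth the extra lines: the cache refuses to hand back an expired entry instead of leaving the decision to the caller, and the password with `<`, `&` and `"` in it survives the XML round trip only because of the escaping step, which is exactly why the JSP on the slide wraps `credentials` in `fn:escapeXml`.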

47

CAS 2.0: Proxy CAS

[Diagram: Web browser, CAS, Web application, Back-end application. NetID login; ST; PGTURL; the web application holds a PGT, obtains a PT from CAS, and presents the PT to the back-end application, which validates it with CAS and returns Data.]

48

CAS 2.0: Proxy CAS

[Diagram: Web browser, CAS, Web application, CAS ClearPass. NetID login; ST; PGTURL; the web application holds a PGT, obtains a PT from CAS, and presents the PT to CAS ClearPass, which validates it with CAS and returns the Password.]

49

uPortal Example

[Diagram: Portal performing password replay; the password (PW) is passed through three channels to three password-protected services.]

[Diagram: the same password replay, with portlets in place of channels.]

52

ClearPass uPortal module

● https://www.ja-sig.org/svn/cas-extensions/clearpass/tags/clearpass_1_0_0_ga/clearpass-integration-uportal/

● Plugin for uPortal's SecurityContext API

● Implements Password Caching API (supports password replay)

● Implements CAS API (supports CAS proxy tickets)

[Diagram: Portal doing password replay alongside proxy tickets. Portlets send the password (PW), obtained from ClearPass, to password-protected services, and a PT, derived from the PGT obtained from CAS, to a CAS-protected service.]

54

Portlets that (can) replay passwords

55

Portlets that can use passwords...

● Email preview

● Calendar preview

● Toro Gateway SSO portlet (for credential replay through login forms to achieve end-user SSO experience)

● Web Proxy Portlet

● Your portlet

56

Password as just an attribute

● A special, important attribute

● But just a standard JSR 168 user attribute

● Portlet doesn't care whether it came from ClearPass

57

SSO into Datatel WebAdvisor

● http://www.ja-sig.org/wiki/display/CASC/CASifying+WebAdvisor

● ClearPass

● uPortal

● Toro Gateway SSO portlet

58

(There's more to this story)

● (Apparently Datatel WebAdvisor has an optional add-on product enabling SSO?)

● (So that might be a better option?)

● (But probably incurs license fees and uses proprietary software?)

59

Outlook Web Access example

60

Free Software alternatives to OWA

● While ClearPass-infused heroics can be applied to CASify Outlook Web Access...

● You could instead use something under an Open Source license...

61

Bill Thompson's (!) Solution

● http://github.com/wgthom/CasOwa

62

CasOwaAuthHandler.cs

● Handles an HTTP request

● Obtains a Proxy Ticket to CAS/clearpass

● Uses PT to obtain password from CAS/clearpass

● Uses password to internally POST to OWA login form, reading resulting session cookies

● Sends session cookies back to end user browser (works since running in OWA)

● Redirects browser to OWA

63

Liferay example

64

Bill Thompson's (!) forum post

● http://bit.ly/liferay_jasig_cas_client_forum_discussion

65

Liferay 5 extensions

● http://github.com/wgthom/Cas3Liferay5

● Use Jasig Java CAS Client library

● Obtain PT

● Use PT to obtain Password from ClearPass

● Place password into session where Liferay expects it

● Portlets use it as normal

66

How ClearPass Fits

67

ClearPass

● Enables incremental adoption of Enterprise SSO

● Adopt CAS SSO

● Use ClearPass to enable legacy integrations

● Use CAS and CAS delegated authentication wherever you can

● Improvement: incrementally, less proliferation of passwords and use of passwords

68

ClearPass Future


69

Encrypt the password at rest?

70

What about multiple passwords?

● Represent as different ClearPass callback URLs?

71

Questions & Answers & Discussion

Andrew Petro, Software Developer, Unicon, Inc.

[email protected]/blog/apetro

72

License and Copyleft

© Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/

73

Acknowledgments

● Bill Thompson for his excellent work developing and documenting Liferay extensions to use Jasig Java CAS Client 3 and ClearPass and OWA extensions to rely upon ClearPass for SSO into OWA.

● http://www.flickr.com/photos/rollerfan/3052241108 (Roller derby timeout image; CC-NC 2.0)