uPortal and the Yale Central Authentication Service
Drew Mazurek
ITS Technology & Planning
Yale University
JA-SIG Summer Conference '04
Denver, CO
June 21, 2004
What's coming up...
- CAS overview
- n-tier authentication problem
- uPortal and CAS integration
- CAS channel examples
- Questions
- Discussion
CAS in a nutshell

[Diagram, "How CAS Works": web browser, web application, and CAS; labels S, T, C, NetID. The browser authenticates to CAS with its NetID and returns to the web application with a ticket (T) for that service (S), which the application validates with CAS.]
n-tier authentication problem

[Diagram: a channel inside the portal and the back-end it needs to reach.]

n-tier authentication problem

[Diagram, "Password caching": the portal caches the user's password (PW) and each channel replays it to its password-protected service.]
n-tier authentication problem
- uPortal can authenticate users securely with CAS
- But it does not know about users' primary credentials
- This is a good thing, except uPortal can't impersonate the user in order to acquire secure data for the user
CAS 2.0: Proxy CAS

[Diagram: web browser (C), web application with an https listener, CAS, NetID. The application validates its service ticket (ST) for service S and supplies a PGTURL; CAS calls back to the https listener with a proxy-granting ticket (PGT) and its IOU (PGTIOU), and returns only the PGTIOU in the validation response.]

CAS 2.0: Proxy CAS

[Diagram: the web application presents its PGT to CAS to obtain a proxy ticket (PT) for the back-end application (S); the back-end application validates the PT with CAS, which reports the NetID and the proxy's PGTURL, and returns its data to the web application.]
CAS Security Provider
- Uses CAS for primary authentication
- Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution
- Exposes a public method to channels to get a proxy ticket for a particular service
- Back-end systems must be configured to accept and validate proxy credentials from uPortal
uPortal with CAS Provider

[Diagram: a channel calls getCasServiceToken on the CAS Security Context to obtain a proxy ticket (PT) for its channel resource. The security context validated the portal's ticket (T) with CAS, supplying a PGTURL; CAS delivered the PGT and PGT IOU to the CAS Ticket Receptor Servlet, which the context later asks via getProxyTicket(pgtIou, service) for a PT.]
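The Proxy CAS slides and the CAS Security Provider slide describe one ticket flow: a service ticket is validated with a PGTURL, CAS delivers a PGT plus PGTIOU to the service's https listener (the ProxyTicketReceptor), and the service later trades the PGT for proxy tickets that back-end services validate in turn. The following in-memory simulation of that CAS 2.0 flow is an added example, not the Yale CAS server or client code; the service URLs (PORTAL, SERVLET, IMAP and their PGTURLs) are constructed. It goes one tier further than the slide, chaining portal to servlet to IMAP server, so the proxy chain CAS reports at the last hop is visible:

```python
"""In-memory simulation of the CAS 2.0 ticket flow: service tickets (ST),
proxy-granting tickets (PGT) delivered with a PGTIOU to the service's https
listener, and proxy tickets (PT) for back-end services. Added example; not the
Yale CAS server or client. Service URLs below are constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Ticket:
    kind: str                                     # "ST", "PGT" or "PT"
    user: str                                     # NetID the ticket was issued for
    target: str                                   # service (ST/PT) or PGTURL (PGT) it is bound to
    proxies: list = field(default_factory=list)   # proxy chain, nearest proxy first
    used: bool = False


class CasServer:
    """Issues and validates tickets; the only party that ever sees the primary credential."""

    def __init__(self):
        self.tickets = {}

    def _issue(self, kind, user, target, proxies=()):
        tid = f"{kind}-{secrets.token_urlsafe(8)}"
        self.tickets[tid] = Ticket(kind, user, target, list(proxies))
        return tid

    def login(self, netid, service):
        """Browser authenticates to CAS; CAS hands back an ST bound to `service`."""
        return self._issue("ST", netid, service)

    def validate(self, ticket, service, pgt_url=None, callback=None):
        """/serviceValidate and /proxyValidate in one: returns a dict with the NetID,
        the proxy chain and (if a PGTURL was supplied) a PGTIOU, or None on failure.
        The PGT itself goes to the callback (the https listener), never into the
        validation response the requesting service sees alongside the IOU."""
        t = self.tickets.get(ticket)
        if t is None or t.kind not in ("ST", "PT") or t.used or t.target != service:
            return None                # unknown, replayed, or presented by the wrong service
        t.used = True                  # ST and PT are single-use
        result = {"user": t.user, "proxies": list(t.proxies), "pgtIou": None}
        if pgt_url and callback:
            pgt = self._issue("PGT", t.user, pgt_url, [pgt_url] + t.proxies)
            iou = f"PGTIOU-{secrets.token_urlsafe(8)}"
            callback(iou, pgt)         # CAS posts PGTIOU and PGT to the PGTURL
            result["pgtIou"] = iou
        return result

    def proxy(self, pgt, target_service):
        """/proxy: exchange a PGT for a PT that target_service can validate once."""
        t = self.tickets.get(pgt)
        if t is None or t.kind != "PGT":
            return None
        return self._issue("PT", t.user, target_service, t.proxies)


# Constructed identifiers for the three tiers: portal, email servlet, IMAP server.
PORTAL = "https://portal.example/Login"
PORTAL_PGTURL = "https://portal.example/CasProxyServlet"
SERVLET = "https://mail.example/email-servlet"
SERVLET_PGTURL = "https://mail.example/email-servlet/pgtcallback"
IMAP = "imap://imap.example"


def run_flow(netid="drew"):
    """Walks ST -> PGT -> PT -> PGT -> PT across portal, servlet and IMAP server."""
    cas = CasServer()
    receptor = {}                      # ProxyTicketReceptor: PGTIOU -> PGT

    st = cas.login(netid, PORTAL)
    portal_view = cas.validate(st, PORTAL, PORTAL_PGTURL,
                               lambda iou, pgt: receptor.__setitem__(iou, pgt))
    portal_pgt = receptor[portal_view["pgtIou"]]   # what getProxyTicket(pgtIou, service) looks up

    pt1 = cas.proxy(portal_pgt, SERVLET)            # portal -> servlet
    servlet_view = cas.validate(pt1, SERVLET, SERVLET_PGTURL,
                                lambda iou, pgt: receptor.__setitem__(iou, pgt))
    servlet_pgt = receptor[servlet_view["pgtIou"]]

    pt2 = cas.proxy(servlet_pgt, IMAP)              # servlet -> IMAP server
    imap_view = cas.validate(pt2, IMAP)

    return {
        "portal": portal_view, "servlet": servlet_view, "imap": imap_view,
        "st_replay": cas.validate(st, PORTAL),                              # None: single-use
        "wrong_service": cas.validate(cas.proxy(servlet_pgt, IMAP), SERVLET),  # None: bound to IMAP
    }


if __name__ == "__main__":
    for tier, view in run_flow().items():
        print(tier, view)
```

Two properties of the real protocol carry the n-tier argument and are enforced here: a ticket is bound to the service it was issued for and is consumed on first validation, so a leaked or replayed PT is worthless elsewhere, and the proxy chain grows by one PGTURL per hop, which is what a back-end uses to decide whether it trusts the path the request took.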
CAS, uPortal, and other applications at Yale
- Simple service-ticket authentication
  - IMP webmail
  - Email Account Configuration Tool
- Single-tier proxy-ticket authentication
  - Meeting Maker
- Multi-tier proxy-ticket authentication
  - Recent Email Channel
IMP Webmail

1. User clicks on link in Recent Email channel
2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
3. IMP stores destination URL/message as session variable, and redirects the browser to CAS
4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message

But how is the user authenticated to the IMAP server?

IMP normally wants to replay cached primary credentials
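Steps 2 through 4 above describe the hand-off a CAS-protected application performs: decode the requested message from the link, park it in the session, redirect to CAS, and validate the returned ticket. The following added example sketches that hand-off; it is not Horde/IMP's redirect_cas.php. The CAS login URL and the mail host come from the slides, while the serviceValidate path is the CAS 2.0 protocol's and assumed here for this deployment. It also shows why the destination belongs in the session rather than in the service URL: CAS binds the service ticket to the exact service string presented at login, so that string must be identical at validation, and a session-stored destination needs a check before it is replayed as a redirect:

```python
"""IMP-style CAS hand-off: parse the channel's link, keep the requested message
in the session, send the browser to CAS with a constant service URL, and on
return build the validation request with that same service URL. Added example;
not Horde/IMP code. CAS_LOGIN and the mail host are from the slides; the
serviceValidate path is assumed (CAS 2.0 protocol)."""
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_LOGIN = "https://secure.its.yale.edu/cas/login"
CAS_VALIDATE = "https://secure.its.yale.edu/cas/serviceValidate"   # assumed endpoint
# The service identifier must be identical at login and at validation, so the
# per-message `url` parameter is kept out of it and parked in the session instead.
SERVICE = "https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php"
DEFAULT_DESTINATION = "mailbox.php"


def safe_destination(url):
    """Only a relative IMP path may be replayed after login. Anything carrying a
    scheme or host (an off-site redirect), a rooted path, or traversal falls
    back to the inbox."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or url.startswith("/") or ".." in parts.path:
        return DEFAULT_DESTINATION
    return url


def handle_channel_link(session, request_url):
    """Steps 2 and 3: decode ?url=... from the channel link, store it, and
    return the Location header for the redirect to CAS."""
    query = parse_qs(urlsplit(request_url).query)
    requested = query.get("url", [DEFAULT_DESTINATION])[0]   # parse_qs decodes %3F / %3D
    session["destination"] = safe_destination(requested)
    return CAS_LOGIN + "?" + urlencode({"service": SERVICE})


def handle_cas_return(session, ticket):
    """Step 4: CAS redirected back with ?ticket=ST-...; return the validation URL
    the service must fetch (same SERVICE as at login) and where to send the user
    once validation succeeds. The ticket itself is never kept in the session."""
    validate_url = CAS_VALIDATE + "?" + urlencode({"service": SERVICE, "ticket": ticket})
    return validate_url, session.pop("destination", DEFAULT_DESTINATION)


if __name__ == "__main__":
    session = {}
    link = ("https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php"
            "?url=mailbox.php%3Fview_message%3D97552")
    print(handle_channel_link(session, link))
    print(handle_cas_return(session, "ST-example"))
```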
IMP Webmail – CAS PAM module

[Diagram: IMP validates its service ticket (ST) with CAS and receives a PGT; it then obtains a proxy ticket (PT) and presents it to the IMAP server, whose CAS PAM module validates the PT with CAS. The validation yields the NetID and IMP's proxy callback URL (unique ID).]
Email Account Configuration Tool
- Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management
- CASified one year ago
- Linked in uPortal as: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main
- Simple service ticket-only authentication
- Takes advantage of single sign-on
Meeting Maker
- Meeting Maker, Inc. provides a Java API to access calendaring data
- A Java servlet uses the API to retrieve data and provide an XML feed to the portal
- The servlet doesn't know about the user's MM password; it uses a master MM server password to access the data

[Diagram: uPortal obtains a proxy ticket (PT) from CAS for the Meeting Maker servlet (S); the servlet validates the PT with CAS, which reports the NetID and ProxyID, then queries the Meeting Maker server with the MM admin password for that NetID's MM data and returns it to uPortal as XML.]
Meeting Maker
- Channel authentication performed through CAS Java Servlet filter (included in CAS client library)
- uPortal's CAS proxy callback URL configured in web application's deployment descriptor:

    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
      <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
    </init-param>
Recent Email Channel
- Displays 10 most recent email messages
- Multi-tier CAS proxy authentication
- Same design as Meeting Maker: servlet pulls data from back-end source, returns as XML
- Different authentication from MM: IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module
Recent Email Channel

[Diagram, three stages: CAS, IMAP server, email servlet, uPortal. uPortal obtains a PT for the email servlet (S); the servlet validates it with CAS, supplying its PGTURL, and receives the NetID and ProxyID plus a PGTIOU, with the PGT delivered to the PGTURL; the servlet then uses its PGT to obtain a second PT for the IMAP server, which validates that PT with CAS and opens an IMAP session for the NetID; the servlet returns XML to uPortal.]
Recent Email Channel
- Can't use CAS filter because it must obtain proxy tickets to pass to IMAP
- Uses the CAS ProxyTicketValidator for authentication (included with CAS client library)
  - getProxyTicket()
- Current beta of CAS filter provides support for acquiring proxy tickets
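Three relying parties on these slides make the same decision on a proxy ticket: the CAS servlet filter in the Meeting Maker servlet (with its authorizedProxy init-param), the ProxyTicketValidator in the Recent Email servlet, and the CAS PAM module on the IMAP server, which receives the PT in the password field next to a login name. The following added example is that decision written out against the CAS 2.0 /proxyValidate XML response. It is not the Yale CAS client library or PAM module; the response format and namespace are the CAS 2.0 protocol's, the sample responses are constructed, and the IMP callback URL is constructed while the portal callback URL is the one from the deployment descriptor above:

```python
"""Checking a CAS 2.0 /proxyValidate response the way a relying service does:
success or failure, the proxy chain against an authorized list, and (for the
PAM case) the reported NetID against the login name presented. Added example;
not the Yale CAS client library or PAM module. Sample responses constructed."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}     # CAS 2.0 response namespace

# Constructed responses in the CAS 2.0 serviceResponse format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>drew</cas:user>
    <cas:proxies>
      <cas:proxy>https://mail.example/imp/pgtcallback</cas:proxy>
      <cas:proxy>https://portal.yale.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'PT-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Callback URLs this back-end trusts: the portal's (from the slides) and a
# constructed one for IMP.
AUTHORIZED = {
    "https://portal.yale.edu/CasProxyServlet",
    "https://mail.example/imp/pgtcallback",
}


class ValidationError(Exception):
    """Raised when the ticket must be rejected; the message is the reason."""


def parse_proxy_validate(xml_text):
    """Return (netid, proxy_chain) from a success response; raise on failure.
    The chain lists PGTURLs nearest-proxy-first, as CAS reports them."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValidationError(failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValidationError("MALFORMED")
    netid = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    if not netid:
        raise ValidationError("MALFORMED")
    proxies = [(p.text or "").strip()
               for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return netid, proxies


def authorize(xml_text, authorized_proxies, claimed_netid=None):
    """Accept only if CAS reports success, the ticket actually came through a
    proxy, every callback URL in the chain is authorized, and the NetID CAS
    reports matches the one the caller claimed (the IMAP login name, in the PAM
    case). Checking the whole chain rather than just the nearest proxy is this
    example's choice: it stops an unlisted intermediate hiding behind a listed one."""
    netid, proxies = parse_proxy_validate(xml_text)
    if not proxies:
        raise ValidationError("NOT_A_PROXY_TICKET")   # a bare ST reached a proxy-only back-end
    for p in proxies:
        if p not in authorized_proxies:
            raise ValidationError(f"UNAUTHORIZED_PROXY {p}")
    if claimed_netid is not None and claimed_netid != netid:
        raise ValidationError("USER_MISMATCH")
    return netid


if __name__ == "__main__":
    print(authorize(SUCCESS_XML, AUTHORIZED, claimed_netid="drew"))
    try:
        authorize(FAILURE_XML, AUTHORIZED)
    except ValidationError as err:
        print("rejected:", err)
```

The user check matters specifically for the PAM case: the IMAP client supplies a login name and a PT separately, and without comparing the two a valid ticket for one NetID would open another user's mailbox.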
Summary
- Simple CAS authentication
- n-tier authentication problem
- CAS's solution: Proxy CAS
- uPortal and CAS Security Provider

Summary
- uPortal, CAS, and other applications
  - Simple service ticket authentication: IMP Webmail, Email Account Configuration Tool
  - Single-layer proxy ticket authentication: Meeting Maker
  - Multi-layer proxy ticket authentication: Recent Email Channel
Questions?

For more information
- Drew Mazurek <[email protected]>
- CAS Web Site: http://www.yale.edu/tp/cas
- CAS Mailing List: [email protected], http://tp.its.yale.edu/mailman/listinfo/cas
- This presentation: http://www.yale.edu/tp/cas/cas-jasig-2004.ppt, http://www.yale.edu/tp/cas/cas-jasig-2004.htm