uPortal and the Yale Central Authentication Service
Drew Mazurek
ITS Technology & Planning, Yale University
JA-SIG Summer Conference '04, Denver, CO, June 21, 2004

What's coming up...
- CAS overview
- n-tier authentication problem
- uPortal and CAS integration
- CAS channel examples
- Questions
- Discussion

CAS in a nutshell
[Diagram: Browser, Web application, CAS]

How CAS Works
[Diagram: Web browser, Web application, CAS. The user presents a NetID to CAS, which sets a cookie (C) in the web browser; CAS issues a service ticket (ST) to the web application, which validates it with CAS.]

n-tier authentication problem
[Diagram: Channel, Portal]

n-tier authentication problem: password caching
[Diagram: the Portal caches the user's password (PW) and hands it to each Channel, which replays it to a password-protected service.]

n-tier authentication problem
- uPortal can authenticate users securely with CAS
- But it does not know about users' primary credentials
- This is a good thing, except uPortal can't impersonate the user in order to acquire secure data for the user

CAS 2.0: Proxy CAS
[Diagram: Web browser (C), Web application with an https listener, CAS. The user presents a NetID to CAS; the web application validates the ST and supplies a PGTURL; CAS calls back the https listener with a PGT and PGTIOU.]
[Diagram: Web browser, Web application (holding the PGT), CAS, Back-end application. The web application obtains a PT from CAS and presents it to the back end; the back end validates the PT with CAS, which yields the NetID and PGTURL, and returns the data.]

CAS Security Provider
- Uses CAS for primary authentication
- Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution
- Exposes a public method to channels to get a proxy ticket for a particular service
- Back-end systems must be configured to accept and validate proxy credentials from uPortal

uPortal with CAS Provider
[Diagram: a Channel calls getCasServiceToken on the CAS Security Context and receives a PT for its Channel resource. The CAS Security Context validates the ST with CAS, passing a PGTURL; CAS delivers the PGT and PGTIOU to the CAS Ticket Receptor Servlet; getProxyTicket(pgtIou, service) looks up the PGT by PGTIOU and obtains the PT from CAS.]

CAS, uPortal, and other applications at Yale
- Simple service-ticket authentication
  - IMP webmail
  - Email Account Configuration Tool
- Single-tier proxy-ticket authentication
  - Meeting Maker
- Multi-tier proxy-ticket authentication
  - Recent Email Channel

IMP Webmail
https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
[Screenshot]

IMP Webmail
1. User clicks on link in Recent Email channel
2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
3. IMP stores destination URL/message as session variable, and redirects the browser to CAS
4. Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message

But how is the user authenticated to the IMAP server? IMP normally wants to replay cached primary credentials.

IMP Webmail – CAS PAM module
[Diagram: IMP validates its ST with CAS, obtains a PGT and then a PT for the IMAP server. The CAS PAM module on the IMAP server validates the PT with CAS, which yields the NetID and IMP's proxy callback URL (unique ID).]

Email Account Configuration Tool
- Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management
- CASified one year ago
- Linked in uPortal as: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main
- Simple service ticket-only authentication
- Takes advantage of single sign-on
[Screenshot: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main]

Meeting Maker
- Meeting Maker, Inc. provides a Java API to access calendaring data
- A Java servlet uses the API to retrieve data and provide an XML feed to the portal
- The servlet doesn't know about the user's MM password – it uses a master MM server password to access the data
[Diagram: uPortal presents a PT to the Meeting Maker Servlet, which validates it with CAS (NetID, ProxyID). The servlet authenticates to the Meeting Maker Server with the MM admin PW and the user's NetID, retrieves the MM data and returns XML to uPortal.]
- Channel authentication performed through CAS Java Servlet filter (included in CAS client library)
- uPortal's CAS proxy callback URL configured in web application's deployment descriptor:

    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
      <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
    </init-param>

Recent Email Channel
- Displays 10 most recent email messages
- Multi-tier CAS proxy authentication
- Same design as Meeting Maker: servlet pulls data from back-end source, returns as XML
- Different authentication from MM: IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module
[Diagram: uPortal, Email Servlet, IMAP Server, CAS. uPortal validates its ST with CAS and receives a PGT through its PGTURL/PGTIOU; uPortal obtains a PT for the Email Servlet; the Email Servlet validates that PT with CAS (NetID, ProxyID), obtains its own PGT and a PT for the IMAP Server; the IMAP Server validates that PT with CAS, learns the NetID and opens an IMAP session; the Email Servlet returns XML to uPortal.]
- Can't use CAS filter because it must obtain proxy tickets to pass to IMAP
- Uses the CAS ProxyTicketValidator for authentication (included with CAS client library)
- getProxyTicket()
- Current beta of CAS filter provides support for acquiring proxy tickets

Summary
- Simple CAS authentication
- n-tier authentication problem
- CAS's solution: Proxy CAS
- uPortal and CAS Security Provider

Summary
- uPortal, CAS, and other applications
  - Simple service ticket authentication: IMP Webmail, Email Account Configuration Tool
  - Single-layer proxy ticket authentication: Meeting Maker
  - Multi-layer proxy ticket authentication: Recent Email Channel

Questions?

For more information
Drew Mazurek <[email protected]>
CAS Web Site: http://www.yale.edu/tp/cas
CAS Mailing List: [email protected], http://tp.its.yale.edu/mailman/listinfo/cas
This presentation: http://www.yale.edu/tp/cas/cas-jasig-2004.ppt, http://www.yale.edu/tp/cas/cas-jasig-2004.htm
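The proxy exchange drawn on the "CAS 2.0: Proxy CAS", "uPortal with CAS Provider" and "Recent Email Channel" slides, as an added worked example. This is not code from the presentation, from CAS or from uPortal: it models the CAS server, the ProxyTicketReceptor and the two-tier uPortal -> Email Servlet -> IMAP chain in memory. The ticket formats, an in-process callback standing in for CAS's HTTPS call to the PGTURL, the servlet and IMAP URLs and the NetID abc123 are assumptions; uPortal's callback URL is the one shown on the Meeting Maker slide.

```python
"""Added example, not CAS or uPortal code: in-memory model of Proxy CAS.
Ticket formats, callback mechanism and all URLs except uPortal's are assumed."""
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ValidationResult:
    """What /serviceValidate or /proxyValidate tells the validating service."""
    netid: str
    proxies: List[str]               # proxy chain, most recent proxy first
    pgt_iou: Optional[str] = None    # only present when a PGTURL was supplied


class CasServer:
    """Minimal CAS: issues ST, PGT and PT, validates each ticket once."""

    def __init__(self):
        self._st = {}    # ST  -> (netid, service it was issued for)
        self._pgt = {}   # PGT -> (netid, callback URL of holder, chain so far)
        self._pt = {}    # PT  -> (netid, target service, proxy chain)

    def login(self, netid, service):
        # Primary authentication done; CAS sends the browser back with an ST.
        st = "ST-" + secrets.token_hex(8)
        self._st[st] = (netid, service)
        return st

    def _grant_pgt(self, netid, pgt_url, chain, callback):
        # Proxy CAS: the PGT goes out of band to the service's https listener,
        # keyed by a PGTIOU; only the PGTIOU rides in the validation response.
        pgt, iou = "PGT-" + secrets.token_hex(8), "PGTIOU-" + secrets.token_hex(8)
        self._pgt[pgt] = (netid, pgt_url, chain)
        callback(iou, pgt)           # stands in for the HTTPS call to PGTURL
        return iou

    def service_validate(self, st, service, pgt_url=None, callback=None):
        netid, issued_for = self._st.pop(st, (None, None))   # single use
        if netid is None or issued_for != service:
            return None
        res = ValidationResult(netid, [])
        if pgt_url:
            res.pgt_iou = self._grant_pgt(netid, pgt_url, [], callback)
        return res

    def proxy(self, pgt, target_service):
        # /proxy: exchange a PGT for a PT good for exactly one back end.
        if pgt not in self._pgt:
            return None
        netid, pgt_url, chain = self._pgt[pgt]
        pt = "PT-" + secrets.token_hex(8)
        self._pt[pt] = (netid, target_service, [pgt_url] + chain)
        return pt

    def proxy_validate(self, pt, service, pgt_url=None, callback=None):
        netid, issued_for, chain = self._pt.pop(pt, (None, None, None))
        if netid is None or issued_for != service:
            return None
        res = ValidationResult(netid, chain)
        if pgt_url:  # a back end that is itself a proxy extends the chain
            res.pgt_iou = self._grant_pgt(netid, pgt_url, chain, callback)
        return res


class ProxyTicketReceptor:
    """The service's https listener: remembers PGTIOU -> PGT pairs from CAS."""

    def __init__(self):
        self._by_iou = {}

    def receive(self, pgt_iou, pgt):
        self._by_iou[pgt_iou] = pgt

    def pgt_for(self, pgt_iou):
        return self._by_iou.get(pgt_iou)


def run_multi_tier(netid="abc123"):
    """Recent Email flow: browser -> uPortal -> Email Servlet -> IMAP server."""
    cas = CasServer()
    portal_cb = "https://portal.yale.edu/CasProxyServlet"      # from the slides
    servlet_cb = "https://mail-servlet.example/pgtCallback"    # assumed
    portal_rx, servlet_rx = ProxyTicketReceptor(), ProxyTicketReceptor()

    st = cas.login(netid, "https://portal.yale.edu/")
    v0 = cas.service_validate(st, "https://portal.yale.edu/",
                              pgt_url=portal_cb, callback=portal_rx.receive)
    # getProxyTicket(pgtIou, service): look up the PGT, ask CAS for a PT.
    pt1 = cas.proxy(portal_rx.pgt_for(v0.pgt_iou), "https://mail-servlet.example/feed")
    v1 = cas.proxy_validate(pt1, "https://mail-servlet.example/feed",
                            pgt_url=servlet_cb, callback=servlet_rx.receive)
    pt2 = cas.proxy(servlet_rx.pgt_for(v1.pgt_iou), "imap://imap.example")
    # The CAS PAM module on the IMAP server validates PT2 and learns who the
    # user is and which proxies stood between the browser and the mailbox.
    v2 = cas.proxy_validate(pt2, "imap://imap.example")
    replayed = cas.proxy_validate(pt2, "imap://imap.example")  # PT is one-shot
    return v2.netid, v2.proxies, replayed is None


if __name__ == "__main__":
    print(run_multi_tier())
```

The point the slides make about the "n-tier authentication problem" is visible in the return value: the IMAP server learns the NetID and the full chain of proxies, but no tier ever sees the user's password, and a proxy ticket that has been validated once is useless to whoever captures it afterwards.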
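The check a back end must perform before trusting a proxy ticket, as an added example covering both the authorizedProxy init-param on the Meeting Maker slide and the CAS PAM module's validation on the Recent Email Channel slide. It is not code from the presentation or from the CAS client library: it parses a CAS 2.0 /proxyValidate response with the standard library and applies the policy that the first-listed proxy (the one that minted the ticket) must be one the back end was configured to accept. The XML responses are constructed samples; uPortal's callback URL comes from the slides, the email servlet's URL is an assumption.

```python
"""Added example, not CAS client code: parse a CAS 2.0 proxyValidate response
and enforce an authorized-proxy policy. Sample responses are constructed."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}       # namespace of CAS 2.0 responses

PORTAL_PROXY = "https://portal.yale.edu/CasProxyServlet"     # from the slides
SERVLET_PROXY = "https://mail-servlet.example/pgtCallback"   # assumed


class ProxyValidationError(Exception):
    pass


def parse_proxy_validate(xml_text):
    """Return (netid, proxies, pgt_iou); proxies list the most recent proxy first."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ProxyValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ProxyValidationError("response is neither success nor failure")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise ProxyValidationError("no cas:user in response")
    proxies = [p.text.strip() for p in success.iterfind("cas:proxies/cas:proxy", CAS_NS) if p.text]
    pgt_iou = success.findtext("cas:proxyGrantingTicket", default=None, namespaces=CAS_NS)
    return user, proxies, pgt_iou


def authenticate_proxy_ticket(xml_text, authorized_proxies, require_proxy=True):
    """Accept the ticket only if the proxy that requested it is on our list."""
    user, proxies, _ = parse_proxy_validate(xml_text)
    if not proxies:
        # A plain service ticket; an IMAP server expecting uPortal's proxy
        # tickets has no reason to take one directly from a browser.
        if require_proxy:
            raise ProxyValidationError("service ticket presented where a proxy ticket is required")
        return user
    if proxies[0] not in authorized_proxies:
        raise ProxyValidationError(f"unauthorized proxy {proxies[0]}")
    return user


def rejected(xml_text, authorized_proxies):
    """True if the policy rejects this response (used by the checks below)."""
    try:
        authenticate_proxy_ticket(xml_text, authorized_proxies)
        return False
    except ProxyValidationError:
        return True


def _response(proxies):
    """Build a constructed success response for NetID abc123 with the given chain."""
    chain = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
    return (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationSuccess><cas:user>abc123</cas:user>"
        f"<cas:proxies>{chain}</cas:proxies></cas:authenticationSuccess>"
        "</cas:serviceResponse>"
    )


# Constructed samples: what CAS would return to each validating back end.
MEETING_MAKER_RESPONSE = _response([PORTAL_PROXY])                  # one tier
RECENT_EMAIL_RESPONSE = _response([SERVLET_PROXY, PORTAL_PROXY])    # two tiers
ROGUE_RESPONSE = _response(["https://attacker.example/cb", PORTAL_PROXY])
FAILURE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='INVALID_TICKET'>Ticket PT-1 not recognized"
    "</cas:authenticationFailure></cas:serviceResponse>"
)

if __name__ == "__main__":
    print(authenticate_proxy_ticket(MEETING_MAKER_RESPONSE, {PORTAL_PROXY}))
    print(rejected(RECENT_EMAIL_RESPONSE, {PORTAL_PROXY}))
```

Note what the Meeting Maker configuration implies: a servlet that authorizes only https://portal.yale.edu/CasProxyServlet rejects a ticket that reached it through a second proxy, which is why a multi-tier back end such as the IMAP server has to list every proxy it is willing to sit behind.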