Opensource Single SignOn with CAS Central Authentication Service

  • Slides: 27
Download presentation
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium

Open-source Single Sign-On with CAS • Single Sign-On – Why SSO? – The main

Open-source Single Sign-On with CAS • Single Sign-On – Why SSO? – The main principles of web SSO – The choice of CAS • CAS (Central Authentication Service) – How does it work? – How to CAS-ify applications • Web applications • Non-web applications • Limits • The effort of the ESUP-Portail consortium around CAS

Why Single Sign-On? • Unique accounts but several authentications – Each time users access

Why Single Sign-On? • Unique accounts but several authentications – Each time users access an application • Security (password stealing) – Protect password transmission – Do not transmit passwords to applications • Simplify applications • Delegate developments without delegating authentication • Abstract authentication – LDAP, NIS, database, NT, Active Directory, X 509 certificates, …

SSO: the user’s point of view service app. #1 app. #2 app. #3 web

SSO: the user’s point of view service app. #1 app. #2 app. #3 web browser without SSO app. #1 app. #2 app. #3 web browser with SSO

SSO: principles on the web • Authentication is centralized – One (redundant) authentication server

SSO: principles on the web • Authentication is centralized – One (redundant) authentication server • Transparent HTTP redirections – From applications to the authentication server (when not authenticated) – From the authentication server to applications (when authenticated) • Tokens propagate identities – Cookies, CGI parameters

CAS: why did we choose it? • Security – Password is never transmitted to

CAS: why did we choose it? • Security – Password is never transmitted to applications – Opaque tickets are used • N-tier installations – Without transmitting any password! • Portability (client libraries) – Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules • Permanence – Developed by Yale University – World-wide used (mainly Universities) – Adopted by all the French educational community • J 2 EE platform – Very light code (about 1000 lines) • Open source • Integrated into u. Portal

CAS: why did we choose it? user database service app. #2 app. #3 app.

CAS: why did we choose it? user database service app. #2 app. #3 app. #1 app. #2 app. #3 pa ne ss t. Id w or d n pas et. Id sw ord app. #1 user database web browser without SSO with CAS authentication server

CAS: why did we choose it? user database service app. #2 app. #3 app.

CAS: why did we choose it? user database service app. #2 app. #3 app. #1 app. #2 app. #3 pa ne ss t. Id w or d n pas et. Id sw ord app. #1 user database web browser without SSO with CAS authentication server

User authentication HTTPS CAS server web browser

User authentication HTTPS CAS server web browser

User authentication user database net. Id password HTTPS CAS server TGC • TGC: Ticket

User authentication user database net. Id password HTTPS CAS server TGC • TGC: Ticket Granting Cookie – User’s passport to the CAS server – Private and protected cookie (the only one used by CAS, optional) – Opaque re-playable ticket web browser TGC

Accessing an application after authentication • ST: Service Ticket – Browser’s passport to the

Accessing an application after authentication • ST: Service Ticket – Browser’s passport to the CAS client (application) – Opaque and non re-playable ticket – Very limited validity (a few seconds) ID CAS server application ST TGC HTTPS ST ST web browser TGC

Accessing an application after authentication • ST: Service Ticket – Browser’s passport to the

Accessing an application after authentication • ST: Service Ticket – Browser’s passport to the CAS client (application) – Opaque and non re-playable ticket – Very limited validity (a few seconds) ID CAS server application ST TGC HTTPS ST ST • Redirections are transparent to users web browser TGC

Accessing an application without authentication Authentication form HTTPS CAS server web browser application

Accessing an application without authentication Authentication form HTTPS CAS server web browser application

Accessing an application without authentication ID net. Id password HTTPS CAS server application ST

Accessing an application without authentication ID net. Id password HTTPS CAS server application ST TGC ST ST • No need to be previously authenticated to access an application web browser TGC

Remarks • Once a TGC acquired, authentication is transparent for the access to any

Remarks • Once a TGC acquired, authentication is transparent for the access to any CAS-ified application of the workspace • Once authenticated by an application, a session should be used between the browser and the application

CAS-ifying a web application • Use provided libraries • Add a few lines of

CAS-ifying a web application • Use provided libraries • Add a few lines of code • Note: you can also protect static resources – With mod_cas, an Apache module

CAS-ifying a web application • An example using php. CAS (ESUP-Portail) <? php //

CAS-ifying a web application • An example using php. CAS (ESUP-Portail) <? php // include php. CAS library include_once('CAS/CAS. php'); // declare our script as a CAS client php. CAS: : client(CAS_VERSION_2_0, 'auth. univ. fr', 443, ''); // redirect to the CAS server if needed php. CAS: : authenticate. If. Needed(); // at this point, the user is authenticated ? > <h 1>Successfull Authentication!</h 1> <p>User's login: <? php echo php. CAS: : get. User(); ? >. </p>

N-tier installations service CAS server ID PGT ST application (CAS proxy) PGT ST •

N-tier installations service CAS server ID PGT ST application (CAS proxy) PGT ST • PGT: Proxy Granting Ticket web browser TGC – Application’s passport for a user to the CAS server – Opaque and re-playable ticket

N-tier installations service • PT : Proxy Ticket ID PT PT CAS server PT

N-tier installations service • PT : Proxy Ticket ID PT PT CAS server PT – Application’s passport for a user to a tier service – Opaque and non re-playable ticket – Very limited validity PGT application (CAS proxy) PGT ST • PGT: Proxy Granting Ticket web browser TGC – Application’s passport for a user to the CAS server – Opaque and re-playable ticket

CAS-ifying a non web application • One of the strongest points of CAS •

CAS-ifying a non web application • One of the strongest points of CAS • Use the pam_cas PAM module • Example of PAM configuration: auth sufficient /lib/security/pam_ldap. so auth sufficient /lib/security/pam_pwdb. so shadow nullok auth required /lib/security/pam_cas. so

The pam_cas PAM module login/ticket login/password client application server application login/password pam_ldap pam_pwdb pam_cas

The pam_cas PAM module login/ticket login/password client application server application login/password pam_ldap pam_pwdb pam_cas LDAP directory /etc/passwd ticket CAS server • Pam_cas authenticates users with a CAS ticket

CAS-ifying an IMAP server • Objectives – Access an IMAP server from a web

CAS-ifying an IMAP server • Objectives – Access an IMAP server from a web application that does not know the password of the user connected – Let traditional mail clients authenticate “normally” (with a password) – Do not modify the IMAP server • The solution: pam_cas : -)

CAS-ifying an IMAP server web browser login / password traditional mail client ST login

CAS-ifying an IMAP server web browser login / password traditional mail client ST login / PT CAS-ified webmail (CAS proxy) IMAP server login / password pam_ldap pam_pwdb pam_cas LDAP directory /etc/passwd PT CAS server

CAS-ifying Cyrus IMAPd login / password traditional mail client Cache efficiency: 95% login /

CAS-ifying Cyrus IMAPd login / password traditional mail client Cache efficiency: 95% login / PT CAS-ified webmail (CAS proxy) Cyrus imapd ST web browser Cyrus IMAP daemon sasl Unix socket sasl_authd cache login / password pam_ldap pam_pwdb pam_cas LDAP directory /etc/passwd sasl_authd daemon PT CAS server

Limits (and perspectives) • CAS deals with authentication, not authorization – Mixing CAS and

Limits (and perspectives) • CAS deals with authentication, not authorization – Mixing CAS and Shibboleth? • No redundancy – No native load-balancing – No fault-tolerance • No Single Sign-Off • A very poor documentation (but low load) (but very good reliability)

The effort of the ESUP-Portail consortium • Writing documentation • Adding libraries (php. CAS,

The effort of the ESUP-Portail consortium • Writing documentation • Adding libraries (php. CAS, esup-mod_cas, esup-pam_cas) • Adding features to the CAS server – – – Authentication handlers (LDAP, NIS, files, databases, NT domains, …) Mixed authentication Authentication debug mode Rendering customization (appearance, internationalization) CAS quick start (Jakarta Tomcat + Yale CAS server + CAS GH) • Supporting the French CAS community – Through forums and mailing lists

Enjoy CAS!

Enjoy CAS!