ClearPass A CAS Extension Enabling Credential Replay

Transcription

1 ClearPass A CAS Extension Enabling Credential Replay Andrew Petro Unicon, Inc. Copyright Unicon, Inc., Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit Jasig 2010 San Diego, CA 09 March 2010

2 Disclaimers Personal Opinions are my own Opinions herein are my own, and are not necessarily those of my employer, of Jasig, of the Jasig CAS steering committee, or of anyone else. CC-NC-SA Disclaims Warranty Creative Commons licenses have some fantastic language for disclaiming warranties. That's in part why speakers use them. 2

3 Agenda 1. What is ClearPass? 2. How does ClearPass work? 3. uportal example 4. Outlook Web Access example 5. Continued adoption in new environments 6. Questions? 3

4 What is ClearPass? 4

5 ClearPass Free and Open Source Software Extending CAS to... capture the end user's password at login And selectively release this password to authorized applications Like, say, an enterprise portal 5

6 Whence? Developed by Unicon for Sacramento State University and released as Free and Open Source Software Updated by Scott Battaglia via effort funded through Unicon's Cooperative Support for CAS Cooperative Development program 6

7 Concretely, what? Extensions to Jasig CAS to capture and expose credentials Extensions to Jasig uportal to consume the credentials 7

8 Wait, wait. Timeout. 8

9 Say what? Did I say ClearPass is an extension for releasing the end user's password??? That sounds like a really bad idea. 9

10 Why would you want to release end user credentials? Healthy skepticism is warranted. 10

11 Passwords are such useful things Have you ever given anyone your password? To anything?

12 Two purposes End-user single sign on N-tier application-to-application-on-behalf-ofuser authentication 12

13 Delete your login forms. 13

14 Apps do not touch passwords CAS 14

15 Greater than zero effort 15

16 Difficult to CASify 16

17 N-tier authentication User authenticates to Application 1 Application 1 authenticates to Application 2 on behalf of User How to accomplish this? 17

18 Options for N-Tier AuthN Principled Enterprise SSO regimes with Delegation Application-to-application authentication methods with assertion of user identity Direct use of end-user credentials 18

19 Passwords are such useful things 19

20 MailPortlet 20

21 After all, why is this hard? 21

22 Why ClearPass? End-user single sign on to difficult-to-casify Web applications N-tier application-to-application-on-behalf-ofuser authentication to difficult-to-casify services 22

23 How does ClearPass work? But first, an aside 23

24 How does Proxy CAS work? An aside necessary to understand how ClearPass works 24

25 How CAS Works S Web application T CAS NetID S T Web browser C 25

26 CAS 2.0: Proxy CAS PGT PGTIOU https listener Web application S NetID T PGTURL CAS PGTIOU S ST Web browser C 26

27 CAS 2.0: Proxy CAS NetID PGTURL PT Back-end application S Data Web application PGT PT S CAS PT Web browser 27

28 Proxiable credentials illustrated IMAP server CAS PAM module S PT T PGT IMP CAS PGT PT PT -Username -Identity of web resource 28

29 How does ClearPass work? Now that we've reviewed Proxy CAS, we can talk about this. 29

30 ClearPass CAS Extensions Capture the password at login Cache the password Release the password to authorized applications 30

31 Capture password at login In a perhaps too-clever way AuthenticationMetaDataPopulator But minimally invasive 31

32 Declaring the Cacher <bean class="org.jasig.cas3.extensions.clearpass.cachecredentia lsmetadatapopulator"> <constructor-arg index="0" ref="credentialscache" /> </bean> 32

33 Declaring and injecting <property name="authenticationmetadatapopulators"> <list> <bean class="org.jasig.cas3.extensions.clearpass.cachecredentia lsmetadatapopulator"> <constructor-arg index="0" ref="credentialscache" /> </bean> </list> </property> 33

34 Cache the password In an EhCache So this cache can be shared across CAS server instances in a cluster Can also be just in-memory 34

35 Expose the password Adds a controller 35

36 ClearPassController public ModelAndView handlerequestinternal(request, res) { final String username = request.getremoteuser(); if (username!= null) { final String password = this.credentialscache.get(username); return new ModelAndView(this.successView, MODEL_CLEARPASS, password); } return returnerror("no authentication information provided."); } 36

37 Response from /clearpass endpoint <cas:clearpassresponse xmlns:cas=' <cas:clearpasssuccess> <cas:credentials>actual_password</cas:credentials> </cas:clearpasssuccess> </cas:clearpassresponse> 37

38 Response from /clearpass endpoint <cas:clearpassresponse xmlns:cas=' <cas:clearpasssuccess> <cas:credentials>actual_password</cas:credentials> </cas:clearpasssuccess> </cas:clearpassresponse> 38

39 Wait, the password's in the clear? Well, no, not really. Clearpass callback URL is Accessed via HTTPS Request authenticated via Proxy CAS Ticket 39

40 Response from /clearpass endpoint <cas:clearpassresponse xmlns:cas=' <cas:clearpasssuccess> <cas:credentials>actual_password</cas:credentials> </cas:clearpasssuccess> </cas:clearpassresponse> 40

41 clearpasssuccess.jsp page session="false" %> taglib prefix="c" uri=" %> taglib uri=" prefix="fn" %> <cas:clearpassresponse xmlns:cas=' <cas:clearpasssuccess> <cas:credentials>$ {fn:escapexml(credentials)}</cas:credentials> </cas:clearpasssuccess> </cas:clearpassresponse> 41

42 Wait, the password's in the clear? Well, no, not really. Clearpass callback URL is Accessed via HTTPS Request authenticated via Proxy CAS Ticket 42

43 Authenticating to ClearPass How do applications authenticate to CAS ClearPass to get the password? Need to authenticate both the application and participation in a CAS single sign on session 43

44 Authenticated via PT! Use the Jasig CAS Client library itself to authenticate applications to the ClearPass CAS extension! 44

45 Uses Jasig Java CAS Client <filter-mapping> <filter-name>cas Validation Filter</filter-name> <url-pattern>/clearpass</url-pattern> </filter-mapping> <filter-mapping> <filter-name>cas HttpServletRequest Wrapper Filter</filtername> <url-pattern>/clearpass</url-pattern> </filter-mapping> 45

46 Uses Jasig Java CAS Client <filter> <filter- class>org.jasig.cas.client.validation.cas20proxyreceivingticke tvalidationfilter</filter-class> <init-param> <param-name>servername</param-name> <param-value> </init-param> <init-param> <param-name>allowedproxychains</param-name> <paramvalue> </init-param> </filter> 46

47 CAS 2.0: Proxy CAS NetID PGTURL PT Back-end application S Data Web application PGT PT S CAS PT Web browser 47

48 CAS 2.0: Proxy CAS NetID PGTURL PT CAS ClearPass Web Password application S PGT PT S CAS PT Web browser 48

49 uportal Example 49

50 Password Replay PW PW PW Channel PW PW PW Channel PW Portal Channel PW PasswordProtected Service PW PasswordProtected Service PW PasswordProtected Service PW

51 Password Replay PW PW PW Portlet PW PW PW Portlet PW Portal Portlet PW PasswordProtected Service PW PasswordProtected Service PW PasswordProtected Service PW

52 ClearPass uportal module ga/clearpass-integration-uportal/ Plugin for uportal's SecurityContext API Implements Password Caching API (supports password replay) Implements CAS API (supports CAS proxy tickets) 52

53 Password Replay Alongside PTs PW From ClearPass And PGT from CAS PW PW Portlet PW PGT PW Portlet PT Portal PW Portlet PT PasswordProtected Service PW PasswordProtected Service PW CASProtected Service PT

54 Portlets that (can) replay passwords 54

55 Portlets that can use passwords... preview Calendar preview Toro Gateway SSO portlet (for credential replay through login forms to achieve enduser SSO experience) Web Proxy Portlet Your portlet 55

56 Password as just an attribute A special, important attribute But just a standard JSR 168 user attribute Portlet doesn't care whether it came from ClearPass 56

57 SSO into Datatel WebAdvisor ClearPass uportal Toro Gateway SSO portlet 57

58 (There's more to this story) (Apparently Datatel WebAdvisor has an optional add-on product enabling SSO?) (So that might be a better option?) (But probably incurs license fees and uses proprietary software?) 58

59 Outlook Web Access example 59

60 Free Software alternatives to OWA While ClearPass-infused heroics can be applied to CASify Outlook Web Access... You could instead use something under an Open Source license... 60

61 Bill Thompson (!) 's Solution 61

62 CasOwaAuthHandler.cs Handles an HTTP request Obtains a Proxy Ticket to CAS/clearpass Uses PT to obtain password from CAS/clearpass Uses password to internally POST to OWA login form, reading resulting session cookies Sends session cookies back to end user browser (works since running in OWA) Redirects browser to OWA 62

63 Liferay example 63

64 Bill Thompson(!) forum post liferay_jasig_cas_client_forum_discussion 64

65 Liferay 5 extensions Use Jasig Java CAS Client library Obtain PT Use PT to obtain Password from ClearPass Place password into session where Liferay expects it Portlets use it as normal 65

66 How ClearPass Fits 66

67 ClearPass Enables incremental adoption of Enterprise SSO Adopt CAS SSO Use ClearPass to enable legacy integrations Use CAS and CAS delegated authentication wherever you can Improvement: incrementally, less proliferation of passwords and use of passwords 67

68 ClearPass Future Subtitle (optional) 68

69 Encrypt the password at rest? 69

70 What about multiple passwords? Represent as different ClearPass callback URLs? 70

71 Questions & Answers & Discussion Andrew Petro Software Developer Unicon, Inc. 71

72 License and Copyleft Copyright Unicon, Inc., Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit 72

73 Acknowledgments Bill Thompson for his excellent work developing and documenting Liferay extensions to use Jasig Java CAS Client 3 and ClearPass and OWA extensions to rely upon ClearPass for SSO into OWA. (Roller derby timeout image; CC-NC 2.0) 73