ClearPass A CAS Extension Enabling Credential Replay




ClearPass: A CAS Extension Enabling Credential Replay
Andrew Petro, Unicon, Inc.
http://www.ja-sig.org/wiki/display/casum/clearpass
Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Jasig 2010, San Diego, CA, 09 March 2010

Disclaimers
Personal: opinions are my own. Opinions herein are my own, and are not necessarily those of my employer, of Jasig, of the Jasig CAS steering committee, or of anyone else.
CC-NC-SA disclaims warranty: Creative Commons licenses have some fantastic language for disclaiming warranties. That's in part why speakers use them.

Agenda
1. What is ClearPass?
2. How does ClearPass work?
3. uPortal example
4. Outlook Web Access example
5. Continued adoption in new environments
6. Questions?

What is ClearPass?

ClearPass is Free and Open Source Software extending CAS to capture the end user's password at login, and to selectively release this password to authorized applications (like, say, an enterprise portal).

Whence? Developed by Unicon for Sacramento State University and released as Free and Open Source Software. Updated by Scott Battaglia via effort funded through Unicon's Cooperative Support for CAS cooperative development program.

Concretely, what? Extensions to Jasig CAS to capture and expose credentials, and extensions to Jasig uPortal to consume the credentials. https://www.ja-sig.org/svn/casextensions/clearpass/

Wait, wait. Timeout. (Image: http://www.flickr.com/photos/rollerfan/3052241108)

Say what? Did I say ClearPass is an extension for releasing the end user's password??? That sounds like a really bad idea.

Why would you want to release end user credentials? Healthy skepticism is warranted.

Passwords are such useful things. Have you ever given anyone your password? To anything? (Image: http://www.flickr.com/photos/bulldogsrule/512916347, http://creativecommons.org/licenses/by-nc-nd/2.0/)

Two purposes: end-user single sign-on, and N-tier application-to-application-on-behalf-of-user authentication.

Delete your login forms.

Apps do not touch passwords (CAS).

Greater than zero effort.

Difficult to CASify.

N-tier authentication: the user authenticates to Application 1; Application 1 authenticates to Application 2 on behalf of the user. How to accomplish this?

Options for N-tier AuthN: principled enterprise SSO regimes with delegation; application-to-application authentication methods with assertion of user identity; direct use of end-user credentials.

Passwords are such useful things.

MailPortlet.

After all, why is this hard?

Why ClearPass? End-user single sign-on to difficult-to-CASify web applications, and N-tier application-to-application-on-behalf-of-user authentication to difficult-to-CASify services.

How does ClearPass work? But first, an aside.

How does Proxy CAS work? An aside necessary to understand how ClearPass works.

How CAS Works (diagram: Web browser, Web application and CAS; labels S, T, NetID, C)

CAS 2.0: Proxy CAS (diagram: Web browser, Web application with an HTTPS listener at its PGTURL, and CAS; labels S, ST, PGT, PGTIOU, NetID)

CAS 2.0: Proxy CAS (diagram: Web browser, Web application, Back-end application and CAS; the web application uses its PGT to obtain a PT and presents the PT to the back-end application for data; labels S, NetID, PGTURL, PGT, PT, Data)

Proxiable credentials illustrated (diagram: IMAP server with a CAS PAM module, IMP, and CAS; labels S, T, PGT, PT; a PT conveys the username and the identity of the web resource)

How does ClearPass work? Now that we've reviewed Proxy CAS, we can talk about this.

ClearPass CAS extensions: capture the password at login; cache the password; release the password to authorized applications.

Capture password at login: in a perhaps too-clever way, via an AuthenticationMetaDataPopulator, but minimally invasive.

Declaring the Cacher

    <bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
        <constructor-arg index="0" ref="credentialsCache" />
    </bean>

Declaring and injecting (into the authentication manager's list of populators)

    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
                <constructor-arg index="0" ref="credentialsCache" />
            </bean>
        </list>
    </property>

Cache the password: in an EhCache, so this cache can be shared across CAS server instances in a cluster. Can also be just in-memory.

Expose the password: adds a controller.

ClearPassController

    public ModelAndView handleRequestInternal(HttpServletRequest request,
                                              HttpServletResponse response) {
        // Set by the CAS client filter once the caller's proxy ticket has validated
        final String username = request.getRemoteUser();
        if (username != null) {
            final String password = this.credentialsCache.get(username);
            return new ModelAndView(this.successView, MODEL_CLEARPASS, password);
        }
        return returnError("No authentication information provided.");
    }

Response from /clearpass endpoint

    <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:clearPassSuccess>
            <cas:credentials>actual_password</cas:credentials>
        </cas:clearPassSuccess>
    </cas:clearPassResponse>

Wait, the password's in the clear? Well, no, not really. The ClearPass callback URL is accessed via HTTPS, and the request is authenticated via a Proxy CAS ticket.

clearPassSuccess.jsp

    <%@ page session="false" %>
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
    <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:clearPassSuccess>
            <cas:credentials>${fn:escapeXml(credentials)}</cas:credentials>
        </cas:clearPassSuccess>
    </cas:clearPassResponse>

Authenticating to ClearPass: how do applications authenticate to CAS ClearPass to get the password? Need to authenticate both the application and its participation in a CAS single sign-on session.

Authenticated via PT! Use the Jasig CAS Client library itself to authenticate applications to the ClearPass CAS extension!

Uses Jasig Java CAS Client (web.xml filter mappings for the /clearpass URL)

    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/clearpass</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/clearpass</url-pattern>
    </filter-mapping>

Uses Jasig Java CAS Client (the validation filter accepts only proxy tickets whose proxy chain is the portal's proxy callback)

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://my.clearpass.cas.instance/</param-value>
        </init-param>
        <init-param>
            <param-name>allowedProxyChains</param-name>
            <param-value>http://my.uportal.edu/CasProxyServlet</param-value>
        </init-param>
    </filter>
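The slides above (capture via the populator, the EhCache, the /clearpass controller, the escaped XML response, and the proxy-ticket filter with allowedProxyChains) describe the server side as a sequence of checks. The following Python simulation is an added example, not the ClearPass project's Java code: it models the cache with a lifetime, single-use proxy-ticket validation, the exact-match proxy-chain check the filter performs, and XML escaping of the released credential. CredentialsCache, the in-memory ticket table, the cache TTL and the clearPassFailure element (the deck shows only the success document) are assumptions of this example; the credential and tickets are constructed.

```python
"""Simulation of the ClearPass server side: capture at login, cache with a
lifetime, release only to a caller whose proxy ticket validates with an
allowed proxy chain. Added example, not the ClearPass project's code."""
import time
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
# allowedProxyChains from the filter config: each chain is a tuple of proxy
# callback URLs, and a PT's chain must match one of them exactly.
ALLOWED_PROXY_CHAINS = {("http://my.uportal.edu/CasProxyServlet",)}
CACHE_TTL_SECONDS = 8 * 3600  # assumed: bound the cached password to the SSO session


class CredentialsCache:
    """Stand-in for the EhCache: username -> (password, expiry time)."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.time):
        self._ttl, self._clock, self._entries = ttl, clock, {}

    def put(self, username, password):
        self._entries[username] = (password, self._clock() + self._ttl)

    def get(self, username):
        entry = self._entries.get(username)
        if entry is None:
            return None
        password, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[username]  # evict: never hand out stale credentials
            return None
        return password

    def remove(self, username):
        """Call on logout so the password does not outlive the SSO session."""
        self._entries.pop(username, None)


def cache_credentials_on_login(cache, username, password):
    """The AuthenticationMetaDataPopulator hook: runs after primary
    authentication succeeded and only records the credential."""
    cache.put(username, password)


# Constructed stand-in for CAS /proxyValidate: ticket -> (username, proxy chain).
ISSUED_PROXY_TICKETS = {}


def issue_proxy_ticket(pt, username, proxy_chain):
    ISSUED_PROXY_TICKETS[pt] = (username, tuple(proxy_chain))


def proxy_validate(pt):
    """Proxy tickets are single use: the first validation consumes the ticket."""
    return ISSUED_PROXY_TICKETS.pop(pt, None)


def clearpass_success(password):
    # escape() encodes &, < and > so the password cannot break the XML
    # (the role fn:escapeXml plays in clearPassSuccess.jsp)
    return (f"<cas:clearPassResponse xmlns:cas='{CAS_NS}'>"
            f"<cas:clearPassSuccess><cas:credentials>{escape(password)}</cas:credentials>"
            f"</cas:clearPassSuccess></cas:clearPassResponse>")


def clearpass_failure(message):
    # Assumed failure element; the deck only shows the success document.
    return (f"<cas:clearPassResponse xmlns:cas='{CAS_NS}'>"
            f"<cas:clearPassFailure>{escape(message)}</cas:clearPassFailure>"
            f"</cas:clearPassResponse>")


def handle_clearpass(cache, pt):
    """/clearpass with the checks the CAS client filter performs made explicit.
    Returns (HTTP status, response body)."""
    validated = proxy_validate(pt)
    if validated is None:
        return 403, clearpass_failure("Proxy ticket invalid or already used.")
    username, chain = validated
    if chain not in ALLOWED_PROXY_CHAINS:
        return 403, clearpass_failure("Proxy chain not authorized for ClearPass.")
    password = cache.get(username)
    if password is None:
        return 404, clearpass_failure("No credentials cached for this user.")
    return 200, clearpass_success(password)


def demo():
    """Happy path, a replayed ticket, and a ticket from an unlisted proxy."""
    cache = CredentialsCache()
    cache_credentials_on_login(cache, "jdoe", "p<ss&w'd")  # constructed credential
    issue_proxy_ticket("PT-1-ok", "jdoe", ["http://my.uportal.edu/CasProxyServlet"])
    issue_proxy_ticket("PT-2-other", "jdoe", ["https://other.example.edu/proxy"])
    ok_status, ok_body = handle_clearpass(cache, "PT-1-ok")
    replay_status, _ = handle_clearpass(cache, "PT-1-ok")    # 403: single use
    other_status, _ = handle_clearpass(cache, "PT-2-other")  # 403: chain not allowed
    return ok_status, ok_body, replay_status, other_status


if __name__ == "__main__":
    print(demo())
```

The two refusals in demo() are the properties the filter configuration buys you: a captured proxy ticket cannot be presented twice, and a proxy ticket minted for any callback other than the listed CasProxyServlet is refused before the cache is consulted. The TTL and remove() are not in the deck; they address the "encrypt the password at rest?" concern from the other direction by shortening how long the plaintext exists.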

CAS 2.0: Proxy CAS (diagram repeated: Web browser, Web application, Back-end application and CAS; labels S, NetID, PGTURL, PGT, PT, Data)

CAS 2.0: Proxy CAS with ClearPass (diagram: the CAS ClearPass endpoint takes the place of the back-end application and returns the password instead of data; labels S, NetID, PGTURL, PGT, PT, Password)

uPortal Example

Password Replay (diagram: the Portal holds the password PW and hands it to each channel, and each channel replays PW to a password-protected service)

Password Replay (diagram: the same flow with portlets in place of channels)

ClearPass uPortal module
https://www.ja-sig.org/svn/casextensions/clearpass/tags/clearpass_1_0_0_ga/clearpass-integration-uportal/
Plugin for uPortal's SecurityContext API. Implements the Password Caching API (supports password replay). Implements the CAS API (supports CAS proxy tickets).

Password Replay alongside PTs (diagram: the Portal holds PW from ClearPass and a PGT from CAS; portlets receive PW or a PT; password-protected services receive PW, CAS-protected services receive a PT)

Portlets that (can) replay passwords

Portlets that can use passwords: Email preview; Calendar preview; Toro Gateway SSO portlet (for credential replay through login forms to achieve an end-user SSO experience); Web Proxy Portlet; your portlet.

Password as just an attribute: a special, important attribute, but just a standard JSR 168 user attribute. The portlet doesn't care whether it came from ClearPass.

SSO into Datatel WebAdvisor: http://www.ja-sig.org/wiki/display/casc/casify ClearPass, uPortal, Toro Gateway SSO portlet.

(There's more to this story.) (Apparently Datatel WebAdvisor has an optional add-on product enabling SSO?) (So that might be a better option?) (But probably incurs license fees and uses proprietary software?)

Outlook Web Access example

Free Software alternatives to OWA: while ClearPass-infused heroics can be applied to CASify Outlook Web Access... you could instead use something under an Open Source license...

Bill Thompson (!)'s Solution: http://github.com/wgthom/casowa

CasOwaAuthHandler.cs
1. Handles an HTTP request.
2. Obtains a Proxy Ticket to CAS/clearpass.
3. Uses the PT to obtain the password from CAS/clearpass.
4. Uses the password to internally POST to the OWA login form, reading the resulting session cookies.
5. Sends the session cookies back to the end user's browser (works since it is running in OWA).
6. Redirects the browser to OWA.

Liferay example

Bill Thompson (!) forum post: http://bit.ly/liferay_jasig_cas_client_forum_discussion

Liferay 5 extensions: http://github.com/wgthom/cas3liferay5
1. Use the Jasig Java CAS Client library.
2. Obtain a PT.
3. Use the PT to obtain the password from ClearPass.
4. Place the password into the session where Liferay expects it.
5. Portlets use it as normal.
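The OWA handler and the Liferay 5 extension follow the same client-side procedure: obtain a PT for the ClearPass callback URL, present it to /clearpass, parse the credential out of the response, and put it where the consuming application expects it. The following Python is an added example of that procedure, not the casowa or cas3liferay5 code. The HTTP transport and both CAS responses are constructed (there is no live CAS here), CAS_BASE reuses the serverName from the filter configuration, and SESSION_PASSWORD_KEY is an assumed name for wherever the portal keeps the credential.

```python
"""Client side of ClearPass: PGT -> PT for /clearpass -> credential -> session.
Added example; not the casowa or cas3liferay5 code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"
CAS_BASE = "https://my.clearpass.cas.instance"  # serverName from the filter config
CLEARPASS_URL = CAS_BASE + "/clearpass"
SESSION_PASSWORD_KEY = "clearpass.password"      # assumed session attribute name


def proxy_url(pgt, target_service):
    """CAS 2.0 /proxy: trade the PGT for a PT scoped to one target service."""
    return CAS_BASE + "/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})


def clearpass_url(pt):
    return CLEARPASS_URL + "?" + urlencode({"ticket": pt})


def _q(local_name):
    """Clark-notation qualified name for the cas: namespace."""
    return f"{{{CAS_NS}}}{local_name}"


def parse_proxy_response(body):
    root = ET.fromstring(body)
    pt = root.find(_q("proxySuccess") + "/" + _q("proxyTicket"))
    if pt is None:
        failure = root.find(_q("proxyFailure"))
        detail = failure.text.strip() if failure is not None and failure.text else "malformed"
        raise RuntimeError("proxy failure: " + detail)
    return pt.text.strip()


def parse_clearpass_response(body):
    """Namespace-aware parse of the clearPassResponse document; XML entities
    in the credential are decoded by the parser."""
    root = ET.fromstring(body)
    cred = root.find(_q("clearPassSuccess") + "/" + _q("credentials"))
    if cred is None:
        raise RuntimeError("ClearPass did not release credentials")
    return cred.text or ""


def fetch_password(pgt, http_get):
    """Steps 2 and 3: obtain a PT, then present it to /clearpass."""
    pt = parse_proxy_response(http_get(proxy_url(pgt, CLEARPASS_URL)))
    return parse_clearpass_response(http_get(clearpass_url(pt)))


def establish_session(pgt, session, http_get):
    """Step 4: store the credential where the portal expects it, and return
    only what is safe to log (never the password itself)."""
    password = fetch_password(pgt, http_get)
    session[SESSION_PASSWORD_KEY] = password
    return {"cached": True, "length": len(password)}


# Constructed responses keyed by request URL, standing in for live CAS/ClearPass.
SAMPLE_RESPONSES = {
    proxy_url("PGT-constructed-valid", CLEARPASS_URL):
        f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:proxySuccess>"
        "<cas:proxyTicket>PT-constructed</cas:proxyTicket>"
        "</cas:proxySuccess></cas:serviceResponse>",
    proxy_url("PGT-constructed-expired", CLEARPASS_URL):
        f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:proxyFailure code='BAD_PGT'>"
        "unrecognized pgt</cas:proxyFailure></cas:serviceResponse>",
    clearpass_url("PT-constructed"):
        f"<cas:clearPassResponse xmlns:cas='{CAS_NS}'><cas:clearPassSuccess>"
        "<cas:credentials>s3cret&amp;more</cas:credentials>"
        "</cas:clearPassSuccess></cas:clearPassResponse>",
}


def fake_http_get(url):
    """Constructed transport: the real clients make an HTTPS GET here."""
    if url not in SAMPLE_RESPONSES:
        raise ConnectionError("no constructed response for " + url)
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    session = {}
    print(establish_session("PGT-constructed-valid", session, fake_http_get))
```

Two details matter for a consumer: the PT is requested with targetService set to the ClearPass URL, so the ticket is useless against any other service, and the response is parsed with namespace-aware XML rather than string matching, so a credential containing & or < survives the round trip through fn:escapeXml intact.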

How ClearPass Fits

ClearPass enables incremental adoption of Enterprise SSO: adopt CAS SSO; use ClearPass to enable legacy integrations; use CAS and CAS delegated authentication wherever you can. Improvement: incrementally, less proliferation of passwords and less use of passwords.

ClearPass Future

Encrypt the password at rest?

What about multiple passwords? Represent as different ClearPass callback URLs?

Questions & Answers & Discussion
Andrew Petro, Software Developer, Unicon, Inc.
apetro@unicon.net
www.unicon.net/blog/apetro

License and Copyleft
Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Acknowledgments
Bill Thompson, for his excellent work developing and documenting Liferay extensions to use Jasig Java CAS Client 3 and ClearPass, and OWA extensions to rely upon ClearPass for SSO into OWA.
http://www.flickr.com/photos/rollerfan/3052241 (Roller derby timeout image; CC-NC 2.0)