Implementing CAS. Adam Rybicki. 2009 Jasig Conference, Dallas, TX March 1, 2009

Similar documents
Implementing CAS. Adam Rybicki Jasig Conference, San Diego, CA March 7, 2010

High Availability CAS

CENTRAL AUTHENTICATION SERVICE (CAS) SSO FOR EMC DOCUMENTUM REST SERVICES

Sakai and uportal Integration Options

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu (Windows) On A Linux Computer On A Raspberry V

ClearPass A CAS Extension Enabling Credential Replay

Pierce County IT Department GIS Division Xuejin Ruan Dan King

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

enterprise^ IBM WebSphere Application Server v7.0 Security "publishing Secure your WebSphere applications with Java EE and JAAS security standards

StreamServe Persuasion SP5 StreamStudio

Crawl Proxy Installation and Configuration Guide

Présentation Evolutions CAS Version 3

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Building Secure Applications. James Tedrick

From centralized to single sign on

PowerLink for Blackboard Vista and Campus Edition Install Guide

Open-source Single Sign-On with CAS (Central Authentication Service)

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco!

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS

ADMINISTERING ADOBE LIVECYCLE MOSAIC 9.5

SOA Software: Troubleshooting Guide for Agents

Technical White Paper - JBoss Security

CAS-anova: A University Proclaims its Love for Simplified Authentication

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Oracle WebLogic Server 11g Administration

Architecture of Enterprise Applications III Single Sign-On

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

TIBCO Spotfire Platform IT Brief

NCSU SSO. Case Study

Ensure that your environment meets the requirements. Provision the OpenAM server in Active Directory, then generate keytab files.

WebSphere Training Outline

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 5

Table of contents. Jasig CAS support for the Spring Security plugin.

Kerberos and Windows SSO Guide Jahia EE v6.1

WebSphere Server Administration Course

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

IBM WebSphere Server Administration

Setup Guide Access Manager 3.2 SP3

Single Sign-On for the UQ Web

Flexible Identity Federation

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

This training is targeted at System Administrators and developers wanting to understand more about administering a WebLogic instance.

Authentication and access control in Sympa mailing list server

CA Performance Center

Configuring. Moodle. Chapter 82

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

App Orchestration 2.5

Multi Factor Authentication API

API-Security Gateway Dirk Krafzig

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Lost in Authentication CAS Clients and Best Practices

WildFly in Oracle okolje

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Single Sign On. SSO & ID Management for Web and Mobile Applications

Sophos Mobile Control Technical guide

Enabling secure communication for a Tivoli Access Manager Session Management Server environment

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Spring Security SAML module

PingFederate. Identity Menu Builder. User Guide. Version 1.0

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

Flexible Identity Federation

OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way

JVA-122. Secure Java Web Development

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

How To Use Netiq Access Manager (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip

Enabling SSL and Client Certificates on the SAP J2EE Engine

SSO Plugin. Integration for Jasper Server. J System Solutions. Version 3.6

2 Downloading Access Manager 3.1 SP4 IR1

NetIQ Identity Manager Setup Guide

I) Add support for OAuth in CAS server

Proxied Authentication in SSO Setups with Common OSS. Open Identity Summit 2015 Prof. Dr. René Peinl Berlin,

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

IBM Security Identity Manager Version 6.0. Security Guide SC

Mastering Tomcat Development

NETASQ ACTIVE DIRECTORY INTEGRATION

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

SSO Plugin. HP Service Request Catalog. J System Solutions. Version 3.6

A detailed walk through a CAS authentication

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

Perceptive Experience Single Sign-On Solutions

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

EMC Documentum Content Services for SAP Repository Manager

Luminis to Banner Single Sign-On

Approaches and challenges for a SSO enabled extranet using Jasig CAS. Florian Holzschuher René Peinl

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

BIRT Application and BIRT Report Deployment Functional Specification

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

CA SiteMinder. Implementation Guide. r12.0 SP2

Go2Group JaM Plugin. Atlassian JIRA add-on for HP Quality Center. Quick Install Guide

HRC Advanced Citrix Troubleshooting Guide. Remove all Citrix Instances from the Registry

Configuring Sponsor Authentication

Transcription:

Implementing CAS Adam Rybicki 2009 Jasig Conference, Dallas, TX March 1, 2009 Copyright Unicon, Inc., 2009. This work is the intellectual property of Unicon, Inc. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Unicon, Inc. To disseminate otherwise or to republish requires written permission from Unicon, Inc.

1. Introduction 2. Problems CAS solves 3. CAS protocol 4. Building from sources 5. Customizing the presentation 6. Authentication handlers 7. CAS-enabling uportal 8. CAS-enabling Tomcat

Introduction Who are we? What is CAS? Brief history of CAS

Adam s Involvement with CAS Got interested. Worked with several clients helping them to CASify their applications. Asked many questions of the CAS mail list Wrote a CAS self-study guide for Unicon developers. (https://confluence.unicon.net/confluence/x/xgzi) (authentication required) Answered some questions on the CAS list. Currently working with Unicon clients on CAS server implementations and CAS-enabling their Web applications.

Introductions Who are you? Name Institution Role Why interested in CAS?

What is CAS? CAS is enterprise single-sign-on for the Web. Free Open source Server implemented in Java Clients implemented in a plethora of languages

Some of the people involved as the project has evolved Scott Battaglia Shawn Bayern Susan Bramhall Marc-Antoine Garrigue Howard Gilbert Dmitriy Kopylenko Arnaud Lesueur Drew Mazurek Benn Oshrin Jan Van der Velpen (Velpi)

Many CAS deployers Appian Corporation Athabasca University Azusa Pacific University BCcampus California Polytechnic Institute California State University, Chico Campus Crusade for Christ Case Western Reserve University Columbia Employers Direct GET-INT Hong Kong University of Science and Technology Indiana Karlstad University, Sweden La Voz de Galicia, Spain Memorial University of Newfoundland Nagoya University NHMCCD Northern Arizona University Plymouth State University (used with SunGardHE Luminis) Roskilde University Rutgers, The State University of New Jersey SunGard HE Luminis Simon Fraser University (Vancouver, B.C.) Suffield Academy Tollpost Globe AS

and more Universita degli Studi di Parma Universite de Bourgogne - France Universite de La Rochelle, France Universite de Pau et des Pays de l'adour, France University of Nancy 1, France Universite Nancy 2, France Universite Pantheon Sorbonne Universiteit van Amsterdam University of Bristol, England University of California Merced University of California, Riverside University of Crete, Greece University of Delaware University of Geneva University of Hawaii University of New Mexico University of Rennes1 University of Technology, Sydney Uppsala University Valtech Virginia Tech Yale University And likely more not wellenumerated

Problems CAS solves Disparate credentials and name spaces Too many Web applications dealing with credentials CAS creates new challenges, too

Multi-sign-on for the Web

At least with one username/password? LDAP

All applications touch passwords LDAP

Any compromise leaks primary credentials LDAP

Adversary then can run wild LDAP

What to do about this? What if there were only one login form, only one application trusted to touch primary credentials?

Delete your login forms.

Browser CAS in a nutshell Authenticates via password (once) Determines validity of user s claimed authentication Authenticates without sending password Web application

Webapps no longer touch passwords CAS LDAP

Adversary compromises only single apps CAS LDAP

What about portals? Need to go get interesting content from different systems.

Password Replay PW PW Channel PW Password- Protected Service PW PW PW Channel PW Password- Protected Service PW Portal PW Channel PW Password- Protected Service PW

CAS Protocol Tickets and services Ticket validation Proxy authentication

How CAS Works Web Application CAS Web Browser

What about portals? Need to go get interesting content from different systems.

Password Replay PW PW Channel PW Password- Protected Service PW PW PW Channel PW Password- Protected Service PW Portal PW Channel PW Password- Protected Service PW

Look ma, no password! Without a password to replay, how am I going to authenticate my portal to other applications?

Proxy CAS https listener Web Applicatio n CAS Web Browser

Proxy CAS Feature unique to CAS among most of SSO systems Allows some Web applications to act as proxies on behalf of the users Proxied Web applications may act as N-th level proxies http://www.jasig.org/cas/protocol

Provided Authentication Handlers LDAP Fast bind Search and bind Active Directory LDAP Kerberos (JAAS) JAAS JDBC RADIUS SPNEGO Trusted X.509 certificates Writing a custom authentication handler is easy

CAS More than Authentication Return attributes of logged on users Adding support for standards OpenID SAML Single Sign-Out RESTful API Support for clustering Implements distributed ticket registry Requires session replication Must guarantee cross-server ticket uniqueness Services management (white listing) Remember me (long-term SSO)

Short Term Goals Service Registry Enhancements: Self Registration Page Service Priority LDAP implementation of Service Registry InfoCard Support Auditing, Logging etc. More Internationalization

Long Term Goals Re-architecture to support emerging use cases Account Management integration Password Expiration Policies/Password Change Integration SAML, OAuth, OpenID2, etc. Levels of assurance / multifactor authentication / secondlevel Better online / realtime administration Installer / configurer Information about CAS server (open SSO sessions, etc.) Hardening / anti-phishing http://www.ja-sig.org/wiki/display/casst/cas+4+roadmap

Building from sources Obtaining the distribution Requirements and tools File structure and dependencies

Obtaining the distribution http://www.jasig.org/cas/ SVN at developer.ja-sig.org svn checkout https://www.jasig.org/svn/cas3/tags/cas-3-3-1-final/ cas-server Import and maintain in your source control s vendor branch

Required Requirements to build CAS Java Development Kit 5 or 6 Maven 2 Optional SVN Eclipse (with SVN and Maven plugins) EasyEclipse Server (plus Maven plugin) Tomcat (gotta test it somewhere!)

File structure and dependencies Top-level Project Object Model (POM or pom.xml) used for all builds and to build dependent sub-projects. The top-level POM builds all the sub-projects, but by default they are NOT included in the resulting war file. To add dependent sub-projects or additional external libraries to the war file, you need to add dependencies to pom.xml in cas-serverwebapp.

Adding a dependency to pom.xml <!--... --> <dependency> <groupid>ognl</groupid> <artifactid>ognl</artifactid> <version>2.6.9</version> <scope>runtime</scope> </dependency> <dependency> <groupid>${project.groupid}</groupid> <artifactid>cas-server-support-ldap</artifactid> <version>${project.version}</version> </dependency> <dependency> <groupid>log4j</groupid> <artifactid>log4j</artifactid> <version>1.2.14</version> <type>jar</type> <scope>runtime</scope> </dependency> <!--... -->

Building using Maven overlay method Requirements Project Structure Dependencies

Required Requirements to build CAS Java Development Kit 5 or 6 Maven 2 Optional SVN Eclipse (with SVN and Maven plugins) EasyEclipse Server (plus Maven plugin) Tomcat (gotta test it somewhere!)

File structure and dependencies Start with just Project Object Model (pom.xml) in an empty project directory. Add files, as needed, to overlay those in the standard WAR file. Your own deployerconfigcontext.xml would be the first such file. May want to add institutional images and CSS modifications. Add dependencies, as needed, to additional CAS modules.

Configuring CAS deployerconfigcontext.xml web.xml log4j.properties

deployerconfigcontext.xml Located in cas-server-webapp/src/main/webapp/web-inf Deployer-specific configuration file This is the first and possibly the only file you have to modify Replace the default authentication handler with the one your deployment needs Add configuration options that your authentication handler requires

deployerconfigcontext.xml example <bean id="authenticationmanager" class="org.jasig.cas.authentication.authenticationmanagerimpl"> <!--... --> <property name="authenticationhandlers"> <list> <!-- This is the authentication handler that authenticates services by means of callback via SSL, thereby validating a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.httpbasedservicecredentialsauthenticationhandler" /> <bean class="org.jasig.cas.adaptors.ldap.bindldapauthenticationhandler"> <property name="filter" value="uid=%u" /> <property name="searchbase" value="ou=people,dc=training" /> <property name="contextsource" ref="contextsource" /> </bean> </list> </property> </bean> <bean id="contextsource" class="org.jasig.cas.adaptors.ldap.util.authenticatedldapcontextsource"> <property name="anonymousreadonly" value="true" /> <property name="password" value="{password_goes_here}" /> <property name="pooled" value="true" /> <property name="urls"> <list> <value>ldap://localhost/</value> </list> </property> <property name="username" value="{username_goes_here}" /> <property name="baseenvironmentproperties"> <map> <entry> <key><value>java.naming.security.authentication</value></key> <value>simple</value> </entry> </map> </property> </bean>

web.xml Located in cas-server-webapp/src/main/webapp/web-inf Standard JEE deployment descriptor All endpoints defined as mapped to one servlet Uses Spring WebMVC This is the root of the CAS Web application configuration Re-enable the user-friendly error reporting Lists all the Spring context configuration files My need to add audittrailcontext.xml

log4j.properties Located in cas-server-webapp/src/main/webapp/web- INF/classes Log4j periodically re-reads this file (no Tomcat restart needed after editing) Add fully-qualified path to cas.log May want to increase the log level for troubleshooting Warning: setting the log level to DEBUG or higher will log users passwords

Additional Features Service registry Single sign-out OpenID

Service registry Allows to maintain a list of services authorized to authenticate to CAS Off by default When turned on, only registered services will be allowed to authenticate to CAS Implementing service registry introduces a database requirement to CAS (using Hibernate) Service registry s management interface requires authentication (CAS, of course) Must add the service registry URL as the first service to avoid locking out access to the service registry management interface

Enabling service registry Find a section of deployerconfigcontext.xml that looks like this: <bean id="userdetailsservice" class="org.acegisecurity.userdetails.memory.inmemorydaoimpl"> <property name="usermap"> <value> </value> </property> </bean> and make it look like this: <bean id="userdetailsservice" class="org.acegisecurity.userdetails.memory.inmemorydaoimpl"> <property name="usermap"> <value> adam=notused,role_admin </value> </property> </bean> Now user adam is authorized to manage services. Need to enable the database persistence, too.

Single sign-out Allows CAS to post a user signed out message to all services that have previously authenticated to CAS On by default Services receive the SSOut message as an HTTP POST to the same endpoint identified during authentication Service Ticket identifies the SSO session that was terminated

Single sign-out Web application HTTP POST: ST CAS No communication between the browser and Web application! Web browser Logout You ve been logged out

OpenID (http://openid.net/) Allows to use a single digital identity across the Internet Web applications delegate authentication to an OpenID provider CAS can be configured to be an OpenID provider Useful if you have Web applications that support OpenID authentication and not CAS

CAS-enabling (or CASifying) Web applications uportal Tomcat Manager????

uportal Edit properties/security.properties Edit webpages/web-inf/web.xml Edit (uportal 2.x only) webpages/stylesheets/org/jasig/portal/channels/clogin /html.xsl Deploy the changes Restart uportal

Tomcat Manager Tomcat Manager relies on container authentication This example illustrates how CAS authentication can replace Tomcat s BASIC Authentication without having to write or modify any code Locate the Manager applications deployment descriptor (web.xml) Replace its original authentication section with CAS filter-based authentication Add simple authorization http://www.ja-sig.org/wiki/x/5ym

Questions? Adam Rybicki arybicki@unicon.net www.unicon.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information