Identity Management Overview: CAS and Shibboleth

Slide deck from CAS and Shibboleth portion of 15 December 2009 Unicon webinar on CAS, Shibboleth, and VASCO.

Published in: Technology
Transcript of "Identity Management Overview: CAS and Shibboleth"

  1. Identity Management Overview: CAS and Shibboleth
     Andrew Petro, Unicon; John Lewis, Unicon; Adam Dolby, VASCO. 15 December 2009.
     Copyright Unicon, Inc., 2009. Some Rights Reserved. This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License. http://creativecommons.org/licenses/by-nc-sa/3.0/us/
     Some content drawn from prior presentations at Jasig conferences.
  2. About Unicon
     IT Consulting Services for Education, Specializing in Open Source
     IT Consulting Services
     • Technology Delivery and Support
     • Systems Integration
     • Software Engineering
     Open Source Technology Solutions
     • Enterprise Portal
     • Identity Management
     • Learning Management
     • Email and Collaboration
     For more information about Unicon, please visit: http://www.unicon.net
     Contact us at: 480-558-2400 or info@unicon.net
  3. Jasig CAS in 15 Minutes
     Andrew Petro, Unicon, Inc.
     See also http://www.unicon.net/blog/3/ten_minute_cas_intro
  4. What is CAS?
     open source single sign on for the Web
  5. Multi-Sign-On for the Web
  6. At Least with One Username/Password?
  7. All Applications Touch Passwords
  8. Any Compromise Leaks Primary Credentials
  9. Adversary Then Can Run Wild
  10. The Solution
     • What if there were only one login form in your organization, only one application trusted to touch primary credentials?
  11. Delete Your Login Forms
  12. Webapps No Longer Touch Passwords
  13. Adversary Compromises Only Single Apps
  14. Webapps No Longer Touch Passwords
  15. Provided Authentication Handlers
     • LDAP
       – Fast bind
       – Search and bind
     • Active Directory
       – LDAP
       – Kerberos (JAAS)
     • JAAS
     • JDBC
     • RADIUS
     • SPNEGO
     • Trusted
     • X.509 certificates
     • Writing a custom authentication handler is easy
  16. What About Portals?
     Need to go get interesting content from different systems.
     • E-mail
     • Calendar
     • E-Learning
     • Student Information System
  17. Password Replay
     [Diagram: a Portal with three Channels, each passing the user's password (PW) on to a Password-Protected Service; the password is handled again at every hop.]
  18. Look Ma, No Password!
     • Without a password to replay, how am I going to authenticate my portal to other applications?
  19. “Proxy” CAS
     • Some Web applications “proxy” authentication to backing services on behalf of the user
     • “Proxied” applications/services may themselves proxy authentication to others
     • CAS authenticates both the end user and the proxy
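The ticket exchange behind slides 10 to 19, as an added example that is not part of the deck and not Jasig CAS code: a toy CAS server that owns the only login form, an application that validates a service ticket instead of ever handling a password, and the proxy flow a portal uses to reach a backing service without replaying anything. The service URLs, user store and callback URL are constructed; the /serviceValidate and /proxyValidate endpoints are collapsed into one validate() call, and tickets are opaque random strings rather than real CAS ticket formats.

```python
"""Toy model of the CAS 2.0 ticket exchange: one login form (the CAS server)
is the only thing that sees a password; web applications validate tickets
instead; a portal proxies to a backing service with a proxy ticket.
Constructed example, not Jasig CAS code."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed user store standing in for an authentication handler (LDAP, JDBC, ...).
CONSTRUCTED_USERS = {"alice": "correct horse battery staple"}


@dataclass
class Ticket:
    owner: str                 # user on whose behalf the ticket was issued
    service: str               # service URL a ST/PT is bound to ("" for TGT/PGT)
    issued: float
    proxies: list = field(default_factory=list)   # proxy chain, most recent first
    used: bool = False         # service and proxy tickets are single-use


class CasServer:
    ST_TTL = 10.0              # seconds a service ticket stays valid

    def __init__(self, registered_services):
        self.registered = set(registered_services)   # "services management"
        self.tickets = {}

    def login(self, username, password, service):
        """/login: the only login form in the organization."""
        if CONSTRUCTED_USERS.get(username) != password:
            return None, None
        tgt = "TGT-" + secrets.token_urlsafe(16)     # ticket-granting ticket (SSO cookie)
        self.tickets[tgt] = Ticket(username, "", time.time())
        return tgt, self.service_ticket(tgt, service)

    def service_ticket(self, granting, service, prefix="ST-"):
        """SSO: a browser holding a TGT gets a ticket for another app with no new prompt."""
        g = self.tickets.get(granting)
        if g is None or service not in self.registered:   # unknown service: no ticket
            return None
        ticket = prefix + secrets.token_urlsafe(16)
        self.tickets[ticket] = Ticket(g.owner, service, time.time(), list(g.proxies))
        return ticket

    def validate(self, ticket, service, pgt_url=None):
        """/serviceValidate and /proxyValidate in one: the app trades a ticket for a username."""
        t = self.tickets.get(ticket)
        if t is None or not ticket.startswith(("ST-", "PT-")) or t.used:
            return {"ok": False, "error": "INVALID_TICKET"}
        t.used = True                                  # replaying a ticket fails
        if time.time() - t.issued > self.ST_TTL:
            return {"ok": False, "error": "INVALID_TICKET"}
        if t.service != service:                       # ticket lifted from another app
            return {"ok": False, "error": "INVALID_SERVICE"}
        result = {"ok": True, "user": t.owner, "proxies": t.proxies}
        if pgt_url:   # caller wants to proxy: it receives a proxy-granting ticket
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self.tickets[pgt] = Ticket(t.owner, "", time.time(), [pgt_url] + t.proxies)
            result["pgt"] = pgt
        return result

    def proxy(self, pgt, target_service):
        """/proxy: exchange a PGT for a proxy ticket usable at a backing service."""
        if not pgt or not pgt.startswith("PGT-"):
            return None
        return self.service_ticket(pgt, target_service, prefix="PT-")


# Constructed service URLs for the walk-through.
PORTAL = "https://portal.example.edu/"
MAIL = "https://mail.example.edu/"
PORTAL_CALLBACK = "https://portal.example.edu/pgtCallback"
TRUSTED_PROXIES = {PORTAL_CALLBACK}     # proxies the mail service is willing to accept


def run_flow():
    """Constructed walk-through of slides 11-19; returns the validation results."""
    cas = CasServer([PORTAL, MAIL])
    # The password is typed once, at CAS. The portal only ever sees a ticket.
    tgt, st = cas.login("alice", CONSTRUCTED_USERS["alice"], PORTAL)
    portal_view = cas.validate(st, PORTAL, pgt_url=PORTAL_CALLBACK)
    # Look Ma, no password: the portal reaches the mail service with a proxy ticket.
    pt = cas.proxy(portal_view["pgt"], MAIL)
    mail_view = cas.validate(pt, MAIL)
    # The backing service decides for itself whether every proxy in the chain is trusted.
    mail_view["trusted"] = mail_view["ok"] and all(p in TRUSTED_PROXIES for p in mail_view["proxies"])
    # A stolen ticket is no good for replay, nor for use at a different application.
    replay = cas.validate(st, PORTAL)
    st2 = cas.service_ticket(tgt, PORTAL)           # SSO: no second password prompt
    wrong_app = cas.validate(st2, MAIL)
    return portal_view, mail_view, replay, wrong_app


if __name__ == "__main__":
    for r in run_flow():
        print(r)
```

Two defensive points in the model carry over to real deployments: the CAS server refuses to issue tickets for services it does not know (slide 20's "services management"), and a proxied service checks the proxy chain it gets back from validation rather than trusting any proxy that presents a ticket.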
  20. CAS – More than Authentication
     • Return attributes of logged on users
     • Adding support for standards
       – OpenID
       – SAML
     • Single Sign-Out
     • RESTful API
     • Support for clustering
     • Services management
     • Remember me (long-term SSO)
  21. CAS Integration Libraries
     • Java
     • Spring Security
     • PHP
     • Apache Module
     • ASP
     • Python
     • Ruby
     • ...
     • Drupal module
     • uPortal
     • Liferay
     • Sakai
     • TikiWiki
     • ...
  22. Unicon Services for CAS
     • Implementation Planning
     • Branding and User Experience
     • Installation and Configuration
     • Custom Development
     • Consulting and Mentoring
     • CASification of uPortal, Sakai, and other applications
     • Upgrades
     For more information, please visit http://www.unicon.net/services/cas
  23. Questions?
     Andrew Petro
     apetro@unicon.net
     www.unicon.net
  24. Shibboleth & Federated Identities
  25. Shibboleth
     • Enterprise federated identity software
       − Based on standards (principally SAML)
       − Extensive architectural work to integrate with existing systems
       − Designed for deployment by communities
     • Most widely used in education, government
     • Broadly adopted in Europe
     • 2.0 release implements SAML 2
       − Backward compatible with 1.3
  26. Shibboleth Project
     • Free & Open Source
       − Apache 2.0 license
     • Enterprise and Federation oriented
     • Started 2000 with first released code in 2003
     • Excellent community support
       − http://shibboleth.internet2.edu
       − shibboleth-announce@internet2.edu
  27. Why Federated Identity?
     • Authoritative information
       − Users, privileges, attributes
     • Improved security
       − Fewer user accounts in the world
     • Privacy when needed
       − Fine control over attribute sharing
     • Saves time & money
       − Less work administrating users
  28. What Is SAML?
     • Security Assertion Markup Language (SAML)
     • XML-based Open Standard
     • Exchange authentication and authorization data between security domains
       − Identity Provider (a producer of assertions)
       − Service Provider (a consumer of assertions)
     • Approved by OASIS Security Services
       − SAML 1.0 November 2002
       − SAML 2.0 March 2005
  29. Major SAML Applications
     • Proquest
     • Microsoft DreamSpark
     • Project MUSE
     • Moodle, Joomla, Drupal
     • Thomson Gale
     • JSTOR, ArtSTOR, OCLC
     • Elsevier ScienceDirect
     • Blackboard & WebCT
     • Google Apps
     • WebAssign & TurnItIn
     • ExLibris MetaLib
     • MediaWiki / Confluence
     • Sakai & Moodle
     • uPortal
     • National Institutes of Health
     • DSpace, Fedora
     • National Digital Science Library
     • Ovid
  30. How Federated Identity Works
     • A user tries to access a protected application
     • The user tells the application where it’s from
     • The user logs in at home
     • Home tells the application about the user
     • The user is rejected or accepted
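The five steps of slide 30 and the producer/consumer split of slide 28, as an added example that is not part of the deck and not Shibboleth code: a toy identity provider builds a SAML 2.0 Response carrying one assertion, and a toy service provider runs the checks it must make before accepting the user. The IdP and SP entity IDs, the assertion consumer URL and the "federation metadata" dictionary are constructed; the attribute name is the real eduPerson OID for eduPersonPrincipalName. XML Signature verification is deliberately left out of the model, on the assumption that a real SP verifies the IdP's signature with the key from federation metadata before any of the checks below.

```python
"""Toy model of SAML 2.0 Web Browser SSO: the SP learns which IdP is home,
the IdP returns an assertion, the SP accepts or rejects it.
Constructed example, not Shibboleth code. No XML Signature handling (see lead-in)."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for federation metadata: the IdPs this SP trusts.
FEDERATION_IDPS = {"https://idp.example.edu/idp/shibboleth": "Example University"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"                  # constructed
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"     # constructed
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"                           # eduPersonPrincipalName


def idp_response(idp_id, in_response_to, user, attrs, now, audience=SP_ENTITY_ID,
                 destination=SP_ACS_URL, valid_for=300):
    """"Home tells the application about the user": a samlp:Response with one
    assertion carrying a NameID, a validity window, an audience and attributes."""
    stamp = now.strftime(TIME_FMT)
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": stamp, "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": stamp})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp_id
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = user
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": stamp,
                         "NotOnOrAfter": (now + dt.timedelta(seconds=valid_for)).strftime(TIME_FMT)})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name}),
                      f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp)


class ServiceProvider:
    """The protected application: it never sees a password, only assertions."""

    def __init__(self):
        self.outstanding = set()   # AuthnRequest IDs issued and not yet answered

    def start_login(self, idp_id):
        """"The user tells the application where it's from": accept only IdPs in the
        federation metadata, then remember the AuthnRequest ID for the reply."""
        if idp_id not in FEDERATION_IDPS:
            raise ValueError("IdP not in federation metadata")
        req_id = "_" + uuid.uuid4().hex
        self.outstanding.add(req_id)
        return req_id

    def consume(self, response_xml, now):
        """"The user is rejected or accepted": the checks an SP makes before trusting attributes."""
        ns = {"samlp": SAMLP, "saml": SAML}
        root = ET.fromstring(response_xml)
        if root.get("Destination") != SP_ACS_URL:
            return {"accepted": False, "reason": "wrong Destination"}
        req_id = root.get("InResponseTo")
        if req_id not in self.outstanding:
            return {"accepted": False, "reason": "unsolicited or replayed response"}
        self.outstanding.discard(req_id)          # one response per request
        code = root.find("samlp:Status/samlp:StatusCode", ns)
        if code is None or not code.get("Value", "").endswith(":Success"):
            return {"accepted": False, "reason": "IdP did not authenticate the user"}
        a = root.find("saml:Assertion", ns)
        cond = a.find("saml:Conditions", ns) if a is not None else None
        if a is None or cond is None:
            return {"accepted": False, "reason": "no assertion or no conditions"}
        issuer = a.findtext("saml:Issuer", default="", namespaces=ns)
        if issuer not in FEDERATION_IDPS:
            return {"accepted": False, "reason": "issuer not in federation"}
        not_before = dt.datetime.strptime(cond.get("NotBefore"), TIME_FMT)
        not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
        if not (not_before <= now < not_on_or_after):
            return {"accepted": False, "reason": "assertion outside its validity window"}
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
        if SP_ENTITY_ID not in audiences:
            return {"accepted": False, "reason": "assertion meant for another SP"}
        attrs = {e.get("Name"): e.findtext("saml:AttributeValue", namespaces=ns)
                 for e in a.findall("saml:AttributeStatement/saml:Attribute", ns)}
        return {"accepted": True, "user": a.findtext("saml:Subject/saml:NameID", namespaces=ns),
                "issuer": issuer, "attributes": attrs}


def demo(now=dt.datetime(2009, 12, 15, 18, 0, 0)):
    """Constructed walk-through: one good login, then three responses an SP must reject."""
    idp = "https://idp.example.edu/idp/shibboleth"
    sp = ServiceProvider()
    attrs = {EPPN: "alice@example.edu"}
    good = sp.consume(idp_response(idp, sp.start_login(idp), "alice", attrs, now), now)
    replay = sp.consume(idp_response(idp, "_not-a-request-we-sent", "alice", attrs, now), now)
    expired = sp.consume(idp_response(idp, sp.start_login(idp), "alice", attrs,
                                      now - dt.timedelta(hours=1)), now)
    other_sp = sp.consume(idp_response(idp, sp.start_login(idp), "alice", attrs, now,
                                       audience="https://other.example.net/sp"), now)
    return good, replay, expired, other_sp


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The audience and InResponseTo checks are the ones most often missing in home-grown SPs: without them an assertion issued to one service in the federation can be presented to another, or a captured response can be posted a second time. The federation's job (slide 32) is to supply the metadata dictionary and the agreed attribute names that this code hard-codes.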
  31. [No text on this slide; only the page number was extracted.]
  32. Role of a Federation
     • Agreed upon Attribute Definitions
       − Group, Role, Unique Identifier, Courses, …
     • Criteria for IdM & IdP practices
       − user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
     • Digital Certificates
     • Trusted “notary” for all members
     • Not needed for Federated IdM, but does make things even easier
  33. InCommon Federation
     • Federation for U.S. Higher Education & Research (and Partners)
     • Over Three Million Users
     • 163 Organizations
     • Self-organizing & Heterogeneous
     • Policy Entrance bar intentionally set low
     • Doesn’t impose lots of rules and standards
     • http://www.incommonfederation.org/
  34. Questions?
     John Lewis
     jlewis@unicon.net
     www.unicon.net