Jasig CAS in 10 Minutes Copyright Unicon, Inc., 2009. Some Rights Reserved. This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License. http://creativecommons.org/licenses/by-sa/3.0/us/ Some content drawn from prior presentations at Jasig conferences. Andrew Petro Unicon, Inc. 4 & 5 November, 2009

What is CAS? open source single sign on for the Web

Multi-Sign-On for the Web

At Least with One Username/Password?

All Applications Touch Passwords

Any Compromise Leaks Primary Credentials

Adversary Then Can Run Wild

The Solution What if there were only one login form in your organization, only one application trusted to touch primary credentials?

What if there were only one login form in your organization, only one application trusted to touch primary credentials?

Delete Your Login Forms

Webapps No Longer Touch Passwords

Adversary Compromises Only Single Apps

Webapps No Longer Touch Passwords

Provided Authentication Handlers LDAP Fast bind Search and bind Active Directory LDAP Kerberos (JAAS) JAAS JDBC RADIUS SPNEGO Trusted X.509 certificates Writing a custom authentication handler is easy

LDAP

Fast bind

Search and bind

Active Directory

LDAP

Kerberos (JAAS)

JAAS

JDBC

RADIUS

SPNEGO

Trusted

X.509 certificates

Writing a custom authentication handler is easy

What About Portals? Need to go get interesting content from different systems. E-mail Calendar E-Learning Student Information System

Need to go get interesting content from different systems.

E-mail

Calendar

E-Learning

Student Information System

Password Replay Portal Password-Protected Service Password-Protected Service Password-Protected Service Channel Channel Channel PW PW PW PW PW PW PW PW PW PW PW

Look Ma, No Password! Without a password to replay, how am I going to authenticate my portal to other applications? ?

Without a password to replay, how am I going to authenticate my portal to other applications?

“ Proxy” CAS Some Web applications “proxy” authentication to backing services on behalf of the user “ Proxied” applications/services may themselves proxy authentication to others CAS authenticates both the end user and the proxy

Some Web applications “proxy” authentication to backing services on behalf of the user

“ Proxied” applications/services may themselves proxy authentication to others

CAS authenticates both the end user and the proxy

CAS – More than Authentication Return attributes of logged on users Adding support for standards OpenID SAML Single Sign-Out RESTful API Support for clustering Services management Remember me (long-term SSO)

Return attributes of logged on users

Adding support for standards

OpenID

SAML

Single Sign-Out

RESTful API

Support for clustering

Services management

Remember me (long-term SSO)

Unicon Services for CAS Implementation Planning Branding and User Experience Installation and Configuration Custom Development Consulting and Mentoring CASification of uPortal, Sakai, and other applications Upgrades For more information, please visit http://www.unicon.net/services/cas

Implementation Planning

Branding and User Experience

Installation and Configuration

Custom Development

Consulting and Mentoring

CASification of uPortal, Sakai, and other applications

Upgrades

For more information, please visit

http://www.unicon.net/services/cas

Questions? Andrew Petro [email_address] www.unicon.net