Identity Management Overview: CAS and Shibboleth
Andrew Petro, Unicon
John Lewis, Unicon
Adam Dolby, VASCO
15 December 2009

Copyright Unicon, Inc., 2009. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution NonCommercial Share Alike
3.0 United States License.
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Some content drawn from prior presentations at Jasig conferences.
About Unicon
IT Consulting Services for Education, Specializing in Open Source

IT Consulting Services
     • Technology Delivery and Support
     • Systems Integration
     • Software Engineering


Open Source Technology Solutions
    • Enterprise Portal
    • Identity Management
    • Learning Management
    • Email and Collaboration




For more information about Unicon, please visit: http://www.unicon.net
Contact us at: 480-558-2400 or info@unicon.net
Jasig CAS in 15 Minutes
Andrew Petro, Unicon, Inc.

See also http://www.unicon.net/blog/3/ten_minute_cas_intro
What is CAS?

Open source single sign-on for the Web.
Multi-Sign-On for the Web
At Least with One Username/Password?
All Applications Touch Passwords
Any Compromise Leaks Primary Credentials
Adversary Then Can Run Wild
The Solution

• What if there were only one login form in your
  organization, only one application trusted to
  touch primary credentials?
Delete Your Login Forms
Webapps No Longer Touch Passwords
Adversary Compromises Only Single Apps
Webapps No Longer Touch Passwords
Provided Authentication Handlers

• LDAP
  – Fast bind
  – Search and bind
• Active Directory
  – LDAP
  – Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
What About Portals?

Need to go get interesting content from different systems.
• E-mail
• Calendar
• E-Learning
• Student Information System
Password Replay

[Diagram: the portal holds the user's password (PW) and replays it over a separate channel to each password-protected service, so the primary credential travels to every backing service.]
Look Ma, No Password!

• Without a password to replay, how am I going to authenticate my portal to other applications?
“Proxy” CAS

• Some Web applications “proxy”
  authentication to backing services on behalf
  of the user
• “Proxied” applications/services may
  themselves proxy authentication to others
• CAS authenticates both the end user and the
  proxy
CAS – More than Authentication
•   Return attributes of logged on users
•   Adding support for standards
     – OpenID
     – SAML
•   Single Sign-Out
•   RESTful API
•   Support for clustering
•   Services management
•   Remember me (long-term SSO)
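The ticket-validation exchange behind the "proxy CAS" slide and the attribute release listed above, as an added example in Python (not code from the slides or from the Jasig CAS project). The CAS server URL, the application URLs and both XML responses are constructed placeholders.

```python
# Added example, not code from the slides or from the Jasig CAS project: the client
# side of the CAS 2.0/3.0 protocol, written against Python's standard library.
# Assumed placeholders: the CAS server and application URLs, and the two XML
# responses, which are constructed to match the <cas:serviceResponse> schema.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class CasValidationError(Exception):
    """CAS reported a failure, or the document is not a valid serviceResponse."""

@dataclass
class CasValidation:
    user: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    proxies: List[str] = field(default_factory=list)  # proxy chain, nearest proxy first
    pgt_iou: Optional[str] = None                     # present only when pgtUrl was sent

def login_url(cas_base: str, service: str) -> str:
    """The redirect an application issues instead of rendering its own login form."""
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})

def strip_ticket(callback_url: str) -> str:
    """CAS appends ?ticket=ST-... to the service URL. The 'service' sent to
    /serviceValidate must be that URL without the ticket, or CAS rejects it."""
    parts = urlsplit(callback_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))

def validate_url(cas_base: str, service: str, ticket: str, pgt_url: Optional[str] = None) -> str:
    """URL the application fetches server-to-server (never via the browser).
    Supplying pgtUrl asks CAS for a proxy-granting ticket: the 'proxy CAS' flow."""
    params = {"service": service, "ticket": ticket}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(params)

def parse_service_response(xml_text: str) -> CasValidation:
    """Parse a /serviceValidate or /proxyValidate response; raise on any failure."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise CasValidationError("not a cas:serviceResponse document")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user_el = success.find("cas:user", CAS_NS) if success is not None else None
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("response has neither a failure nor a user")
    attributes: Dict[str, List[str]] = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    if attrs_el is not None:  # CAS 3 attribute release: one element per value
        for child in attrs_el:
            attributes.setdefault(child.tag.rpartition("}")[2], []).append((child.text or "").strip())
    proxies = [(p.text or "").strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    pgt_el = success.find("cas:proxyGrantingTicket", CAS_NS)
    pgt_iou = pgt_el.text.strip() if pgt_el is not None and pgt_el.text else None
    return CasValidation(user_el.text.strip(), attributes, proxies, pgt_iou)

def proxy_chain_trusted(proxies: List[str], trusted_proxy_urls: List[str]) -> bool:
    """A proxied service decides which proxies may act for its users: every proxy in
    the chain must be on its allow-list, so an empty list admits direct logins only."""
    return all(p in trusted_proxy_urls for p in proxies)

# Constructed sample responses, not captured from a real CAS server.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>portal-admins</cas:memberOf>
    </cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-placeholder</cas:proxyGrantingTicket>
    <cas:proxies>
      <cas:proxy>https://portal.example.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-placeholder not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    result = parse_service_response(SUCCESS_XML)
    print(result.user, result.attributes, result.proxies, result.pgt_iou)
```

The validation request is made by the application's server, which is why a compromised web application gains only a one-time service ticket and never the user's password.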
CAS Integration Libraries

• Java
• Spring Security
• PHP
• Apache Module
• ASP
• Python
• Ruby
• ...
• Drupal module
• uPortal
• Liferay
• Sakai
• TikiWiki
• ...
Unicon Services for CAS

• Implementation Planning
• Branding and User Experience
• Installation and Configuration
• Custom Development
• Consulting and Mentoring
• CASification of uPortal, Sakai, and other applications
• Upgrades

For more information, please visit
http://www.unicon.net/services/cas
Questions?




       Andrew Petro
       apetro@unicon.net
       www.unicon.net
Shibboleth & Federated Identities
Shibboleth


    Enterprise federated identity software
    −   Based on standards (principally SAML)
    −   Extensive architectural work to integrate with existing systems
    −   Designed for deployment by communities

    Most widely used in education, government

    Broadly adopted in Europe

    2.0 release implements SAML 2
    −   Backward compatible with 1.3
Shibboleth Project


    Free & Open Source
    −   Apache 2.0 license

    Enterprise and Federation oriented

    Started 2000 with first released code in 2003

    Excellent community support
    −   http://shibboleth.internet2.edu
    −   shibboleth-announce@internet2.edu
Why Federated Identity?


    Authoritative information
    −   Users, privileges, attributes

    Improved security
    −   Fewer user accounts in the world

    Privacy when needed
    −   Fine control over attribute sharing

    Saves time & money
    −   Less work administrating users
What Is SAML?


    Security Assertion Markup Language (SAML)

    XML-based Open Standard

    Exchange authentication and authorization data between
    security domains
    −   Identity Provider (a producer of assertions)
    −   Service Provider (a consumer of assertions)

    Approved by OASIS Security Services
    −   SAML 1.0 November 2002
    −   SAML 2.0 March 2005
Major SAML Applications

    Proquest
    Project MUSE
    Thomson Gale
    Elsevier ScienceDirect
    Google Apps
    ExLibris MetaLib
    Sakai & Moodle
    uPortal
    DSpace, Fedora
    Ovid
    Microsoft DreamSpark
    Moodle, Joomla, Drupal
    JSTOR, ArtSTOR, OCLC
    Blackboard & WebCT
    WebAssign & TurnItIn
    MediaWiki / Confluence
    National Institutes of Health
    National Digital Science Library
How Federated Identity Works


    A user tries to access a protected application

    The user tells the application where it’s from

    The user logs in at home

    Home tells the application about the user

    The user is rejected or accepted
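The acceptance checks a Service Provider runs in steps 4 and 5 above, as an added example in Python (not code from the slides or from the Shibboleth project). It assumes the assertion's XML signature has already been verified by a real XML-DSig implementation, and every entityID, URL, ID and the assertion itself are constructed placeholders.

```python
# Added example, not code from the slides or from the Shibboleth project: the checks a
# SAML 2.0 Service Provider applies to the assertion the user's home IdP sends back.
# Assumed: the XML signature was already verified by a real XML-DSig implementation
# (Shibboleth SP and OpenSAML do that); every entityID, URL, ID and the assertion
# itself are constructed placeholders.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

class AssertionRejected(Exception):
    """Carries the reason an assertion must not be accepted."""

@dataclass
class SpConfig:
    entity_id: str    # our own entityID; must be named as an Audience
    acs_url: str      # our Assertion Consumer Service URL; must be the Recipient
    trusted_idp: str  # entityID of the home IdP whose assertions we accept
    clock_skew: timedelta = timedelta(seconds=180)  # Shibboleth SP's default tolerance

def parse_saml_time(value):
    """UTC xsd:dateTime such as 2009-12-15T10:00:00Z, fractional seconds allowed."""
    if value is None:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        raise AssertionRejected(f"unparseable timestamp {value!r}") from None

def consume_assertion(xml_text: str, sp: SpConfig, request_id: str, now: datetime) -> dict:
    """Return {'name_id', 'attributes'} for an acceptable assertion, else raise."""
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % SAML_NS["saml2"] or a.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    # 1. Only the IdP we federate with may vouch for users.
    issuer = a.findtext("saml2:Issuer", "", SAML_NS).strip()
    if issuer != sp.trusted_idp:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    # 2. Validity window, with a bounded tolerance for clock drift.
    cond = a.find("saml2:Conditions", SAML_NS)
    if cond is None:
        raise AssertionRejected("assertion carries no Conditions")
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if not_before is not None and now < not_before - sp.clock_skew:
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after is None or now >= not_on_or_after + sp.clock_skew:
        raise AssertionRejected("assertion expired or has no NotOnOrAfter")
    # 3. The assertion must be addressed to this SP, not replayed from another one.
    audiences = [(x.text or "").strip()
                 for x in cond.findall("saml2:AudienceRestriction/saml2:Audience", SAML_NS)]
    if sp.entity_id not in audiences:
        raise AssertionRejected("audience restriction does not name this service provider")
    # 4. A bearer confirmation bound to our ACS URL and to the request we actually sent.
    confirmed = False
    for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", SAML_NS):
        data = sc.find("saml2:SubjectConfirmationData", SAML_NS)
        if (sc.get("Method") != BEARER or data is None or data.get("Recipient") != sp.acs_url
                or data.get("InResponseTo") != request_id):
            continue
        expiry = parse_saml_time(data.get("NotOnOrAfter"))
        confirmed = confirmed or expiry is None or now < expiry + sp.clock_skew
    if not confirmed:
        raise AssertionRejected("no bearer SubjectConfirmation matches this SP and request")
    # 5. Only now read the identity and the attributes the IdP chose to release.
    attrs = {}
    for attr in a.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        attrs[attr.get("FriendlyName") or attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    return {"name_id": a.findtext("saml2:Subject/saml2:NameID", "", SAML_NS).strip(),
            "attributes": attrs}

SP = SpConfig(entity_id="https://sp.example.edu/shibboleth",
              acs_url="https://sp.example.edu/Shibboleth.sso/SAML2/POST",
              trusted_idp="https://idp.example.edu/idp/shibboleth")

# Constructed assertion, shaped like what a Shibboleth IdP returns once the user logged in at home.
ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-placeholder" Version="2.0" IssueInstant="2009-12-15T10:00:00Z">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nameid-placeholder</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="_request-placeholder" NotOnOrAfter="2009-12-15T10:05:00Z"
          Recipient="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2009-12-15T09:59:00Z" NotOnOrAfter="2009-12-15T10:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://sp.example.edu/shibboleth</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
```

The same assertion is rejected when presented to a different SP, in reply to a request the SP never sent, from an IdP outside the federation, or after its window plus the configured skew.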
Role of a Federation


    Agreed upon Attribute Definitions
     −   Group, Role, Unique Identifier, Courses, …

    Criteria for IdM & IdP practices
     −   user accounts, credentialing, personal information
         stewardship, interoperability standards, technologies, ...

    Digital Certificates

    Trusted “notary” for all members

    Not needed for Federated IdM,
    but does make things even easier
InCommon Federation


    Federation for U.S. Higher Education & Research
    (and Partners)

    Over Three Million Users

    163 Organizations

    Self-organizing & Heterogeneous

    Policy Entrance bar intentionally set low

    Doesn’t impose lots of rules and standards

    http://www.incommonfederation.org/
Questions?




       John Lewis
       jlewis@unicon.net
       www.unicon.net

More Related Content

What's hot

Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
pigorcraveiro
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
Marco Morana
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
J V
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
JBUG London
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
Nagraj Rao
 
SAML and Liferay
SAML and LiferaySAML and Liferay
SAML and Liferay
Mika Koivisto
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
Mike Schwartz
 
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
Shivanand Arur
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
Anil Saldanha
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
Venkat Gattamaneni
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
Masoud Kalali
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
Aidy Tificate
 

What's hot (20)

Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
SAML and Liferay
SAML and LiferaySAML and Liferay
SAML and Liferay
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
 
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 

Similar to Identity Management Overview: CAS and Shibboleth

Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity Managment
John Lewis
 
Portal as UI of SOA
Portal as UI of SOAPortal as UI of SOA
Portal as UI of SOA
Andrew Petro
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
John Lewis
 
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2HEAnet
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile Computing
Avtex
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2
 
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration CloudAfkham Azeez
 
Acquia Business Mandate Deck Final
Acquia Business Mandate Deck FinalAcquia Business Mandate Deck Final
Acquia Business Mandate Deck Final
Acquia
 
Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...Ontico
 
Trusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research CollaborationsTrusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research Collaborations
jbasney
 
Enterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AIEnterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AI
Sam Fernando
 
VanyaSehgal_Resume
VanyaSehgal_ResumeVanyaSehgal_Resume
VanyaSehgal_ResumeVANYA SEHGAL
 
Challenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick BChallenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick BRoopa Nadkarni
 
5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_b5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_bIBM
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
Chris Phillips
 
Web 2.0 in the Enterprise
Web 2.0 in the EnterpriseWeb 2.0 in the Enterprise
Web 2.0 in the EnterpriseUfuk Kılıç
 
Alex Wade, Digital Library Interoperability
Alex Wade, Digital Library InteroperabilityAlex Wade, Digital Library Interoperability
Alex Wade, Digital Library Interoperability
parker01
 
Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010
Don Presant
 
University of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event SharepointUniversity of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event Sharepoint
Diane Montgomery
 

Similar to Identity Management Overview: CAS and Shibboleth (20)

Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity Managment
 
Portal as UI of SOA
Portal as UI of SOAPortal as UI of SOA
Portal as UI of SOA
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
 
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile Computing
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
 
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
 
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
 
Acquia Business Mandate Deck Final
Acquia Business Mandate Deck FinalAcquia Business Mandate Deck Final
Acquia Business Mandate Deck Final
 
Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...
 
Trusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research CollaborationsTrusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research Collaborations
 
Enterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AIEnterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AI
 
VanyaSehgal_Resume
VanyaSehgal_ResumeVanyaSehgal_Resume
VanyaSehgal_Resume
 
Challenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick BChallenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick B
 
5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_b5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_b
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
 
Web 2.0 in the Enterprise
Web 2.0 in the EnterpriseWeb 2.0 in the Enterprise
Web 2.0 in the Enterprise
 
Alex Wade, Digital Library Interoperability
Alex Wade, Digital Library InteroperabilityAlex Wade, Digital Library Interoperability
Alex Wade, Digital Library Interoperability
 
Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010
 
University of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event SharepointUniversity of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event Sharepoint
 

Recently uploaded

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 

Recently uploaded (20)

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Identity Management Overview: CAS and Shibboleth

  • 1. Identity Management Overview CAS and Shibboleth Andrew Petro, Unicon John Lewis, Unicon Adam Dolby, VASCO 15 December 2009 Copyright Unicon, Inc., 2009. Some Rights Reserved. This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License. http://creativecommons.org/licenses/by-nc-sa/3.0/us/ Some content drawn from prior presentations at Jasig conferences.
  • 2. About Unicon IT Consulting Services for Education, Specializing in Open Source IT Consulting Services • Technology Delivery and Support • Systems Integration • Software Engineering Open Source Technology Solutions • Enterprise Portal • Identity Management • Learning Management • Email and Collaboration For more information about Unicon, please visit: http://www.unicon.net Contact us at: 480-558-2400 or info@unicon.net
  • 3. Jasig CAS in 15 Minutes Andrew Petro Unicon, Inc. See also http://www.unicon.net/blog/3/ten_minute_cas_intro
  • 4. What is CAS? open source single sign on for the Web
  • 6. At Least with One Username/Password?
  • 8. Any Compromise Leaks Primary Credentials
  • 10. The Solution • What if there were only one login form in your organization, only one application trusted to touch primary credentials?
  • 12. Webapps No Longer Touch Passwords
  • 15. Webapps No Longer Touch Passwords
  • 16. Provided Authentication Handlers • LDAP – Fast bind – Search and bind • Active Directory – LDAP – Kerberos (JAAS) • JAAS • JDBC • RADIUS • SPNEGO • Trusted • X.509 certificates • Writing a custom authentication handler is easy
  • 17. What About Portals? Need to go get interesting content from different systems. • E-mail • Calendar • E-Learning • Student Information System
  • 18. Password Replay [diagram: Portal → Channel → Password-Protected Service, with the user's password (PW) handed along at every hop, repeated for each channel and each backing service]
  • 19. Look Ma, No Password! • Without a password to replay, how am I going to authenticate my portal to other applications?
  • 20. “Proxy” CAS • Some Web applications “proxy” authentication to backing services on behalf of the user • “Proxied” applications/services may themselves proxy authentication to others • CAS authenticates both the end user and the proxy
  • 21. CAS – More than Authentication • Return attributes of logged on users • Adding support for standards – OpenID – SAML • Single Sign-Out • RESTful API • Support for clustering • Services management • Remember me (long-term SSO)
  • 22. CAS Integration Libraries • Java • PHP • Apache Module • ASP • Python • Ruby • ... • Drupal module • Spring Security • uPortal • Liferay • Sakai • TikiWiki • ...
  • 23. Unicon Services for CAS • Implementation Planning • Branding and User Experience • Installation and Configuration • Custom Development • Consulting and Mentoring • CASification of uPortal, Sakai, and other applications • Upgrades For more information, please visit http://www.unicon.net/services/cas
  • 24. Questions? Andrew Petro apetro@unicon.net www.unicon.net
  • 26. Shibboleth • Enterprise federated identity software – Based on standards (principally SAML) – Extensive architectural work to integrate with existing systems – Designed for deployment by communities • Most widely used in education, government • Broadly adopted in Europe • 2.0 release implements SAML 2 – Backward compatible with 1.3
  • 27. Shibboleth Project • Free & Open Source – Apache 2.0 license • Enterprise and Federation oriented • Started 2000 with first released code in 2003 • Excellent community support – http://shibboleth.internet2.edu – shibboleth-announce@internet2.edu
  • 28. Why Federated Identity? • Authoritative information – Users, privileges, attributes • Improved security – Fewer user accounts in the world • Privacy when needed – Fine control over attribute sharing • Saves time & money – Less work administrating users
  • 29. What Is SAML? • Security Assertion Markup Language (SAML) • XML-based Open Standard • Exchange authentication and authorization data between security domains – Identity Provider (a producer of assertions) – Service Provider (a consumer of assertions) • Approved by OASIS Security Services – SAML 1.0 November 2002 – SAML 2.0 March 2005
  • 30. Major SAML Applications • Proquest • Microsoft DreamSpark • Project MUSE • Moodle, Joomla, Drupal • Thomson Gale • JSTOR, ArtSTOR, OCLC • Elsevier ScienceDirect • Blackboard & WebCT • Google Apps • WebAssign & TurnItIn • ExLibris MetaLib • MediaWiki / Confluence • Sakai & Moodle • uPortal • National Institutes of Health • DSpace, Fedora • National Digital Science Library • Ovid
  • 31. How Federated Identity Works • A user tries to access a protected application • The user tells the application where it's from • The user logs in at home • Home tells the application about the user • The user is rejected or accepted
  • 33. Role of a Federation • Agreed upon Attribute Definitions – Group, Role, Unique Identifier, Courses, … • Criteria for IdM & IdP practices – user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ... • Digital Certificates • Trusted "notary" for all members • Not needed for Federated IdM, but does make things even easier
  • 34. InCommon Federation • Federation for U.S. Higher Education & Research (and Partners) • Over Three Million Users • 163 Organizations • Self-organizing & Heterogeneous • Policy Entrance bar intentionally set low • Doesn't impose lots of rules and standards • http://www.incommonfederation.org/
  • 35. Questions? John Lewis jlewis@unicon.net www.unicon.net
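Slides 19 and 20 describe "proxy" CAS: the portal reaches a backing service on the user's behalf with a proxy ticket instead of a replayed password. The following is an added example, not code from the slides or from Jasig CAS: a constructed in-memory model of the ticket exchange in which only the CAS login path ever sees the password, service tickets are single-use and bound to one service, and the backing service learns which proxy acted for the user. The usernames, passwords, service URLs and callback URL are made up.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class CasServer:
    users: dict                               # username -> password; in this model only CAS sees them
    tgts: dict = field(default_factory=dict)  # ticket-granting ticket -> username
    sts: dict = field(default_factory=dict)   # service/proxy ticket -> (user, service, proxy chain)
    pgts: dict = field(default_factory=dict)  # proxy-granting ticket -> (user, proxy chain)
    def login(self, username, password):
        """The one login form: the only code path that checks a primary credential."""
        if self.users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = username
        return tgt

    def grant_service_ticket(self, tgt, service):
        """Browser hits /login?service=...: CAS issues a one-time ST bound to that service."""
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = (self.tgts[tgt], service, ())
        return st

    def validate(self, ticket, service, pgt_callback=None):
        """/serviceValidate or /proxyValidate: single use, must match the presenting service."""
        entry = self.sts.pop(ticket, None)    # popped first, so a misused ticket is burned
        if entry is None or entry[1] != service:
            return None
        user, _, chain = entry
        result = {"user": user, "proxies": list(chain)}
        if pgt_callback:  # real CAS also verifies this callback URL over HTTPS; omitted here
            pgt = "PGT-" + secrets.token_hex(8)
            self.pgts[pgt] = (user, chain + (pgt_callback,))
            result["pgt"] = pgt
        return result

    def grant_proxy_ticket(self, pgt, target_service):
        """/proxy: the proxy asks for a PT for a backing service, no password involved."""
        user, chain = self.pgts[pgt]
        pt = "PT-" + secrets.token_hex(8)
        self.sts[pt] = (user, target_service, chain)
        return pt

def portal_reaches_calendar(cas):
    """Slide 20's chain: user -> portal -> calendar; the backing service learns who proxied."""
    tgt = cas.login("alice", "correct horse")  # constructed credentials
    st = cas.grant_service_ticket(tgt, "https://portal.example.edu/")
    portal = cas.validate(st, "https://portal.example.edu/", "https://portal.example.edu/pgt")
    pt = cas.grant_proxy_ticket(portal["pgt"], "https://calendar.example.edu/")
    return cas.validate(pt, "https://calendar.example.edu/")
```

The calendar service receives the username plus the proxy chain, so it can decide for itself whether to trust a login that arrived via the portal rather than directly from the user.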