
EuroCAMP 8may2008

[email protected]

Jan Du Caju, ICT security officer, K.U.Leuven, Belgium

Integration of N-tiers application Using CAS Single Sign On system with Horde webmail


Integration of N-tiers application Using CAS Single Sign On system with Horde webmail

- context: association K.U.Leuven
- N-tiers problem space
- Proxy CAS
- The gory details
- Future
- Conclusions


Introduction: context association K.U.Leuven

- educational landscape reflects political situation
- association K.U.Leuven: 1 university and 12 schools of higher education
- need for resource sharing; 2004: Shibboleth for institutional and inter-institutional web resources


Introduction: context association K.U.Leuven (continued)

- Every institution of association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure, incl. Shibboleth IdP and CAS)

- Resources
  - e-learning: Blackboard and other coupled education apps
  - library: Ex Libris, and access to scientific papers, publications and databases
  - work place context: intranet, webmail, groupware and inter-institutional offers
  - research context: HPC et al.
  - administrative and organizational context: SAP

- Federations
  - K.U.Leuven (institutional)
  - Association K.U.Leuven
  - K.U.Leuven - UZLeuven (university hospital)
  - Not yet :-\ a national federation at NREN level (Belnet)


N-tiers problem space

(diagram: browser -> webmail -> imap server; the user's uid/pw are sent from the browser to webmail, and webmail in turn sends the same uid/pw on to the imap server)

Goal
- Password does not pass application
- Secure (no caching of passwords, ...)
- Single Sign-On


CAS

- Originally open-source WebISO developed by Yale University; JA-SIG project since December 2004
- Loosely based on Kerberos: passwords are replaced by tickets (≈ one-time passwords)
- Server: Java & Spring framework
- Client: lots of implementations and libraries


CAS

(diagram: browser, webmail, imap server, CAS server)

- CAS server: a trusted arbiter of authenticity
- back-end service
- proxy: service that wants to access another service on behalf of a particular user

CAS: basic flow

(animated diagram: browser, webmail, imap server, CAS server)

- browser requests service S1=https://webmail.kuleuven.be
- browser is redirected to the CAS login page
- user enters uid/pw at the CAS server (login)
- CAS server issues a service ticket ST for S1 and sets a Ticket Granting Cookie TGC in the browser
- webmail sends the ST to the CAS server for verification of the service ticket
- CAS server confirms ST (and the user) to webmail

N-tiers problem space

(diagram: same picture, with a "?" on the link from webmail to the imap server: webmail now knows the user but holds only a ticket, not a password, to present to the imap server)


Proxy CAS

(animated diagram: browser, webmail, imap server, CAS server)

- as before: login at the CAS server, ST and TGC; additional: when webmail validates the ST it supplies a Proxy Granting Ticket URL (PGT-URL)
- CAS server calls the PGT-URL and delivers a PGT together with a PGTIOU; the PGTIOU is used to correlate the PGT with the uid
- webmail asks the CAS server, using its PGT, for a ticket for service S2=imap://imap.kuleuven.be
- CAS server returns a Proxy Ticket PT
- webmail presents PT and uid to the imap server
- imap server sends S2 and PT to the CAS server for validation
- CAS server returns the uid for S2/PT to the imap server


The gory details

(diagram: browser -> webmail [phpCAS, imap proxy with a persistent imap connection] -> imap server [PAM_CAS]; PT and uid pass from webmail to the imap server, and both sides exchange S2/PT/uid with the CAS server)

imap server
- PAM_CAS: exchange of tickets with the CAS server

Horde IMP webmail server
- standard: Apache, php, Horde IMP
- imap proxy: keeps a persistent imap connection; mostly implemented for performance, but it has the additional advantage that there is no need for a new PT (Proxy Ticket) for each request
- phpCAS client: exchange of tickets with the CAS server
- ESUP glue-code to let the phpCAS client & Proxy CAS communicate seamlessly with Horde IMP


Future

- K.U.Leuven needs calendar functionality: moving from imap to MS Exchange
- Working proof-of-concept: ADFS-enabled OWA (Outlook Web Access) integrated with our Shibboleth IdP
- Implementation: summer 2008


Conclusion

Integration of N-tiers applications
- dependent on application
- one possibility by means of Proxy CAS

Credits
- Philip Brusten
- Jan Van der Velpen (CAS developer)

URLs / References
- http://shib.kuleuven.be
- http://kuleuven.be/english
- http://associatie.kuleuven.be/eng
- http://www.ja-sig.org/cas
- http://esup-portal.org