uPortal and the Yale Central Authentication Service
Drew Mazurek
ITS Technology & Planning
Yale University
JA-SIG Summer Conference ‘04
Denver, CO
June 21, 2004

What’s coming up…
- CAS overview
- n-tier authentication problem
- uPortal and CAS integration
- CAS channel examples
- Questions
- Discussion

CAS in a nutshell
(Diagram: the browser authenticates to CAS via password, once; it authenticates to the web application without sending the password; the web application asks CAS to determine the validity of the user’s claimed authentication.)

How CAS Works
(Diagram: web browser, CAS and web application; arrows labelled S, C, T and NetID show the browser obtaining a ticket from CAS and the application validating it with CAS to learn the NetID.)

n-tier authentication problem
(Diagram: the portal hosts several channels, each talking to a password-protected service; the user’s password (PW) is passed along at every hop and cached in the portal: “Password caching”.)

n-tier authentication problem
- uPortal can authenticate users securely with CAS
- But it does not know about users’ primary credentials
- This is a good thing, except uPortal can’t impersonate the user in order to acquire secure data for the user

CAS 2.0: Proxy CAS
(Diagram 1: the web browser presents its service ticket (ST) to the web application, which validates it with CAS and supplies a proxy-granting-ticket callback URL (PGTURL). CAS delivers the PGT together with its IOU (PGTIOU) to the application’s https listener at that URL, and returns the NetID plus the PGTIOU in the validation response, so the application can pair the two.)
(Diagram 2: the web application presents its PGT to CAS and receives a proxy ticket (PT) for the back-end application; it hands the PT to the back-end, which validates it with CAS, receives the NetID and the PGTURL identifying the proxying application, and returns the requested data.)

CAS Security Provider
- Uses CAS for primary authentication
- Uses the CAS ProxyTicketReceptor servlet included with the CAS Client distribution
- Exposes a public method to channels to get a proxy ticket for a particular service
- Back-end systems must be configured to accept and validate proxy credentials from uPortal

uPortal with CAS Provider
(Diagram: the CAS SecurityContext validates the ticket (T) with CAS, giving the PGTURL of the CASTicketReceptorServlet; CAS delivers the PGT IOU and PGT to that servlet. A channel calls getProxyTicket(pgtIou, service); the receptor servlet redeems the PGT for a proxy ticket (PT) via getCasServiceToken; the channel presents the PT to its resource, which validates it with CAS and learns the username and the identity of the proxy (the portal).)

CAS, uPortal, and other applications at Yale
- Simple service-ticket authentication: IMP webmail, Email Account Configuration Tool
- Single-tier proxy-ticket authentication: Meeting Maker
- Multi-tier proxy-ticket authentication: Recent Email Channel

IMP Webmail
(Screenshot: https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Dview_message%3F97552)
1. User clicks on link in Recent Email channel
2. New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
3. IMP stores destination URL/message as session variable, and redirects the browser to CAS
4. Upon return from CAS, IMP validates the CAS service ticket and then shows the requested email message
But how is the user authenticated to the IMAP server?
- IMP normally wants to replay cached primary credentials

IMP Webmail – CAS PAM module
(Diagram: IMP validates the ST with CAS and obtains a PGT, then requests a PT for the IMAP server; IMP presents the PT to the IMAP server, whose CAS PAM module validates it with CAS and receives the NetID and IMP’s proxy callback URL (unique ID).)

Email Account Configuration Tool
- Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management
- CASified one year ago
- Linked in uPortal as: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main
- Simple service ticket-only authentication
- Takes advantage of single sign-on

Meeting Maker
- Meeting Maker, Inc. provides a Java API to access calendaring data
- A Java servlet uses the API to retrieve data and provide an XML feed to the portal
- The servlet doesn’t know about the user’s MM password – it uses a master MM server password to access the data
(Diagram: uPortal validates its service ticket (S) with CAS and holds a PGT; it obtains a PT for the MeetingMakerServlet and presents it; the servlet validates the PT with CAS, receiving the NetID and the portal’s ProxyID, reads the user’s MM data from the MeetingMakerServer using the MM admin PW, and returns it to uPortal as XML.)
- Channel authentication performed through CAS Java Servlet filter (included in CAS client library)
- uPortal’s CAS proxy callback URL configured in web application’s deployment descriptor:

```xml
<init-param>
  <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
  <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
</init-param>
```
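As an added example (not from the slides, the CAS client library, or uPortal), a Python sketch of the back-end side of the Proxy CAS flow described in the "CAS 2.0: Proxy CAS" diagrams and of the authorizedProxy check configured above: pairing the PGTIOU from a validation response with the PGT that CAS posted to the PGTURL listener, parsing a CAS 2.0 validation response, and accepting a proxied user only when every proxy in the chain is an authorized one. The response bodies, the NetID abc123 and the ticket strings are constructed placeholders; the XML layout is the CAS 2.0 protocol's, not something shown on the slides, and requiring every proxy in the chain to be authorized is this example's policy.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 XML responses


@dataclass
class Assertion:
    user: str                                         # the NetID
    proxies: List[str] = field(default_factory=list)  # nearest proxy first


class PgtStore:
    """Pairs the PGTIOU returned in a validation response with the PGT that
    CAS posted to the application's https listener (its PGTURL)."""

    def __init__(self) -> None:
        self._by_iou: Dict[str, str] = {}

    def on_callback(self, pgt_iou: str, pgt_id: str) -> None:
        # Called when CAS requests PGTURL?pgtIou=...&pgtId=... over https.
        self._by_iou[pgt_iou] = pgt_id

    def redeem(self, pgt_iou: str) -> Optional[str]:
        # One-shot exchange of the IOU for the real PGT.
        return self._by_iou.pop(pgt_iou, None)


def parse_validate_response(xml_text: str) -> Assertion:
    """Parse a /serviceValidate or /proxyValidate body; ValueError on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{CAS_NS}authenticationFailure")
    if failure is not None:
        raise ValueError(f"CAS rejected ticket: {failure.get('code', 'UNKNOWN')}")
    success = root.find(f"{CAS_NS}authenticationSuccess")
    user = success.findtext(f"{CAS_NS}user") if success is not None else None
    if not user:
        raise ValueError("malformed response: no authenticationSuccess/user")
    proxies = [p.text.strip() for p in success.iterfind(f"{CAS_NS}proxies/{CAS_NS}proxy") if p.text]
    return Assertion(user=user.strip(), proxies=proxies)


def accept_proxied_user(xml_text: str, authorized_proxies: List[str]) -> Optional[str]:
    """Back-end decision: return the NetID only if the ticket validated and every
    proxy in the chain is one we trust (the role of authorizedProxy); else None."""
    try:
        assertion = parse_validate_response(xml_text)
    except (ValueError, ET.ParseError):
        return None
    if any(p not in authorized_proxies for p in assertion.proxies):
        return None  # minted through an intermediary we never agreed to trust
    return assertion.user


# Constructed sample responses; "abc123" and the ticket strings are placeholders.
OK_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>abc123</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.yale.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

BAD_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>PT-placeholder not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

AUTHORIZED = ["https://portal.yale.edu/CasProxyServlet"]  # value from the web.xml above
```

A response whose proxy chain names any URL outside AUTHORIZED is rejected even though CAS itself reported authenticationSuccess, which is the check the back-end configuration on the slide exists to enforce.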

Recent Email Channel
- Displays 10 most recent email messages
- Multi-tier CAS proxy authentication
- Same design as Meeting Maker: servlet pulls data from back-end source, returns as XML
- Different authentication from MM: IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module
(Diagram, in three stages: uPortal validates its S with CAS, obtains a PGT, and gets a PT for the EmailServlet. The EmailServlet validates that PT with CAS, passing its own PGTURL; it receives the NetID and the portal’s ProxyID, and CAS delivers a PGTIOU/PGT pair to the servlet. The servlet then obtains a second-tier PT for the IMAPServer, which validates it with CAS and receives the NetID and the full list of ProxyIDs; the IMAP session is opened and the servlet returns the messages to uPortal as XML.)
- Can’t use CAS filter because it must obtain proxy tickets to pass to IMAP
- Uses the CAS ProxyTicketValidator for authentication (included with CAS client library), then getProxyTicket()
- Current beta of CAS filter provides support for acquiring proxy tickets

Summary
- Simple CAS authentication
- n-tier authentication problem
- CAS’s solution: Proxy CAS
- uPortal and CAS Security Provider
- uPortal, CAS, and other applications
  - Simple service ticket authentication: IMP Webmail, Email Account Configuration Tool
  - Single-layer proxy ticket authentication: Meeting Maker
  - Multi-layer proxy ticket authentication: Recent Email Channel

Questions?

For more information
- Drew Mazurek <[email protected]>
- CAS Web Site: http://www.yale.edu/tp/cas
- CAS Mailing List: [email protected], http://tp.its.yale.edu/mailman/listinfo/cas
- This presentation: http://www.yale.edu/tp/cas/cas-jasig-2004.ppt, http://www.yale.edu/tp/cas/cas-jasig-2004.htm