Page 1
Identity Management Overview: CAS and Shibboleth
Andrew Petro, Unicon
John Lewis, Unicon
Adam Dolby, VASCO
15 December 2009
Copyright Unicon, Inc., 2009. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License.
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Some content drawn from prior presentations at Jasig conferences.
Page 2
About Unicon
IT Consulting Services for Education, Specializing in Open Source
IT Consulting Services
• Technology Delivery and Support
• Systems Integration
• Software Engineering
Open Source Technology Solutions
• Enterprise Portal
• Identity Management
• Learning Management
• Email and Collaboration
For more information about Unicon, please visit: http://www.unicon.net
Contact us at: 480-558-2400 or [email protected]
Page 3
Jasig CAS in 15 Minutes
Andrew Petro, Unicon, Inc.
See also http://www.unicon.net/blog/3/ten_minute_cas_intro
Page 4
What is CAS?
open source
single sign on
for the Web
Page 5
Multi-Sign-On for the Web
Page 6
At Least with One Username/Password?
Page 7
All Applications Touch Passwords
Page 8
Any Compromise Leaks Primary Credentials
Page 9
Adversary Then Can Run Wild
Page 10
The Solution
• What if there were only one login form in your
organization, only one application trusted to
touch primary credentials?
Page 11
Delete Your Login Forms
Page 12
Webapps No Longer Touch Passwords
Page 13
Adversary Compromises Only Single Apps
Page 15
Webapps No Longer Touch Passwords
Page 16
Provided Authentication Handlers
• LDAP
– Fast bind
– Search and bind
• Active Directory
– LDAP
– Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
Page 17
What About Portals?
Need to go get interesting content from different systems.
• E-mail
• Calendar
• E-Learning
• Student Information System
Page 18
Password Replay
(Diagram: the Portal holds the user's password (PW) and each Channel replays it to a Password-Protected Service, so the primary credential is handled by the portal, by every channel and by every backing service.)
Page 19
Look Ma, No Password!
• Without a password to replay, how am I going
to authenticate my portal to other
applications?
Page 20
“Proxy” CAS
• Some Web applications “proxy”
authentication to backing services on behalf
of the user
• “Proxied” applications/services may
themselves proxy authentication to others
• CAS authenticates both the end user and the
proxy
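Added example, in Python, of the flow the last several slides describe; this is not code from the Jasig CAS project or from Unicon. It simulates one CAS server and the applications around it: CasServer.login is the only login form and the only place a password is checked, every other application sees tickets only, and a proxying portal obtains a proxy-granting ticket (allowed by the services-management registry), hands a proxy ticket to its mail channel, and the mail service validates that through /proxyValidate and sees the proxy chain. Endpoint names, ticket prefixes and the cas: XML elements follow the CAS 2.0 protocol; the user, hostnames, registry contents and in-memory ticket tables are assumptions made for this example, and the PGT callback (an HTTPS POST to pgtUrl in real CAS) is simulated with a dictionary.

```python
# Added example, not Jasig CAS code: a simulated CAS 2.0 exchange covering the single login
# form, ticket validation and the proxy flow. Endpoints, ticket prefixes and cas: XML follow
# the CAS 2.0 protocol; credentials, registry, hostnames and ticket tables are constructed.
import secrets
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)
CREDENTIALS = {"apetro": "correct horse battery staple"}  # the only password store
PORTAL, MAIL = "https://portal.example.edu/uPortal", "https://mail.example.edu/inbox"
REGISTRY = {PORTAL: True, MAIL: False}  # services management: service -> may it proxy?

def _tag(name):
    return "{%s}%s" % (CAS_NS, name)

def _ticket(prefix):
    return prefix + "-" + secrets.token_urlsafe(16)

def _response(user=None, code=None, pgt_iou=None, proxies=()):
    root = ET.Element(_tag("serviceResponse"))
    if code:
        ET.SubElement(root, _tag("authenticationFailure"), code=code)
    else:
        ok = ET.SubElement(root, _tag("authenticationSuccess"))
        ET.SubElement(ok, _tag("user")).text = user
        if pgt_iou:
            ET.SubElement(ok, _tag("proxyGrantingTicket")).text = pgt_iou
        if proxies:
            plist = ET.SubElement(ok, _tag("proxies"))
            for url in proxies:
                ET.SubElement(plist, _tag("proxy")).text = url
    return ET.tostring(root, encoding="unicode")

class CasServer:
    def __init__(self):
        self.tgts, self.sts, self.pgts, self.pts = {}, {}, {}, {}
        self.callbacks = {}  # pgtUrl -> {PGTIOU: PGT}; stands in for the HTTPS callback

    def login(self, username, password, service):
        # The single login form: CAS is the only application that sees the password.
        if CREDENTIALS.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = _ticket("TGT")  # the SSO session; a browser cookie (TGC) in real CAS
        self.tgts[tgt] = username
        return tgt, self.grant_st(tgt, service)

    def grant_st(self, tgt, service):
        # /login with an existing session: an ST for a registered service, no password.
        if tgt not in self.tgts or service not in REGISTRY:
            raise PermissionError("unknown session or unregistered service")
        st = _ticket("ST")
        self.sts[st] = (self.tgts[tgt], service)
        return st

    def service_validate(self, ticket, service, pgt_url=None):
        # /serviceValidate: the ST is single-use and bound to the service that asks.
        entry = self.sts.pop(ticket, None)
        if entry is None or entry[1] != service:
            return _response(code="INVALID_TICKET")
        user, pgt_iou = entry[0], None
        if pgt_url:
            if not REGISTRY[service]:
                return _response(code="INVALID_PROXY_CALLBACK")
            pgt, pgt_iou = _ticket("PGT"), _ticket("PGTIOU")
            self.pgts[pgt] = (user, pgt_url)
            self.callbacks.setdefault(pgt_url, {})[pgt_iou] = pgt  # PGT delivered out of band
        return _response(user, pgt_iou=pgt_iou)

    def proxy(self, pgt, target_service):
        # /proxy: trade a PGT for a PT aimed at one backing service (real CAS wraps it in XML).
        user, proxy_url = self.pgts[pgt]
        pt = _ticket("PT")
        self.pts[pt] = (user, target_service, [proxy_url])
        return pt

    def proxy_validate(self, ticket, service):
        # /proxyValidate: like serviceValidate, but accepts PTs and reports the proxy chain.
        entry = self.pts.pop(ticket, None)
        if entry is None or entry[1] != service:
            return _response(code="INVALID_TICKET")
        return _response(entry[0], proxies=entry[2])

def parse_validation(xml_text):
    # Client side: (user, PGTIOU, proxy chain) on success, None on failure.
    ok = ET.fromstring(xml_text).find(_tag("authenticationSuccess"))
    if ok is None:
        return None
    chain = [p.text for p in ok.findall(_tag("proxies") + "/" + _tag("proxy"))]
    return ok.findtext(_tag("user")), ok.findtext(_tag("proxyGrantingTicket")), chain

def demo():
    cas = CasServer()
    callback = "https://portal.example.edu/CasProxyServlet"
    tgt, st = cas.login("apetro", "correct horse battery staple", PORTAL)  # one login, at CAS
    user, pgt_iou, _ = parse_validation(cas.service_validate(st, PORTAL, pgt_url=callback))
    pgt = cas.callbacks[callback][pgt_iou]  # the portal now holds a PGT for this user
    mail_user, _, chain = parse_validation(cas.proxy_validate(cas.proxy(pgt, MAIL), MAIL))
    replay = parse_validation(cas.service_validate(st, PORTAL))  # ST already consumed
    return user, mail_user, chain, replay, pgt_iou
```

Two properties of the protocol are worth checking in any real client or deployment and are visible in the simulation: a ticket is single-use and bound to the service named when it was issued, so an ST presented twice or by a different service fails; and /serviceValidate never accepts a proxy ticket, so a backing service that must trust proxied logins has to call /proxyValidate and decide, from the returned proxy chain, whether it trusts that proxy.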
Page 21
CAS – More than Authentication
• Return attributes of logged on users
• Adding support for standards
– OpenID
– SAML
• Single Sign-Out
• RESTful API
• Support for clustering
• Services management
• Remember me (long-term SSO)
Page 22
CAS Integration Libraries
• Java
• Spring Security
• PHP
• Apache Module
• ASP
• Python
• Ruby
• ...
• Drupal module
• uPortal
• Liferay
• Sakai
• TikiWiki
• ...
Page 23
Unicon Services for CAS
• Implementation Planning
• Branding and User Experience
• Installation and Configuration
• Custom Development
• Consulting and Mentoring
• CASification of uPortal, Sakai, and other applications
• Upgrades
For more information, please visit
http://www.unicon.net/services/cas
Page 24
Andrew Petro
[email protected]
www.unicon.net
Questions?
Page 25
Shibboleth & Federated Identities
Page 26
Shibboleth
Enterprise federated identity software
− Based on standards (principally SAML)
− Extensive architectural work to integrate with existing systems
− Designed for deployment by communities
Most widely used in education, government
Broadly adopted in Europe
2.0 release implements SAML 2
− Backward compatible with 1.3
Page 27
Shibboleth Project
Free & Open Source
− Apache 2.0 license
Enterprise and Federation oriented
Started 2000 with first released code in 2003
Excellent community support
− http://shibboleth.internet2.edu
− [email protected]
Page 28
Why Federated Identity?
Authoritative information
− Users, privileges, attributes
Improved security
− Fewer user accounts in the world
Privacy when needed
− Fine control over attribute sharing
Saves time & money
− Less work administrating users
Page 29
What Is SAML?
Security Assertion Markup Language (SAML)
XML-based Open Standard
Exchange authentication and authorization data between
security domains
− Identity Provider (a producer of assertions)
− Service Provider (a consumer of assertions)
Approved by OASIS Security Services
− SAML 1.0 November 2002
− SAML 2.0 March 2005
Page 30
Major SAML Applications
Proquest
Project MUSE
Thomson Gale
Elsevier ScienceDirect
Google Apps
ExLibris MetaLib
Sakai & Moodle
uPortal
DSpace, Fedora
Ovid
Microsoft DreamSpark
Moodle, Joomla, Drupal
JSTOR, ArtSTOR, OCLC
Blackboard & WebCT
WebAssign & TurnItIn
MediaWiki / Confluence
National Institutes of Health
National Science Digital Library
Page 31
How Federated Identity Works
A user tries to access a protected application
The user tells the application where it’s from
The user logs in at home
Home tells the application about the user
The user is rejected or accepted
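Added example, in Python, walking the five steps above with SAML 2.0 messages, serving both this slide and the "What Is SAML?" slide; it is not Shibboleth code. The SP (consumer of assertions) builds an AuthnRequest once the user has named its home IdP, the IdP (producer of assertions) checks the password at home and answers with a Response whose Assertion carries only the attributes its release policy allows for that SP, and the SP verifies signature, Destination, InResponseTo, validity window and Audience before accepting. Entity IDs, the user, the release policy and the fixed clock are assumptions made for the example, and an HMAC over the serialized Assertion stands in for the XML signature a real IdP produces with the certificate published in federation metadata.

```python
# Added example, not Shibboleth code: the five-step federated login carried out with SAML 2.0
# messages. Entity IDs, users, release policy and the clock are constructed; an HMAC over the
# serialized Assertion stands in for the XML signature a real IdP makes with its certificate.
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)
TS = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://portal.example.edu/shibboleth"
SP_ACS = "https://portal.example.edu/Shibboleth.sso/SAML2/POST"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
FEDERATION_METADATA = {IDP_ENTITY_ID: b"idp-signing-key"}  # entityID -> verification key

def _t(ns, name):
    return "{%s}%s" % (ns, name)

def _sign(assertion):
    key = FEDERATION_METADATA[assertion.findtext(_t(SAML, "Issuer"))]
    return hmac.new(key, ET.tostring(assertion), hashlib.sha256).hexdigest()

class IdentityProvider:
    USERS = {"jlewis": ("hunter2", {"eduPersonPrincipalName": ["jlewis@example.edu"],
                                    "eduPersonAffiliation": ["staff", "member"],
                                    "mail": ["jlewis@example.edu"]})}
    RELEASE = {SP_ENTITY_ID: ["eduPersonPrincipalName", "eduPersonAffiliation"]}  # mail withheld

    def authenticate(self, authn_request_xml, username, password, now):
        # Step 3: the user logs in at home; the IdP answers the SP's AuthnRequest.
        req = ET.fromstring(authn_request_xml)
        sp = req.findtext(_t(SAML, "Issuer"))
        pw, attrs = self.USERS[username]
        if password != pw:
            raise PermissionError("bad credentials")
        resp = ET.Element(_t(SAMLP, "Response"), ID="_" + secrets.token_hex(16), Version="2.0",
                          IssueInstant=now.strftime(TS), InResponseTo=req.get("ID"),
                          Destination=req.get("AssertionConsumerServiceURL"))
        a = ET.SubElement(resp, _t(SAML, "Assertion"), ID="_" + secrets.token_hex(16),
                          Version="2.0", IssueInstant=now.strftime(TS))
        ET.SubElement(a, _t(SAML, "Issuer")).text = IDP_ENTITY_ID
        cond = ET.SubElement(a, _t(SAML, "Conditions"), NotBefore=(now - timedelta(minutes=1)).strftime(TS),
                             NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
        ET.SubElement(ET.SubElement(cond, _t(SAML, "AudienceRestriction")), _t(SAML, "Audience")).text = sp
        stmt = ET.SubElement(a, _t(SAML, "AttributeStatement"))
        for name in self.RELEASE.get(sp, []):  # attribute release policy: per-SP privacy control
            attr = ET.SubElement(stmt, _t(SAML, "Attribute"), Name=name)
            for value in attrs[name]:
                ET.SubElement(attr, _t(SAML, "AttributeValue")).text = value
        return ET.tostring(resp, encoding="unicode"), _sign(a)

class ServiceProvider:
    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> IdP it was sent to

    def start_login(self, idp_entity_id, now):
        # Steps 1-2: protected page requested; the user names its home IdP (discovery).
        if idp_entity_id not in FEDERATION_METADATA:
            raise PermissionError("IdP not in federation metadata")
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = idp_entity_id
        req = ET.Element(_t(SAMLP, "AuthnRequest"), ID=req_id, Version="2.0",
                         IssueInstant=now.strftime(TS), AssertionConsumerServiceURL=SP_ACS)
        ET.SubElement(req, _t(SAML, "Issuer")).text = SP_ENTITY_ID
        return ET.tostring(req, encoding="unicode")

    def consume(self, response_xml, signature, now):
        # Steps 4-5: verify what home said about the user, then accept or reject.
        resp = ET.fromstring(response_xml)
        a = resp.find(_t(SAML, "Assertion"))
        issuer = a.findtext(_t(SAML, "Issuer"))
        if issuer not in FEDERATION_METADATA:
            return None, "untrusted issuer"
        if not hmac.compare_digest(_sign(a), signature):
            return None, "bad signature"
        if resp.get("Destination") != SP_ACS:
            return None, "wrong destination"
        if self.pending.pop(resp.get("InResponseTo"), None) != issuer:
            return None, "unsolicited or mismatched InResponseTo"  # also blocks replay
        cond = a.find(_t(SAML, "Conditions"))
        nb, noa = (datetime.strptime(cond.get(k), TS) for k in ("NotBefore", "NotOnOrAfter"))
        if not nb <= now < noa:
            return None, "outside validity window"
        if cond.findtext(_t(SAML, "AudienceRestriction") + "/" + _t(SAML, "Audience")) != SP_ENTITY_ID:
            return None, "meant for another SP"
        return {el.get("Name"): [v.text for v in el] for el in a.iter(_t(SAML, "Attribute"))}, "accepted"

def demo(now=datetime(2009, 12, 15, 12, 0)):
    sp, idp = ServiceProvider(), IdentityProvider()
    response, sig = idp.authenticate(sp.start_login(IDP_ENTITY_ID, now), "jlewis", "hunter2", now)
    accepted = sp.consume(response, sig, now)
    tampered = sp.consume(response.replace("staff", "admin"), sig, now)  # altered in transit
    stale, sig2 = idp.authenticate(sp.start_login(IDP_ENTITY_ID, now), "jlewis", "hunter2", now)
    expired = sp.consume(stale, sig2, now + timedelta(minutes=10))  # presented too late
    return accepted, tampered, expired
```

The order of the SP's checks matters: the signature is verified before anything in the message is trusted, and the Audience check is what stops an assertion issued for one SP being presented to another. In a real deployment the verification key comes from signed federation metadata rather than a dictionary, and the signature is an XML-DSig over the Assertion or Response, so the same checks apply but against the IdP's certificate.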
Page 33
Role of a Federation
Agreed upon Attribute Definitions
− Group, Role, Unique Identifier, Courses, …
Criteria for IdM & IdP practices
− user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
Digital Certificates
Trusted “notary” for all members
Not needed for Federated IdM, but does make things even easier
Page 34
InCommon Federation
Federation for U.S. Higher Education & Research (and Partners)
Over Three Million Users
163 Organizations
Self-organizing & Heterogeneous
Policy Entrance bar intentionally set low
Doesn’t impose lots of rules and standards
http://www.incommonfederation.org/
Page 35
John Lewis
[email protected]
www.unicon.net
Questions?