Slide deck from CAS and Shibboleth portion of 15 December 2009 Unicon webinar on CAS, Shibboleth, and VASCO.
Identity Management Overview
CAS and Shibboleth
Andrew Petro, Unicon
John Lewis, Unicon
Adam Dolby, VASCO
15 December 2009
Copyright Unicon, Inc., 2009. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License.
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Some content drawn from prior presentations at Jasig conferences.
About Unicon
IT Consulting Services for Education, Specializing in Open Source
IT Consulting Services
• Technology Delivery and Support
• Systems Integration
• Software Engineering
Open Source Technology Solutions
• Enterprise Portal
• Identity Management
• Learning Management
• Email and Collaboration
For more information about Unicon, please visit: http://www.unicon.net
Contact us at: 480-558-2400 or info@unicon.net
Jasig CAS in 15 Minutes
Andrew Petro
Unicon, Inc.
See also http://www.unicon.net/blog/3/ten_minute_cas_intro
What is CAS?
Open source single sign-on for the Web
Multi-Sign-On for the Web
At Least with One Username/Password?
All Applications Touch Passwords
Any Compromise Leaks Primary Credentials
Adversary Then Can Run Wild
The Solution
• What if there were only one login form in your organization, only one application trusted to touch primary credentials?
Delete Your Login Forms
Webapps No Longer Touch Passwords
Adversary Compromises Only Single Apps
Provided Authentication Handlers
• LDAP
– Fast bind
– Search and bind
• Active Directory
– LDAP
– Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
What About Portals?
Need to go get interesting content from different systems.
• E-mail
• Calendar
• E-Learning
• Student Information System
Password Replay
[Diagram: each Portal channel replays the user's password (PW) to its password-protected service]
Look Ma, No Password!
• Without a password to replay, how am I going to authenticate my portal to other applications?
“Proxy” CAS
• Some Web applications “proxy” authentication to backing services on behalf of the user
• “Proxied” applications/services may themselves proxy authentication to others
• CAS authenticates both the end user and the proxy
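The "one login form" idea and the proxy flow above, as an added example that is not from the Unicon slides: an in-memory model of a CAS server in which only the server reads the credential store, applications receive single-use service tickets bound to their own URL, and a portal obtains a proxy ticket to reach a mail service. Ticket prefixes (ST, PGT, PT) and endpoint names follow the CAS protocol; the users, services and callback URL are constructed, and the PGT is returned inline rather than delivered to the callback URL as real CAS does.

```python
import hmac
import secrets
# Constructed credential store: in the CAS model only the CAS server reads it.
USERS = {"alice": b"correct horse"}

class CasServer:
    def __init__(self):
        self.tickets = {}  # ticket id -> (kind, user, service, proxy chain)

    def _issue(self, kind, user, service, chain=()):
        ticket = f"{kind}-{secrets.token_urlsafe(16)}"
        self.tickets[ticket] = (kind, user, service, chain)
        return ticket

    def login(self, username, password, service):
        """The organization's one login form; returns a service ticket (ST)."""
        if not hmac.compare_digest(USERS.get(username, b""), password.encode()):
            return None
        return self._issue("ST", username, service)

    def validate(self, ticket, service, pgt_url=None):
        """/serviceValidate or /proxyValidate: the app presents the ticket it got
        and learns who the user is. Tickets are single-use and service-bound."""
        entry = self.tickets.pop(ticket, None)
        if entry is None or entry[0] not in ("ST", "PT") or entry[2] != service:
            return None
        _, user, _, chain = entry
        result = {"user": user, "proxies": list(chain)}
        if pgt_url:  # app wants to act for the user -> proxy-granting ticket (PGT)
            # Real CAS delivers the PGT to pgt_url over HTTPS; returned inline here.
            result["pgt"] = self._issue("PGT", user, pgt_url, chain + (pgt_url,))
        return result

    def proxy(self, pgt, target_service):
        """/proxy: exchange a PGT for a proxy ticket (PT) for one backing service."""
        entry = self.tickets.get(pgt)
        if entry is None or entry[0] != "PGT":
            return None
        _, user, _, chain = entry
        return self._issue("PT", user, target_service, chain)

def portal_reads_mail(cas, username, password):
    """Portal logs the user in through CAS, then reaches mail with no password."""
    st = cas.login(username, password, "https://portal.example/")
    if st is None:
        return None
    who = cas.validate(st, "https://portal.example/", pgt_url="https://portal.example/pgtCallback")
    pt = cas.proxy(who["pgt"], "https://mail.example/")
    return cas.validate(pt, "https://mail.example/")  # mail app sees the proxy chain
```

The mail service learns both the user and the chain of proxies that acted for them, so it can decide per proxy whether to honour the request.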
CAS – More than Authentication
• Return attributes of logged on users
• Adding support for standards
– OpenID
– SAML
• Single Sign-Out
• RESTful API
• Support for clustering
• Services management
• Remember me (long-term SSO)
CAS Integration Libraries
• Java
• Spring Security
• PHP
• Apache Module
• ASP
• Python
• Ruby
• ...
• Drupal module
• uPortal
• Liferay
• Sakai
• TikiWiki
• ...
Unicon Services for CAS
• Implementation Planning
• Branding and User Experience
• Installation and Configuration
• Custom Development
• Consulting and Mentoring
• CASification of uPortal, Sakai, and other applications
• Upgrades
For more information, please visit
http://www.unicon.net/services/cas
Andrew Petro
apetro@unicon.net
www.unicon.net
Questions?
Shibboleth & Federated Identities
Shibboleth
Enterprise federated identity software
− Based on standards (principally SAML)
− Extensive architectural work to integrate with existing systems
− Designed for deployment by communities
Most widely used in education, government
Broadly adopted in Europe
2.0 release implements SAML 2
− Backward compatible with 1.3
Shibboleth Project
Free & Open Source
− Apache 2.0 license
Enterprise and Federation oriented
Started 2000 with first released code in 2003
Excellent community support
− http://shibboleth.internet2.edu
− shibboleth-announce@internet2.edu
Why Federated Identity?
Authoritative information
− Users, privileges, attributes
Improved security
− Fewer user accounts in the world
Privacy when needed
− Fine control over attribute sharing
Saves time & money
− Less work administrating users
What Is SAML?
Security Assertion Markup Language (SAML)
XML-based Open Standard
Exchange authentication and authorization data between security domains
− Identity Provider (a producer of assertions)
− Service Provider (a consumer of assertions)
Approved by OASIS Security Services
− SAML 1.0 November 2002
− SAML 2.0 March 2005
Major SAML Applications
Proquest
Project MUSE
Thomson Gale
Elsevier ScienceDirect
Google Apps
ExLibris MetaLib
Sakai & Moodle
uPortal
DSpace, Fedora
Ovid
Microsoft DreamSpark
Moodle, Joomla, Drupal
JSTOR, ArtSTOR, OCLC
Blackboard & WebCT
WebAssign & TurnItIn
MediaWiki / Confluence
National Institutes of Health
National Digital Science Library
How Federated Identity Works
A user tries to access a protected application
The user tells the application where it’s from
The user logs in at home
Home tells the application about the user
The user is rejected or accepted
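The five steps above in miniature, as an added example that is not from the slides: the user names a home organization, logs in at the IdP (the SP never sees the password), the IdP issues a signed assertion carrying an eduPersonAffiliation attribute, and the SP checks issuer trust, signature, audience, validity window and affiliation before accepting. A shared HMAC key stands in for the IdP's XML-Signature key pair; entity IDs, accounts and keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed data. In Shibboleth the SP learns trusted IdPs and their keys from
# federation metadata; here one shared HMAC key stands in for the IdP signature.
IDP = "https://idp.home.example/idp/shibboleth"
SP = "https://app.partner.example/shibboleth"
TRUSTED_IDPS = {IDP: b"constructed-idp-key"}
HOME_ACCOUNTS = {"jdoe": {"password": "pw-constructed",
                          "eduPersonAffiliation": ["member", "student"]}}

def idp_authenticate_and_assert(user, password, sp_entity_id, now):
    """Steps 3-4: the user logs in at home; home tells the application about
    the user. The password never leaves the IdP."""
    account = HOME_ACCOUNTS.get(user)
    if account is None or account["password"] != password:
        return None
    body = {"issuer": IDP, "audience": sp_entity_id, "subject": user,
            "not_on_or_after": now + 300,
            "attributes": {"eduPersonAffiliation": account["eduPersonAffiliation"]}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_IDPS[IDP], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}

def sp_consume(assertion, now, required_affiliation="member"):
    """Step 5: accept or reject. Each check is one the SP must not skip."""
    body = json.loads(assertion["payload"])
    key = TRUSTED_IDPS.get(body.get("issuer"))
    if key is None:
        return "rejected: issuer not in federation"
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "rejected: signature"
    if body["audience"] != SP:
        return "rejected: assertion meant for another SP"
    if now >= body["not_on_or_after"]:
        return "rejected: expired"
    if required_affiliation not in body["attributes"].get("eduPersonAffiliation", []):
        return "rejected: affiliation"
    return "accepted: " + body["subject"]

def federated_login(user, password, home_idp, now):
    """Steps 1-2, then the rest: the user arrives at the SP and names its home."""
    if home_idp not in TRUSTED_IDPS:
        return "rejected: unknown home organization"
    assertion = idp_authenticate_and_assert(user, password, SP, now)
    if assertion is None:
        return "rejected: login at home failed"
    return sp_consume(assertion, now)
```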
Role of a Federation
Agreed upon Attribute Definitions
− Group, Role, Unique Identifier, Courses, …
Criteria for IdM & IdP practices
− user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
Digital Certificates
Trusted “notary” for all members
Not needed for Federated IdM, but does make things even easier
InCommon Federation
Federation for U.S. Higher Education & Research (and Partners)
Over Three Million Users
163 Organizations
Self-organizing & Heterogeneous
Policy Entrance bar intentionally set low
Doesn’t impose lots of rules and standards
http://www.incommonfederation.org/
John Lewis
jlewis@unicon.net
www.unicon.net
Questions?