
uPortal and the Yale Central Authentication Service



  1. uPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June 21, 2004

  2. What’s coming up… • CAS overview • n-tier authentication problem • uPortal and CAS integration • CAS channel examples • Questions • Discussion

  3. CAS in a nutshell [diagram: the browser authenticates to CAS via password, once; CAS determines the validity of the user’s claimed authentication for the web application; the web application authenticates the user without the password ever being sent to it]

  4. How CAS Works [diagram: web browser, web application, CAS; the browser presents its NetID to CAS and is redirected to the web application with a service ticket (ST), which the application validates against CAS; labels ST, C]

  5. n-tier authentication problem [diagram: portal with several channels]

  6. n-tier authentication problem [diagram: password caching; the portal holds the user’s password (PW) and each channel replays it to its password-protected service]

  7. n-tier authentication problem • uPortal can authenticate users securely with CAS • But it does not know about users’ primary credentials • This is a good thing, except uPortal can’t impersonate the user in order to acquire secure data for the user

  8. CAS 2.0: Proxy CAS [diagram: web browser, web application with an https listener at its PGTURL, CAS; when the application validates the ST it supplies its PGTURL, CAS delivers the PGT to the listener and returns the PGTIOU in the validation response; labels NetID, ST, PGT, PGTIOU, C]

  9. CAS 2.0: Proxy CAS [diagram: the web application uses its PGT to obtain a proxy ticket (PT) from CAS, presents the PT to the back-end application, which validates the PT with CAS (learning the NetID and the proxy’s PGTURL) and returns data; labels NetID, PGTURL, PGT, PT, S]

  10. CAS Security Provider • Uses CAS for primary authentication • Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution • Exposes a public method to channels to get a proxy ticket for a particular service • Back-end systems must be configured to accept and validate proxy credentials from uPortal

  11. uPortal with CAS Provider [diagram: a channel calls getCasServiceToken on the CAS Security Context, which holds the user’s PGTIOU; the context calls getProxyTicket(pgtIou, service) on the CAS Ticket Receptor Servlet, which holds the PGT/PGTIOU pairs delivered to the PGTURL and obtains a PT from CAS; the channel presents the PT to its resource, which learns the username and the identity of the proxy (the portal)]
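The proxy flow of slides 8 to 11, worked through end to end as an added example. This is not Yale’s CAS server, the CAS client library or uPortal’s CAS Security Provider; it is a small in-process model in which the CAS server, the portal’s ticket receptor and the channel are Python objects and the HTTPS callback to the PGTURL is a direct function call. The hostnames (portal.example, mail.example, imap.example), the NetID and password, and the ticket formats are all constructed for the example. What it shows that the diagrams cannot: the password is checked only by CAS, a service ticket is consumed on its first validation attempt, a ticket is bound to the service it was issued for, and the proxy chain reported to the IMAP side lists the email servlet before the portal.

```python
import secrets


def _ticket(prefix):
    # Opaque, unguessable identifiers, as the CAS protocol requires.
    return prefix + secrets.token_urlsafe(16)


class CasServer:
    """In-memory stand-in for the CAS 2.0 server (constructed, not Yale's code)."""

    def __init__(self, users):
        self.users = users       # netid -> password (constructed test data)
        self.tickets = {}        # ST or PT -> (netid, service, proxy chain)
        self.pgts = {}           # PGT -> (netid, proxy chain)
        self.listeners = {}      # pgtUrl -> callable(pgt, pgtiou), stands in for the HTTPS callback

    def login(self, netid, password, service):
        # The password is checked here and nowhere else; applications only ever see tickets.
        if self.users.get(netid) != password:
            raise PermissionError("bad credentials")
        st = _ticket("ST-")
        self.tickets[st] = (netid, service, [])
        return st

    def _grant_pgt(self, netid, chain, pgt_url):
        # The PGT goes only to the pgtUrl listener; the validating application gets a
        # PGTIOU in the response and must pair the two (the ProxyTicketReceptor's job).
        listener = self.listeners.get(pgt_url)
        if listener is None:
            return None
        pgt, iou = _ticket("PGT-"), _ticket("PGTIOU-")
        self.pgts[pgt] = (netid, [pgt_url] + chain)   # chain: most recent proxy first
        listener(pgt, iou)
        return iou

    def proxy_validate(self, ticket, service, pgt_url=None, allow_proxy=True):
        """/proxyValidate; with allow_proxy=False it behaves like /serviceValidate."""
        entry = self.tickets.pop(ticket, None)        # every attempt consumes the ticket
        if entry is None or (not allow_proxy and ticket.startswith("PT-")):
            raise PermissionError("INVALID_TICKET")
        netid, bound_service, chain = entry
        if bound_service != service:                  # a ticket is bound to one service
            raise PermissionError("INVALID_SERVICE")
        iou = self._grant_pgt(netid, chain, pgt_url) if pgt_url else None
        return {"user": netid, "proxies": chain, "pgtIou": iou}

    def service_validate(self, ticket, service, pgt_url=None):
        return self.proxy_validate(ticket, service, pgt_url, allow_proxy=False)

    def proxy(self, pgt, target_service):
        """/proxy: mint a PT for target_service from a PGT."""
        netid, chain = self.pgts[pgt]
        pt = _ticket("PT-")
        self.tickets[pt] = (netid, target_service, chain)
        return pt


class ProxyingApp:
    """A CAS client that also proxies, like uPortal with the CAS Security Provider."""

    def __init__(self, cas, service_url, pgt_url):
        self.cas, self.service_url = cas, service_url
        self.pgt_url, self.pgt_by_iou, self.pgt_for = pgt_url, {}, {}
        cas.listeners[pgt_url] = lambda pgt, iou: self.pgt_by_iou.__setitem__(iou, pgt)

    def validate(self, ticket):
        resp = self.cas.proxy_validate(ticket, self.service_url, self.pgt_url)
        # Pair the PGTIOU from the response with the PGT delivered to the listener.
        self.pgt_for[resp["user"]] = self.pgt_by_iou.pop(resp["pgtIou"])
        return resp

    def get_proxy_ticket(self, netid, target_service):   # what a channel calls
        return self.cas.proxy(self.pgt_for[netid], target_service)


def run_three_tier_flow():
    """Browser -> uPortal -> email servlet -> IMAP; returns what each hop observed."""
    cas = CasServer({"dmazurek": "s3cret"})          # constructed credentials
    portal = ProxyingApp(cas, "https://portal.example/Login",
                         "https://portal.example/CasProxyServlet")
    servlet = ProxyingApp(cas, "https://mail.example/recent",
                          "https://mail.example/pgtCallback")
    imap, out = "imap://imap.example", {}
    st = cas.login("dmazurek", "s3cret", portal.service_url)   # password seen only by CAS
    out["portal_user"] = portal.validate(st)["user"]
    try:                                              # a replayed ST is refused
        cas.service_validate(st, portal.service_url)
        out["replay_rejected"] = False
    except PermissionError:
        out["replay_rejected"] = True
    pt = portal.get_proxy_ticket("dmazurek", servlet.service_url)
    out["servlet_chain"] = servlet.validate(pt)["proxies"]
    pt = servlet.get_proxy_ticket("dmazurek", imap)
    imap_view = cas.proxy_validate(pt, imap)         # the CAS PAM module's check
    out["imap_user"], out["imap_chain"] = imap_view["user"], imap_view["proxies"]
    try:                                              # a PT for IMAP fails for any other service
        cas.proxy_validate(servlet.get_proxy_ticket("dmazurek", imap), "https://other.example")
        out["wrong_service_rejected"] = False
    except PermissionError:
        out["wrong_service_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in run_three_tier_flow().items():
        print(f"{key}: {value}")
```

Two details of the model carry the security argument of the talk: the PGT is never returned in the validation response, only delivered to the registered PGTURL, so an attacker who can read the browser-facing exchange learns at most a PGTIOU; and every validation attempt pops the ticket, so a mis-addressed or replayed ticket is dead after one use. A real deployment also has to insist that the PGTURL is an HTTPS endpoint with a certificate CAS trusts, which the in-process callback here cannot show.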

  12. CAS, uPortal, and other applications at Yale • Simple service-ticket authentication • IMP webmail • Email Account Configuration Tool • Single-tier proxy-ticket authentication • Meeting Maker • Multi-tier proxy-ticket authentication • Recent Email Channel

  13. IMP Webmail https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552

  14. IMP Webmail

  15–17. IMP Webmail • User clicks on link in Recent Email channel • New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552 • IMP stores destination URL/message as session variable, and redirects the browser to CAS

  18–20. IMP Webmail • Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message • But how is the user authenticated to the IMAP server? • IMP normally wants to replay cached primary credentials

  21. IMP Webmail – CAS PAM module [diagram: IMP validates the ST with CAS and receives a PGT; IMP obtains a PT for the IMAP server; the CAS PAM module on the IMAP server validates the PT with CAS and learns the NetID and IMP’s proxy callback URL (unique ID)]

  22. Email Account Configuration Tool • Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management • CASified one year ago

  23–25. Email Account Configuration Tool • Linked in uPortal as: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main • Simple service ticket-only authentication • Takes advantage of single sign-on

  26. Email Account Configuration Tool https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main

  27. Email Account Configuration Tool

  28. Meeting Maker

  29. Meeting Maker • Meeting Maker, Inc. provides a Java API to access calendaring data • A Java servlet uses the API to retrieve data and provide an XML feed to the portal • The servlet doesn’t know about the user’s MM password – it uses a master MM server password to access the data

  30. Meeting Maker [diagram: uPortal validates the user’s ST with CAS, holds a PGT, and obtains a PT for the Meeting Maker Servlet; the servlet validates the PT with CAS (learning the NetID and the ProxyID), then reads the user’s MM data from the Meeting Maker Server using the MM admin password and returns it to uPortal as XML]

  31. Meeting Maker • Channel authentication performed through CAS Java Servlet filter (included in CAS client library) • uPortal’s CAS proxy callback URL configured in web application’s deployment descriptor:
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
        <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
      </init-param>
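What the authorizedProxy parameter above has to enforce, written out as an added example rather than the CAS filter’s own Java. The function parses a CAS 2.0 serviceValidate/proxyValidate XML response (namespace http://www.yale.edu/tp/cas, proxies listed most recent first) and applies the rule assumed here for the filter: a ticket presented by the browser directly is accepted, while a proxy ticket is accepted only if the immediate proxy is on the allow-list. The sample responses are constructed, not captured from Yale’s CAS; the portal callback URL is the one on the slide, and https://mail.example/pgtCallback is an invented callback for the email servlet of the later slides.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"          # namespace of CAS 2.0 XML responses


def _q(name):
    return f"{{{CAS_NS}}}{name}"                # Clark-notation qualified tag


def parse_validate_response(xml_text):
    """Parse a /serviceValidate or /proxyValidate response.
    Returns (user, proxies); proxies is the chain, most recent proxy first.
    Raises PermissionError carrying the CAS failure code on authenticationFailure."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("serviceResponse"):
        raise ValueError("not a cas:serviceResponse")
    failure = root.find(_q("authenticationFailure"))
    if failure is not None:
        raise PermissionError(failure.get("code", "UNKNOWN"))
    success = root.find(_q("authenticationSuccess"))
    if success is None:
        raise ValueError("response has neither success nor failure element")
    user = (success.findtext(_q("user")) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    proxies = [p.text.strip() for p in success.iterfind(f"{_q('proxies')}/{_q('proxy')}")
               if p.text and p.text.strip()]
    return user, proxies


def authorize(xml_text, authorized_proxies=frozenset()):
    """Apply the authorizedProxy rule (assumed semantics): a ticket the browser
    presented directly (empty chain) is accepted; a proxy ticket is accepted only
    if the immediate proxy, proxies[0], is on the allow-list. Returns a dict
    instead of raising so the caller can log the decision."""
    try:
        user, proxies = parse_validate_response(xml_text)
    except PermissionError as exc:
        return {"ok": False, "reason": f"CAS failure {exc}"}
    if proxies and proxies[0] not in authorized_proxies:
        return {"ok": False, "user": user, "reason": f"unauthorized proxy {proxies[0]}"}
    return {"ok": True, "user": user, "proxies": proxies}


# Constructed sample responses (not captured from Yale's CAS).
PORTAL_PROXIED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>dmazurek</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.yale.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

TWO_TIER = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>dmazurek</cas:user>
    <cas:proxies>
      <cas:proxy>https://mail.example/pgtCallback</cas:proxy>
      <cas:proxy>https://portal.yale.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

DIRECT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>dmazurek</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    portal_only = {"https://portal.yale.edu/CasProxyServlet"}
    print(authorize(PORTAL_PROXIED, portal_only))   # accepted: the Meeting Maker servlet's case
    print(authorize(TWO_TIER, portal_only))         # rejected: the immediate proxy is the email servlet
    print(authorize(DIRECT))                         # accepted: not proxied at all
    print(authorize(FAILED, portal_only))            # rejected: INVALID_TICKET
```

The same rule applies one hop down in the multi-tier case: the IMAP side’s allow-list names the email servlet’s callback URL, not the portal’s, because the servlet is the party that minted the ticket IMAP receives. A service that expects only service tickets should leave the allow-list empty, so that any proxy ticket is refused.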

  32. Recent Email Channel

  33. Recent Email Channel • Displays 10 most recent email messages • Multi-tier CAS proxy authentication • Same design as Meeting Maker • servlet pulls data from back-end source, returns as XML • Different authentication from MM • IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module

  34–36. Recent Email Channel [diagram build: uPortal validates the user’s ST with CAS, supplying its PGTURL, and receives a PGT (with PGTIOU); uPortal obtains a PT for the Email Servlet; the servlet validates the PT with CAS (learning the NetID and ProxyIDs), gets its own PGT, obtains a PT for the IMAP Server, and opens an IMAP session for the NetID; the messages come back to uPortal as XML]

  37. Recent Email Channel • Can’t use CAS filter because it must obtain proxy tickets to pass to IMAP • Uses the CAS ProxyTicketValidator for authentication (included with CAS client library) • getProxyTicket() • Current beta of CAS filter provides support for acquiring proxy tickets

  38. Summary • Simple CAS authentication • n-tier authentication problem • CAS’s solution: Proxy CAS • uPortal and CAS Security Provider

  39. Summary • uPortal, CAS, and other applications • Simple service ticket authentication • IMP Webmail • Email Account Configuration Tool • Single-layer proxy ticket authentication • Meeting Maker • Multi-layer proxy ticket authentication • Recent Email Channel

  40. Questions?

  41. For more information • Drew Mazurek <drew.mazurek@yale.edu> • CAS Web Site • http://www.yale.edu/tp/cas • CAS Mailing List • cas@tp.its.yale.edu • http://tp.its.yale.edu/mailman/listinfo/cas • This presentation • http://www.yale.edu/tp/cas/cas-jasig-2004.ppt • http://www.yale.edu/tp/cas/cas-jasig-2004.htm
