uPortal and the Yale Central Authentication Service
Drew Mazurek, ITS Technology & Planning, Yale University
JA-SIG Summer Conference ‘04, Denver, CO, June 21, 2004

What’s coming up…
• CAS overview
• n-tier authentication problem
• uPortal and CAS integration
• CAS channel examples
• Questions
• Discussion
CAS in a nutshell
[Diagram: browser, CAS, and web application, with three labelled arrows]
• Browser to CAS: authenticates via password (once)
• Web application to CAS: determines validity of user’s claimed authentication
• Browser to web application: authenticates without sending password
How CAS Works
[Diagram: web browser, web application, and CAS; the browser logs in to CAS with its NetID, carries a ticket (labelled ST) to the web application, and the web application validates that ticket with CAS; a further label C sits on the browser side]
n-tier authentication problem
[Diagram: portal and channel; the channel needs to reach a resource on the user’s behalf]
[Diagram: password caching; the portal holds the user’s password (PW) and each channel replays it to its own password-protected service]
n-tier authentication problem
• uPortal can authenticate users securely with CAS
• But it does not know about users’ primary credentials
• This is a good thing, except uPortal can’t impersonate the user in order to acquire secure data for the user
CAS 2.0: Proxy CAS
[Diagram: web browser, web application, and CAS; the web application validates the ST over an https listener, supplying a PGTURL, and receives a PGTIOU in the validation response while the PGT is delivered to the PGTURL]
[Diagram: the web application uses its PGT to obtain a PT from CAS for a back-end application; the back-end application validates the PT with CAS and returns data to the web application]
CAS Security Provider
• Uses CAS for primary authentication
• Uses the CAS ProxyTicketReceptor servlet included with CAS Client distribution
• Exposes a public method to channels to get a proxy ticket for a particular service
• Back-end systems must be configured to accept and validate proxy credentials from uPortal
uPortal with CAS Provider
[Diagram: a channel calls getCasServiceToken on the CAS Security Context, which calls getProxyTicket(pgtIou, service) on the CAS Ticket Receptor Servlet (holder of the PGT and PGT IOU obtained through the PGTURL); the resulting PT is presented to the channel resource, which learns the username and the identity of the proxy (portal)]
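To make the ticket types on the preceding slides concrete, here is an in-memory model of the CAS 2.0 exchanges (login, service ticket, proxy-granting ticket, proxy ticket) traced through the multi-tier path a channel takes: browser, uPortal, a back-end servlet, and finally a service such as IMAP. This is an added example, not Yale’s CAS server or client code; the service and callback URLs are constructed placeholders, and where a real CAS server delivers the PGT to the application’s pgtUrl over a separate HTTPS callback and returns only the PGTIOU, this offline model hands both back together so the flow fits in one process.

```python
"""Toy model of the CAS 2.0 ticket flow (added example, not Yale's CAS code)."""
import secrets

# Constructed placeholder identifiers, not Yale's real URLs.
PORTAL_SERVICE = "https://portal.example.edu/Login"              # uPortal's own service URL
PORTAL_CALLBACK = "https://portal.example.edu/CasProxyServlet"   # uPortal's pgtUrl
SERVLET_SERVICE = "https://mail.example.edu/recent-email"        # back-end servlet
SERVLET_CALLBACK = "https://mail.example.edu/proxy-callback"     # the servlet's pgtUrl
IMAP_SERVICE = "imap://imap.example.edu"                         # validated by a PAM-style check


class CasError(Exception):
    """Validation failure; the message mirrors CAS 2.0 failure codes."""


class ToyCas:
    def __init__(self, passwords):
        self._passwords = passwords   # constructed NetID -> password table
        self._tgts = {}               # TGT -> NetID (the browser's login session)
        self._tickets = {}            # ST or PT -> (NetID, bound service, proxy chain)
        self._pgts = {}               # PGT -> (NetID, proxy chain)

    def login(self, netid, password):
        """Primary authentication: the only exchange that ever carries the password."""
        if self._passwords.get(netid) != password:
            raise CasError("BAD_CREDENTIALS")
        tgt = "TGT-" + secrets.token_hex(8)
        self._tgts[tgt] = netid
        return tgt

    def service_ticket(self, tgt, service):
        """Browser presents its TGT and is sent back to `service` with an ST."""
        netid = self._tgts.get(tgt)
        if netid is None:
            raise CasError("NO_SESSION")
        st = "ST-" + secrets.token_hex(8)
        self._tickets[st] = (netid, service, [])
        return st

    def proxy_validate(self, ticket, service, pgt_url=None):
        """/proxyValidate: accept an ST or PT once, only for the service it was cut for.
        Returns (NetID, proxies, PGTIOU, PGT); proxies lists the most recent proxy first."""
        entry = self._tickets.pop(ticket, None)   # pop: every ticket is single-use
        if entry is None:
            raise CasError("INVALID_TICKET")
        netid, bound_service, chain = entry
        if bound_service != service:
            raise CasError("INVALID_SERVICE")
        pgt_iou = pgt = None
        if pgt_url is not None:                   # caller wants to proxy onward
            pgt = "PGT-" + secrets.token_hex(8)
            pgt_iou = "PGTIOU-" + secrets.token_hex(8)
            self._pgts[pgt] = (netid, [pgt_url] + chain)
        return netid, chain, pgt_iou, pgt

    def proxy(self, pgt, target_service):
        """/proxy: a PGT holder obtains a PT for one back-end service."""
        entry = self._pgts.get(pgt)
        if entry is None:
            raise CasError("BAD_PGT")
        netid, chain = entry
        pt = "PT-" + secrets.token_hex(8)
        self._tickets[pt] = (netid, target_service, chain)
        return pt


def recent_email_flow(cas, netid, password):
    """Trace browser -> uPortal -> servlet -> IMAP. Returns what the IMAP side's
    validation sees: (NetID, proxy chain, most recent proxy first)."""
    # 1. Browser logs in to CAS and is sent to uPortal with a service ticket.
    tgt = cas.login(netid, password)
    st = cas.service_ticket(tgt, PORTAL_SERVICE)
    # 2. uPortal validates the ST and supplies its proxy callback URL, so it
    #    receives a PGT (the role of the Ticket Receptor servlet).
    user, _, _, portal_pgt = cas.proxy_validate(st, PORTAL_SERVICE, pgt_url=PORTAL_CALLBACK)
    # 3. A channel asks for a PT for the servlet (the getCasServiceToken step).
    pt_for_servlet = cas.proxy(portal_pgt, SERVLET_SERVICE)
    # 4. The servlet validates that PT with its own callback and gets a PGT in turn.
    user2, _, _, servlet_pgt = cas.proxy_validate(pt_for_servlet, SERVLET_SERVICE,
                                                  pgt_url=SERVLET_CALLBACK)
    assert user == user2
    # 5. The servlet obtains a PT for IMAP and presents it in place of a password;
    #    the IMAP side validates it and learns the NetID plus the proxy chain.
    pt_for_imap = cas.proxy(servlet_pgt, IMAP_SERVICE)
    imap_user, proxies, _, _ = cas.proxy_validate(pt_for_imap, IMAP_SERVICE)
    return imap_user, proxies


if __name__ == "__main__":
    demo = ToyCas({"jdoe": "constructed-password"})
    print(recent_email_flow(demo, "jdoe", "constructed-password"))
```

Two properties of the model are the ones worth checking in a real deployment: a ticket validates exactly once and only for the service it was issued to (a ticket replayed or presented to another service fails), and the password appears only in step 1, so the servlet and the IMAP side never hold primary credentials, which is precisely what the password-caching design on the n-tier slides could not avoid.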
CAS, uPortal, and other applications at Yale
• Simple service-ticket authentication
  • IMP webmail
  • Email Account Configuration Tool
• Single-tier proxy-ticket authentication
  • Meeting Maker
• Multi-tier proxy-ticket authentication
  • Recent Email Channel
IMP Webmail
• User clicks on link in Recent Email channel
• New browser window opens, going to https://www.mail.yale.edu:8444/horde/imp/redirect_cas.php?url=mailbox.php%3Fview_message%3D97552
• IMP stores destination URL/message as session variable, and redirects the browser to CAS
IMP Webmail
• Upon return from CAS, IMP validates CAS service ticket and then shows the requested email message
• But how is the user authenticated to the IMAP server?
• IMP normally wants to replay cached primary credentials
IMP Webmail – CAS PAM module
[Diagram: IMP validates the ST with CAS and obtains a PGT, then a PT; it presents the PT to the IMAP server, whose CAS PAM module validates it with CAS and receives the NetID and IMP’s proxy callback URL (unique ID)]
Email Account Configuration Tool
• Configures aspects of Yale email accounts including mail forwarding, filtering, and spam management
• CASified one year ago
Email Account Configuration Tool
• Linked in uPortal as: https://secure.its.yale.edu/cas/login?service=https://config.mail.yale.edu/account-tool/main
• Simple service ticket-only authentication
• Takes advantage of single sign-on
Meeting Maker
• Meeting Maker, Inc. provides a Java API to access calendaring data
• A Java servlet uses the API to retrieve data and provide an XML feed to the portal
• The servlet doesn’t know about the user’s MM password – it uses a master MM server password to access the data
Meeting Maker
[Diagram: uPortal validates its ST with CAS (NetID, ProxyID, PGT) and obtains a PT for the Meeting Maker servlet; the servlet validates the PT with CAS, reads the user’s MM data from the Meeting Maker server using the MM admin password, and returns XML to uPortal]
Meeting Maker
• Channel authentication performed through CAS Java Servlet filter (included in CAS client library)
• uPortal’s CAS proxy callback URL configured in web application’s deployment descriptor:
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
      <param-value>https://portal.yale.edu/CasProxyServlet</param-value>
    </init-param>
Recent Email Channel
• Displays 10 most recent email messages
• Multi-tier CAS proxy authentication
• Same design as Meeting Maker
  • servlet pulls data from back-end source, returns as XML
• Different authentication from MM
  • IMAP server accepts CAS proxy tickets and validates them with the CAS PAM module
Recent Email Channel
[Diagram, built up over three slides: the browser’s ST is validated by uPortal, which supplies its PGTURL and ProxyID and holds a PGT; uPortal obtains a PT for the Email Servlet; the servlet validates the PT with CAS, receiving a PGTIOU and PGT of its own, and obtains a PT for the IMAP server; the IMAP server validates that PT with CAS, receiving the NetID and the ProxyIDs, and the servlet returns the IMAP session’s data to uPortal as XML]
Recent Email Channel
• Can’t use CAS filter because it must obtain proxy tickets to pass to IMAP
• Uses the CAS ProxyTicketValidator for authentication (included with CAS client library)
  • getProxyTicket()
• Current beta of CAS filter provides support for acquiring proxy tickets
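The authorizedProxy setting on the Meeting Maker slide and the proxy-chain check the IMAP side performs for the Recent Email channel both come down to the same step: parse the CAS 2.0 validation response and refuse a ticket whose proxy chain is not one you trust. The following is an added example of that check, not the Yale CAS client filter’s own code; the XML responses are constructed in the shape of the CAS 2.0 protocol (namespace http://www.yale.edu/tp/cas, proxies listed most recent first), the callback URLs are placeholders, and the `authorized_proxies` set plays the role of the filter’s `edu.yale.its.tp.cas.client.filter.authorizedProxy` parameter. The rule applied here (a direct service ticket is accepted; a proxied ticket is accepted only if its most recent proxy is trusted) is this example’s design, not a statement of the filter’s exact logic.

```python
"""Parse a CAS 2.0 /proxyValidate response and enforce an authorized-proxy list.
Added example, not the Yale CAS client's own filter code."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed placeholder callback URLs (the pgtUrl of each proxying tier).
PORTAL_PROXY = "https://portal.example.edu/CasProxyServlet"
SERVLET_PROXY = "https://mail.example.edu/proxy-callback"


class CasValidationError(Exception):
    """Carries the CAS failure code, or this module's own UNAUTHORIZED_PROXY."""


def parse_validation_response(xml_text):
    """Return (user, proxies) from a CAS 2.0 response; proxies are most recent first.
    Raises CasValidationError with the server's code on authenticationFailure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("MALFORMED_RESPONSE")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise CasValidationError("MALFORMED_RESPONSE")
    proxies = [p.text.strip()
               for p in success.iterfind("cas:proxies/cas:proxy", CAS_NS) if p.text]
    return user, proxies


def proxy_chain_allowed(proxies, authorized_proxies, require_proxy=False):
    """A direct ST (empty chain) passes unless require_proxy is set; a proxied
    ticket passes only if the most recent proxy (proxies[0]) is trusted. Earlier
    entries are that proxy's responsibility: it ran the same check on its own ticket."""
    if not proxies:
        return not require_proxy
    return proxies[0] in authorized_proxies


def authenticate(xml_text, authorized_proxies, require_proxy=False):
    """The check a back-end (servlet or IMAP side) runs on the validator's response.
    Returns the NetID or raises CasValidationError."""
    user, proxies = parse_validation_response(xml_text)
    if not proxy_chain_allowed(proxies, authorized_proxies, require_proxy):
        raise CasValidationError("UNAUTHORIZED_PROXY")
    return user


# Constructed sample responses in CAS 2.0 format.
SINGLE_TIER_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

MULTI_TIER_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://mail.example.edu/proxy-callback</cas:proxy>
      <cas:proxy>https://portal.example.edu/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket PT-constructed-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(authenticate(SINGLE_TIER_OK, {PORTAL_PROXY}))   # Meeting Maker servlet's view
    print(authenticate(MULTI_TIER_OK, {SERVLET_PROXY}))   # IMAP side's view
```

The single-tier response is what the Meeting Maker servlet sees (uPortal is the only proxy); the multi-tier response is what the IMAP side sees for the Recent Email channel, with the Email Servlet first and uPortal behind it. A response whose first proxy is not on the list is rejected even though the user authenticated successfully, which is the point of configuring authorizedProxy at all.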
Summary
• Simple CAS authentication
• n-tier authentication problem
• CAS’s solution: Proxy CAS
• uPortal and CAS Security Provider
• uPortal, CAS, and other applications
  • Simple service ticket authentication
    • IMP Webmail
    • Email Account Configuration Tool
  • Single-layer proxy ticket authentication
    • Meeting Maker
  • Multi-layer proxy ticket authentication
    • Recent Email Channel
For more information
• Drew Mazurek <drew.mazurek@yale.edu>
• CAS Web Site
  • http://www.yale.edu/tp/cas
• CAS Mailing List
  • cas@tp.its.yale.edu
  • http://tp.its.yale.edu/mailman/listinfo/cas
• This presentation
  • http://www.yale.edu/tp/cas/cas-jasig-2004.ppt
  • http://www.yale.edu/tp/cas/cas-jasig-2004.htm