external identity and authentication providers for apache
play

External Identity and Authentication Providers For Apache HTTP - PowerPoint PPT Presentation

Aug 30, 2023 •169 likes •393 views

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

  1. External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014

  2. Basic Authentication ■ The only authentication option in 1996 when HTTP 1.0 came out. ■ To remind you what it looked (looks) like: ■ Status code 401 Unauthorized. It means either ■ no authentication was attempted; ■ the [login, password] pair supplied with the HTTP request in the Authorization header was wrong. Basic Authentication Jan Pazdziora 2 / 21

  3. Basic Authentication: Pros ■ Access protection for static content as well. ■ Completely handled via HTTP server configuration. ■ No logic needed in the content (in CGI). ■ User identifier can be consumed in CGI scripts via REMOTE_USER environment variable. ■ Similar mechanisms used for other execution frameworks. ■ Or dedicated method calls ( request.getRemoteUser() ). ■ Various authentication providers emerged, including databases and LDAP lookups. Basic Authentication Jan Pazdziora 3 / 21

  4. Basic Authentication: Cons ■ One 401 status for both "please enter login and password" and "you probably mistyped password" situations. ■ Suboptimal UI in browsers: one popup window type, ending loop with Cancel, no logout (forget credentials) functionality. ■ Optional authentication hard to achieve. ■ Nothing beyond [login, password]. ■ Digest introduced by HTTP 1.1 did not address either concern. Basic Authentication Jan Pazdziora 4 / 21

  5. Authentication in applications ■ Basic Authentication was used heavily. ■ But developers and users wanted more. ■ Especially better control and user experience. Authentication in applications Jan Pazdziora 5 / 21

  6. Cookie-based sessions ■ Codified ex-post, based on real-life implementations in browsers. ■ Originally intended for small customizations and user preferences. ■ Cornerstone of authentication in today's web applications. ■ Applications handle logon form POST submissions or other authentication process, including anonymous users. ■ Applications create sessions internally, HTTP response carries Set- Cookie header with session identification. ■ Cookie sent by browser with each subsequent HTTP request in the Cookie header. ■ The authentication decision has moved to applications completely. ■ Applications manage their own (DB) schemas of users, groups, roles. ■ Who remembers REMOTE_USER ? Who needs REMOTE_USER ? Authentication in applications Jan Pazdziora 6 / 21

  7. GSSAPI/SPNEGO/Kerberos/Negotiate ■ Server's 401 HTTP response contains WWW-Authenticate: Negotiate . ■ Browser tries to get Kerberos service ticket and use the GSSAPI data in Authorization header. ■ No prompting. (But no confirmation either.) Effectively, single-sign-on. ■ In Apache supported by mod_auth_kerb, outside of application. ■ Application might not have access to the keytab needed to verify the GSSAPI data. ■ Application gets the authentication result. REMOTE_USER re-emerges. ■ http://www.ietf.org/rfc/rfc4178.txt ■ http://www.ietf.org/rfc/rfc4559.txt ■ Cookies still useful — you want to avoid negotiate on each request. Authentication in applications Jan Pazdziora 7 / 21

  8. Other mechanisms ■ Other authentication mechanisms might need to use credentials and storage that HTTP server (Apache) has access to but the application does not. ■ SSL client authentication. ■ Security Assertion Markup Language (SAML). ■ There can be additional checks about account's validity (PAM). ■ They all might or might not be needed (supported, enabled, configured) in a particular deployment of each web application. ■ Is it time to move the authentication decision back in front of the web application? ■ Bring back REMOTE_USER ? Authentication in applications Jan Pazdziora 8 / 21

  9. Overview of existing modules Authentication Method Apache Authentication Module Pure Application Level None Kerberos SSO (ticket) mod_auth_kerb SAML-Based mod_auth_mellon mod_nss Certificate-Based mod_ssl Module overview Jan Pazdziora 9 / 21

  10. New life for GSSAPI/Kerberos ■ Module mod_auth_gssapi by Simo Sorce. ■ Replacement of mod_auth_kerb using only GSSAPI calls. ■ Original mod_auth_kerb configuration: LoadModule auth_kerb_module modules/mod_auth_kerb.so AuthType Kerberos KrbMethodNegotiate On KrbMethodK5Passwd Off KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/http.keytab ■ With mod_auth_gssapi: LoadModule auth_gssapi_module modules/mod_auth_gssapi.so AuthType GSSAPI GssapiCredStore keytab:/etc/http.keytab ■ Recent MIT krb5 and Apache HTTP server 2.4 needed. GSSAPI Jan Pazdziora 10 / 21

  11. System Security Services Daemon ■ Authentication and identity services on operating system level. ■ Host-based access control (HBAC) when used with IPA server. Individual users Hosts Services or user groups or host groups (ssh, ftp, sudo, ...) Mix them into rules sssd can consult IPA to check access ■ IPA is centralized identity, authentication, and authorization provider. ■ Other access control schemes possible, depending on the identity source against which sssd is configured. ■ Module pam_sss.so makes sssd services available via PAM. sssd Jan Pazdziora 11 / 21

  12. PAM for Web applications ■ Apache module mod_authnz_pam . For 2.2 and 2.4. ■ PAM-based authorization of users authenticated by other modules. ■ Replace requires valid-user with requires pam-account <PAM-service-name> ■ Configure /etc/pam.d/<PAM-service-name> . ■ With pam_sss.so and sssd against IPA, HBAC check will be done. ■ HBAC service name has to match the PAM service name. ■ Use any service name you want: crm-prod, wiki-test, intranet, ... ■ Especially useful for SSO that should not reach applications. ■ Use as Basic Authentication provider also possible: AuthBasicProvider PAM AuthPAMService tlwiki PAM for Web applications Jan Pazdziora 12 / 21

  13. PAM for applications' logon forms ■ Provided by Apache server: mod_intercept_form_submit . Logon form submission ↓ Module intercepts the POST HTTP request PAM auth is run with [login, password] pair (when found) Module Authentication passes Authentication fails REMOTE_USER EXTERNAL_AUTH_ERROR is set to login is set to PAM message Gets chance to Application Consumes REMOTE_USER authenticate internally PAM for Web applications Jan Pazdziora 13 / 21

  14. PAM for apps' logon forms (cont'd) ■ No 401 status ever. ■ Uses mod_authnz_pam internally. ■ The same look of the logon screen, authenticating against central identity provider. <Location /app/login> InterceptFormLogin user_fld InterceptFormPassword passwd_fld InterceptFormPAMService <PAM-service-name> </Location> PAM for Web applications Jan Pazdziora 14 / 21

  15. New modules Apache Modules Authentication Method Authentication Access Check Application None mod_auth_kerb GSSAPI/Kerberos mod_auth_gssapi SAML mod_auth_mellon mod_authnz_pam mod_nss Certificate mod_ssl Form-Based mod_intercept_form_submit Module overview Jan Pazdziora 15 / 21

  16. Additional user information ■ Web applications nowadays need more than just login name. ■ Additional attributes for nice user experience, as well as authorization. ■ Email address, full name, phone number, ... ■ Group membership. ■ For centrally-managed users, these should come from the central identity provider. ■ Especially when applications autocreate user records. ■ Module mod_lookup_identity uses D-Bus interface of SSSD to retrieve additional data about authenticated users. User attributes and groups Jan Pazdziora 16 / 21

  17. Additional user information (cont'd) ■ Proposing other environment variables beyond REMOTE_USER : ■ REMOTE_USER_EMAIL , REMOTE_USER_FULLNAME , ... ■ REMOTE_USER_GROUPS , REMOTE_USER_GROUP_N , REMOTE_USER_GROUP_1 , ... LookupUserAttr mail REMOTE_USER_EMAIL " " LookupUserAttr givenname REMOTE_USER_FIRSTNAME LookupUserAttr sn REMOTE_USER_LASTNAME LookupUserGroupsIter REMOTE_USER_GROUP LookupOutputGroups REMOTE_USER_GROUPS : User attributes and groups Jan Pazdziora 17 / 21

  18. Module overview Apache Modules Authn Method Authentication Access Check Extra User Info Application None mod_auth_kerb GSSAPI mod_auth_gssapi SAML mod_auth_mellon mod_authnz_pam mod_lookup_identity mod_nss Certificate mod_ssl Form mod_intercept_form_submit User attributes and groups Jan Pazdziora 18 / 21

  19. External authentication in applications ■ Web applications should re-learn to accept REMOTE_USER . ■ Some changes to support the external authentication and identity are typically needed in application code. ■ The reward is much richer matrix of possible deployments. ■ Use of the same HBAC mechanism that enterprises use for OS. ■ Already implemented: ■ Spacewalk ■ Foreman ■ ManageIQ ■ Django being investigated. Consuming external authentication Jan Pazdziora 19 / 21

  20. Conclusion ■ PAM for access to central authentication provider. ■ New variables for additional REMOTE_USER_* attributes. ■ Can we agree on variable names? Less work for application developers. ■ By no means should applications drop their existing functionality that served them well, this is merely an additional possibility. ■ Your favorite application or framework not supporting REMOTE_USER_* ? ■ While we might not be able to add the feature ourselves, we will be happy to help people. ■ Explore the modules, let us know what you think. Conclusion Jan Pazdziora 20 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C

Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C

Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C s WS on Identity in the Browser tle pt 24-5th May 11 Mountain View, CA, USA Mobile Provided Identity Authentication itle on the Web pt

298 views • 13 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York

User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York

User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York University Identity Identity and Authentication What is identity? A computers representation of an unique entity (principal). What is

675 views • 56 slides
Outline Authentication and Identity Management Authentication Computer Security: Security at

Outline Authentication and Identity Management Authentication Computer Security: Security at

Authentication and Identity Management Authentication and Identity Management Operating System and Network Security Operating System and Network Security Cyber war and terrorism Radboud University Nijmegen Cyber war and terrorism Radboud

590 views • 9 slides
IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication http://www.httpwatch.com/httpgallery/authentication/ http://httpd.apache.org/docs/2.2/howto/auth.html Outline HTTP Basic Authentication HTTP Digest Authentication 1

349 views • 8 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a

Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a

Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
What's New in Apache Syncope 1.2.0 Dr. Colm higeartaigh Speaker Introduction 11/14/14 2

What's New in Apache Syncope 1.2.0 Dr. Colm higeartaigh Speaker Introduction 11/14/14 2

What's New in Apache Syncope 1.2.0 Dr. Colm higeartaigh Speaker Introduction 11/14/14 2 Introduction to Apache Syncope Apache Syncope basics Identity Management solution at Apache Can retrieve and store users/roles/etc from/in

920 views • 25 slides
CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Apache Basic Authentication Log Analysis Security Issues Discussions

803 views • 51 slides
Recognize people by the way they type Typing Biometrics Authentication Cybercrime &amp; identity

Recognize people by the way they type Typing Biometrics Authentication Cybercrime &amp; identity

Typing Biometrics Authentication Recognize people by the way they type Typing Biometrics Authentication Cybercrime &amp; identity theft 17 million victims $30 billion / year Typing Biometrics Authentication The way you type is unique Typing

143 views • 10 slides
Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

Radboud University Nijmegen Radboud University Nijmegen Authentication and Identity Management Authentication and Identity Management Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

405 views • 5 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
3-509

3-509

3-509 liuzhen@sjtu.edu.cn 1 Authentication and Key Exchange 2 Authentication Alice proves her identity to Bob Alice and Bob can be humans or

524 views • 23 slides
SY306 Web and Databases for Cyber Operations SlideSet #21: HTTP Authentication

SY306 Web and Databases for Cyber Operations SlideSet #21: HTTP Authentication

SY306 Web and Databases for Cyber Operations SlideSet #21: HTTP Authentication http://www.httpwatch.com/httpgallery/authentication/ http://httpd.apache.org/docs/2.2/howto/auth.html Outline HTTP Basic Authentication HTTP Digest

226 views • 8 slides
Creating an Amendment in 2 Start the Amendment in webIRB 1. When creating an amendment in

Creating an Amendment in 2 Start the Amendment in webIRB 1. When creating an amendment in

Creating an Amendment in 2 Start the Amendment in webIRB 1. When creating an amendment in webIRB, indicate if any radiation procedures will be added or changed. If Yes is indicated, a radiation review will be required. 2. When the webIRB

463 views • 10 slides
Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Web Security: Overview of other security risks OWASP Top 10

1.25k views • 64 slides
Introduction to the Phone System Session Objectives Logging on/ofg fg Using the handset

Introduction to the Phone System Session Objectives Logging on/ofg fg Using the handset

Introduction to the Phone System Session Objectives Logging on/ofg fg Using the handset (T21 &amp; T27) Receiving, holding, transferring calls Making internal/external calls Using the Soft Phone Colleague availability on

878 views • 52 slides
802.1X &amp; EAP &amp; Keying State Machines and Interfaces Jim Burns Paul Congdon Nick

802.1X &amp; EAP &amp; Keying State Machines and Interfaces Jim Burns Paul Congdon Nick

802.1X &amp; EAP &amp; Keying State Machines and Interfaces Jim Burns Paul Congdon Nick Petroni John Vollbrecht March 2003 IEEE 802 Plenary, Dallas TX 1 The Working Groups Several specifications MUST align to enable a working

436 views • 21 slides
Reconfigurable and Homepage: http://ces.itec.kit.edu/teaching/ you can also find the slides

Reconfigurable and Homepage: http://ces.itec.kit.edu/teaching/ you can also find the slides

Organisation Institut fr Technische Informatik Chair for Embedded Systems - Prof. Dr. J. Henkel Lecture time: Mi., 15.45 - 17.15 Vorlesung im SS 2014 Bld. 50.34, HS -102 Reconfigurable and Homepage: http://ces.itec.kit.edu/teaching/

418 views • 8 slides
Shibboleth &amp; Grid Integration STFC and University of Oxford (and University of Manchester)

Shibboleth &amp; Grid Integration STFC and University of Oxford (and University of Manchester)

Shibboleth &amp; Grid Integration STFC and University of Oxford (and University of Manchester) Acknowledgements Slides by David Spence ShibGrid (University of Oxford + STFC) SARoNGS (STFC, University of Oxford, University of

652 views • 23 slides
NSW Health Mandatory Training Modules In 2017, NSW Health introduced Mandatory Training Modules .

NSW Health Mandatory Training Modules In 2017, NSW Health introduced Mandatory Training Modules .

NSW Health Mandatory Training Modules In 2017, NSW Health introduced Mandatory Training Modules . There are 5 modules that all UON students undertaking healthcare placements in NSW Health facilities must complete. These include:

338 views • 6 slides
NIFA Reporting Web Conference December 14, 2017 Start Recording Adam Preuter Adam is

NIFA Reporting Web Conference December 14, 2017 Start Recording Adam Preuter Adam is

NIFA Reporting Web Conference December 14, 2017 Start Recording Adam Preuter Adam is the Lead for the State Plan of Work and Annual Report process as well as the business lead for the REEport system management and development.

617 views • 38 slides

More recommend