Integration of N-tiers application Using CAS Single Sign On system - - PowerPoint PPT Presentation


Integration of N-tiers application Using CAS Single Sign On system with a webmail application, Horde K.U.Leuven Association velpi@groupt.be http://shib.kuleuven.be Integration of N-tiers application http://associatie.kuleuven.be/


SLIDE 1

Integration of N-tiers application
Using CAS Single Sign On system with a webmail application, Horde

K.U.Leuven Association velpi@groupt.be http://shib.kuleuven.be

SLIDE 2

Integration of N-tiers application velpi@groupt.be 2

http://associatie.kuleuven.be/

SLIDE 3

Integration of N-tiers application (agenda)

  • Introducing CAS
  • Proxy CAS
  • login scenario
  • Implementing proxy CAS
  • Beyond...

SLIDE 4

Introducing CAS: the project

  • Originally developed by Yale University
  • JA-SIG project since December 2004

http://www.ja-sig.org/products/cas/

SLIDE 5

Introducing CAS: the technology

  • Originally open-source WebISO
  • Loosely based on Kerberos *model*
  • Server: Java & Spring framework
  • Client: lots of implementations + libs available (with source)

SLIDE 6

Introducing CAS: the protocol

XML

http://www.ja-sig.org/products/cas/overview/protocol/index.html

SLIDE 7

Introducing CAS: N-tiers

Proxy CAS

http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough

SLIDE 8

Proxy CAS: the problem space

  • Passwords are passing all “clients”
  • Credentials have to be cached
  • Caching has to be done in plain text

SLIDE 9

Proxy CAS: a solution

  • One-time “passwords”
  • Passwords are replaced by “tickets”
  • One-time=request new for next authN

SLIDE 10

Integration of N-tiers application (section divider; agenda as on slide 3)

SLIDE 11

login scenario

Diagram: BROWSER

  • BROWSER: cookies enabled

SLIDE 12

login scenario

Diagram: CAS SERVER, BROWSER

  • CAS: a trusted arbiter of authenticity

SLIDE 13

login scenario

Diagram: CAS SERVER, BROWSER, Horde / IMP with phpCAS CLIENT, IMAP PROXY

  • Service: webapp that authenticates users via CAS
  • Proxy: service that wants to access other services on behalf of a particular user

(diagram annotation: Performance enhancement)

SLIDE 14

login scenario

Diagram: CAS SERVER, BROWSER, Horde / IMP with phpCAS CLIENT, IMAP SERVER, IMAP PROXY, PAM with PAM_CAS

  • Target (back-end service): service that accepts proxied credentials from at least one particular proxy

SLIDE 15

login scenario: the players

  • CAS: a trusted arbiter of authenticity
  • Service: webapp that authenticates users via CAS
  • Proxy: service that wants to access other services on behalf of a particular user
  • Target (back-end service): service that accepts proxied credentials from at least one particular proxy

Diagram labels: Horde IMP IMAP CAS

SLIDE 16

login scenario

Sequence diagram participants: CAS SERVER, BROWSER, Horde / IMP with phpCAS CLIENT, IMAP SERVER, IMAP PROXY, PAM with PAM_CAS

SLIDE 17

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: HTTP REQ / (PHP-SESSION)

SLIDE 18

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (+TGC) / (PHP-SESSION)

SLIDE 19

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) (+TGC) / (PHP-SESSION) / (LT) (LT)

SLIDE 20

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST (+TGC) (SET TGC) / (PHP-SESSION) / (LT) (LT)

SLIDE 21

login scenario: Credentials OR TicketGrantingCookie (TGC) response

Redirect to: http://webmail.mydomain.org/?ticket=TICKET

eg TICKET=ST-38815-m09bXdf770aEJfq9VsotayLh6OyE0MoovLM-20

SLIDE 22

login scenario

(sequence diagram repeated unchanged from slide 20)

SLIDE 23

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST S1 ST (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL pgt-url ok? (LT) (LT)

SLIDE 24

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST S1 ST (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL PGT PGTIOU pgt-url ok? (LT) (LT)

SLIDE 25

login scenario: ServiceTicket (ST) validation 1/2

CAS server requests: http://webmail.mydomain.org/casProxy.php?pgtIou=PGTIOU&pgtId=PGT

eg PGT=TGT-38815-m09bXdf770aEJfq9VsotayLh6OyE0MoovLM-20

SLIDE 26

login scenario

(sequence diagram repeated unchanged from slide 24)

SLIDE 27

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST S1 NETID PGTIOU ST (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL PGT PGTIOU pgt-url ok? (LT) (LT)

SLIDE 28

login scenario: ServiceTicket (ST) validation 2/2

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>NetID</cas:user>
        <cas:proxyGrantingTicket>PGTIOU</cas:proxyGrantingTicket>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

SLIDE 29

login scenario

(sequence diagram repeated unchanged from slide 27)

SLIDE 30

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST PT S1 NETID PGTIOU S2 PGT ST (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL PGT PGTIOU pgt-url ok? PT (LT) (LT)

SLIDE 31

login scenario: ProxyGrantingTicket (PGT) response

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:proxySuccess>
        <cas:proxyTicket>PT</cas:proxyTicket>
      </cas:proxySuccess>
    </cas:serviceResponse>

SLIDE 32

login scenario

(sequence diagram repeated unchanged from slide 30)

SLIDE 33

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST PT S1 NETID PGTIOU S2 PGT PT (PT) ST (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL PGT PGTIOU pgt-url ok? NETID NETID PT (LT) (LT)

SLIDE 34

login scenario

(sequence diagram repeated unchanged from slide 33)

SLIDE 35

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST PT S1 NETID PGTIOU S2 PGT PT S2 NETID PT (PT) ST (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL PGT PGTIOU pgt-url ok? =? NETID NETID S1(proxy[]) PT (LT) (LT)

SLIDE 36

login scenario: ProxyTicket (PT) validation

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>NetID</cas:user>
        <cas:proxyGrantingTicket>PGTIOU</cas:proxyGrantingTicket>
        <cas:proxies>
          <cas:proxy>proxy1</cas:proxy>
          <cas:proxy>proxy2</cas:proxy>
          ...
        </cas:proxies>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
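The three XML documents on slides 28, 31 and 36 are what a CAS client has to parse, and the "=?" / S1(proxy[]) step on slide 35 is the back end deciding whether the proxy chain in that answer is one it trusts. The following Python is an added example, not code from the presentation, from phpCAS or from pam_cas: it parses the cas:serviceResponse shapes shown above with the standard library and applies the proxy-chain check. The function names, the allowed-proxy set and the three sample responses are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by the cas:serviceResponse documents shown on the slides
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_ROOT = "{http://www.yale.edu/tp/cas}serviceResponse"

def parse_cas_response(xml_text):
    """Parse a CAS 2.0 serviceResponse from /serviceValidate, /proxyValidate or /proxy.

    Returns a dict with "ok" plus, on success, "user", "pgtiou" and "proxies"
    (validation responses) or "pt" (proxy responses); on failure, "error" holds
    the code attribute of the failure element."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_ROOT:
        raise ValueError("not a cas:serviceResponse document")

    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)
                   if p.text]
        return {
            "ok": True,
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            "pgtiou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
            "proxies": proxies,   # empty for a plain ST validation, the chain for a PT
        }

    proxy_success = root.find("cas:proxySuccess", CAS_NS)
    if proxy_success is not None:
        return {"ok": True, "pt": proxy_success.findtext("cas:proxyTicket", namespaces=CAS_NS)}

    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is None:
        failure = root.find("cas:proxyFailure", CAS_NS)
    return {"ok": False, "error": failure.get("code") if failure is not None else "UNKNOWN"}


def accept_proxied_user(response, allowed_proxies):
    """The back end's '=?' / S1(proxy[]) step from slide 35: take the NetID only when
    validation succeeded and every proxy in the chain is one this back end trusts.
    Returns the NetID to log in, or None to reject."""
    if not response.get("ok") or not response.get("user"):
        return None
    if any(p not in allowed_proxies for p in response.get("proxies", [])):
        return None
    return response["user"]


# Constructed sample responses, following the shapes on slides 28, 31 and 36.
PT_VALIDATION = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>NetID</cas:user>
    <cas:proxyGrantingTicket>PGTIOU</cas:proxyGrantingTicket>
    <cas:proxies>
      <cas:proxy>http://webmail.mydomain.org/casProxy.php</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

PROXY_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-1-nFBuJY5SdWiuSvb3BPxn</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    validated = parse_cas_response(PT_VALIDATION)
    print(accept_proxied_user(validated, {"http://webmail.mydomain.org/casProxy.php"}))  # NetID
    print(accept_proxied_user(validated, {"http://other.example/"}))                      # None
    print(parse_cas_response(PROXY_RESPONSE)["pt"])
    print(parse_cas_response(FAILURE_RESPONSE)["error"])
```

The allowed-proxy set is the same idea as the allowedServices configuration mentioned on slide 51: a PT validates cryptographically regardless of who proxied it, so the decision of which proxies may speak for a user is the back end's own policy, not something the CAS server enforces on its behalf.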

SLIDE 37

login scenario

(sequence diagram repeated unchanged from slide 35)

SLIDE 38

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST PT S1 NETID PGTIOU S2 PGT PT S2 NETID PT (PT) persistent connection ST imap (+TGC) (SET TGC) / (PHP-SESSION) / PGT-URL PGT PGTIOU pgt-url ok? =? NETID NETID S1(proxy[]) PT (LT) (LT)

SLIDE 39

login scenario

Sequence diagram (build step; participants as on slide 16). Labels shown: S1 HTTP REQ (LOGIN PAGE) (CREDENTIALS) ST PT S1 NETID PGTIOU S2 PGT HTTP RESP PT S2 NETID PT (PT) persistent connection ST imap (+TGC) (SET TGC) / (PHP-SESSION) PHP-SESSION / PGT-URL PGT PGTIOU pgt-url ok? =? NETID NETID S1(proxy[]) PT (LT) (LT)

SLIDE 40

login scenario

Sequence diagram (subsequent request; participants as on slide 16). Labels shown: HTTP REQ HTTP RESP PT persistent connection imap / (PHP-SESSION) PHP-SESSION / NETID

SLIDE 41

login scenario

Sequence diagram (subsequent request; participants as on slide 16). Labels shown: HTTP REQ S2 PGT HTTP RESP PT S2 NETID PT PT persistent connection imap / (PHP-SESSION) PHP-SESSION / =? NETID NETID S1(proxy[]) PT

SLIDE 42

Tickets...

  • LT: Login Ticket – timeout for login page: if user typed password but didn't press login
  • TGC: Ticket Granting Cookie – browser cookie with CAS-server: Single Sign On (https; host scope!)
  • ST: Service Ticket – CAS->service using browser get, user+service specific, validated
  • PGT: Proxy Granting Ticket – CAS->service directly using https, user+service specific
  • PGTIOU: Proxy Granting Ticket IOU – also sent with PGT so webapp can correlate with netID
  • PT: Proxy Ticket – CAS->proxy->backend ~ password, user(+proxy)+service2 specific
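Slide 9 states the design goal (passwords replaced by one-time, service-specific tickets) and this slide lists the ticket types that realise it. The following Python is an added example, not code from the presentation or from the JA-SIG CAS server: a constructed in-memory stand-in for the CAS server that issues and consumes TGC, ST, PGT/PGTIOU and PT exactly along the login scenario of slides 17 to 41, so that the two properties that make tickets safer than cached passwords can be checked directly: each ST and PT validates once only, and only at the service it was issued for. ToyCasServer, demo_flow, the service names and the ticket format are all assumptions of the example.

```python
import secrets
from dataclasses import dataclass, field


class CasError(Exception):
    """Raised when a ticket is missing, already used, or bound to another service."""


@dataclass
class ToyCasServer:
    """Constructed in-memory stand-in for the CAS server (not the JA-SIG implementation).
    Models the ticket types from the 'Tickets...' slide: TGC, ST, PGT/PGTIOU, PT."""
    tgts: dict = field(default_factory=dict)   # TGC value -> netid (the SSO session)
    sts: dict = field(default_factory=dict)    # ST -> (netid, service)
    pgts: dict = field(default_factory=dict)   # PGT -> (netid, proxy service, proxy chain)
    pts: dict = field(default_factory=dict)    # PT -> (netid, target service, proxy chain)
    pgt_callbacks: list = field(default_factory=list)  # (pgtUrl, pgtIou, pgtId) "sent" over https

    @staticmethod
    def _ticket(prefix):
        # Constructed ticket shape; real ones look like ST-38815-m09bXdf770aEJfq9VsotayLh6OyE0MoovLM-20
        return f"{prefix}-{secrets.randbelow(100000)}-{secrets.token_urlsafe(24)}"

    def login(self, netid, password, service):
        """Credentials submitted on the login page: returns (TGC to set, ST for the redirect)."""
        if not password:                       # stand-in for the real authentication backend
            raise CasError("bad credentials")
        tgc = self._ticket("TGC")
        self.tgts[tgc] = netid
        return tgc, self.issue_st(tgc, service)

    def issue_st(self, tgc, service):
        """Browser presents its TGC (SSO): a fresh, service-specific ST, no password re-entered."""
        netid = self.tgts.get(tgc)
        if netid is None:
            raise CasError("no SSO session for this TGC")
        st = self._ticket("ST")
        self.sts[st] = (netid, service)
        return st

    def service_validate(self, st, service, pgt_url=None):
        """/serviceValidate: the ST is one-time and bound to the service that received it."""
        netid, bound = self.sts.pop(st, (None, None))    # pop => a replay fails
        if netid is None or bound != service:
            raise CasError("invalid ST")
        result = {"user": netid}
        if pgt_url is not None:
            # Proxy CAS: the PGT goes to the service's pgtUrl directly over https;
            # only the PGTIOU is placed in the XML response, for correlation.
            pgt, pgtiou = self._ticket("TGT"), self._ticket("PGTIOU")
            self.pgts[pgt] = (netid, service, [])
            self.pgt_callbacks.append((pgt_url, pgtiou, pgt))
            result["proxyGrantingTicket"] = pgtiou
        return result

    def proxy(self, pgt, target_service):
        """/proxy: the proxy trades its PGT for a PT usable only at target_service."""
        netid, proxy_service, chain = self.pgts.get(pgt, (None, None, None))
        if netid is None:
            raise CasError("invalid PGT")
        pt = self._ticket("PT")
        self.pts[pt] = (netid, target_service, [proxy_service] + chain)
        return pt

    def proxy_validate(self, pt, service):
        """/proxyValidate: the back end (pam_cas) validates the PT it received as a password."""
        netid, bound, chain = self.pts.pop(pt, (None, None, None))
        if netid is None or bound != service:
            raise CasError("invalid PT")
        return {"user": netid, "proxies": chain}


def _succeeds(fn):
    try:
        fn()
        return True
    except CasError:
        return False


def demo_flow():
    """Walk the deck's login scenario once and report what each tier learned."""
    cas = ToyCasServer()
    webmail, imap = "http://webmail.mydomain.org/", "imap://imap.mydomain.org"
    tgc, st = cas.login("alice", "secret", webmail)
    # Horde validates the ST and asks for a PGT via its casProxy.php callback URL
    st_result = cas.service_validate(st, webmail, pgt_url=webmail + "casProxy.php")
    _url, pgtiou, pgt = cas.pgt_callbacks[-1]
    assert pgtiou == st_result["proxyGrantingTicket"]   # correlate PGTIOU -> PGT -> NetID
    pt = cas.proxy(pgt, imap)                           # the PT is the "password" sent to IMAP
    imap_result = cas.proxy_validate(pt, imap)          # pam_cas validates it
    st2 = cas.issue_st(tgc, webmail)                    # later visit: TGC gives a new ST
    return {
        "webmail_user": st_result["user"],
        "imap_user": imap_result["user"],
        "proxy_chain": imap_result["proxies"],
        "st_reissued": st2 != st,
        "st_replay_ok": _succeeds(lambda: cas.service_validate(st, webmail)),
        "pt_replay_ok": _succeeds(lambda: cas.proxy_validate(pt, imap)),
        "pt_wrong_service_ok": _succeeds(lambda: cas.proxy_validate(cas.proxy(pgt, imap), webmail)),
    }


if __name__ == "__main__":
    print(demo_flow())
```

The replay and wrong-service checks at the end are the point of slide 9: even if a PT is captured on the way to the IMAP server it cannot be presented a second time or at a different service, whereas a cached plain-text password could.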

SLIDE 43

Integration of N-tiers application (section divider; agenda as on slide 3)

SLIDE 44

Implementing proxy CAS

  • IMAPPROXY => standard :) & absolutely necessary now
  • IMAP: pam enabled => pam_cas (standard pam; openssl dependency)
  • Apache/horde/IMP => phpCAS+glue code; Apache--CAS trust (phpCAS client library using ESUP glue-code)

SLIDE 45

Implementing: IMAPPROXY

  • Requires no changes :)

Keeps the IMAP connection alive and checks if PT (“password”) is still the same using a hash => PT “replayed” to local IMAPPROXY

(IMAPPROXY+) ~0min

http://www.imapproxy.org

SLIDE 46

Implementing: IMAP&pam_cas

  • Compile it: pam_cas.so (needs: pam devel, openssl devel)
  • Configure it: pam_cas.conf (needs to trust CA cert of CAS-server!)
  • Enable it: /etc/pam.d/imap

http://www.ja-sig.org/wiki/display/CASC/PAM+Module

SLIDE 47

Implementing: IMAP&pam_cas

/etc/pam.d/imap:

    auth sufficient /lib/security/pam_cas.so -simap://localhost -f/etc/security/pam_cas.conf

Options: -s serviceID -e excludeUser -f configurationFile

PAM control flags:

  • required: this really has to be ok, though pam continues to check the other modules
  • requisite: if this is not ok, it's not ok and do not continue checking the others
  • sufficient: if this is ok, it's ok and do not continue checking the others
  • optional: only decides if no other flags decided before or after

You'll probably want to chain pam_cas with pam_unix, pam_ldap, ... pam_cas only tries validation on ticket-shaped passwords (eg PT-1-nFBuJY5SdWiuSvb3BPxn); this might be someone's real password ;) but that's unlikely => put pam_cas first as sufficient or last as required/requisite, depending on setup

(IMAP+) ~2h
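The two orderings this slide recommends (pam_cas first as sufficient, or last as required) behave differently for a real password, for a valid PT and for a forged ticket-shaped string, and the four control flags decide the outcome. The following Python is an added example, not code from the presentation or from pam_cas: a small evaluator for an auth stack that follows the flag definitions given on the slide, with a pam_cas model that ignores non-ticket-shaped passwords. The ticket regex, the simplified Linux-PAM-style semantics, the credential stores and the function names are all assumptions of the example; the real pam_cas matching rule may differ.

```python
import re

# Assumed ticket shape (constructed regex): CAS ticket prefix, a number and a token,
# matching the slide's example PT-1-nFBuJY5SdWiuSvb3BPxn.  The real pam_cas rule may differ.
TICKET_RE = re.compile(r"^(PT|ST)-\d+-[A-Za-z0-9._-]+$")

def looks_like_ticket(password):
    """pam_cas only attempts validation on ticket-shaped 'passwords'."""
    return bool(TICKET_RE.match(password))

def pam_cas(user, password, valid_tickets):
    """Model of pam_cas: 'ignore' non-ticket passwords, validate ticket-shaped ones
    against the CAS server (here a constructed dict of ticket -> NetID)."""
    if not looks_like_ticket(password):
        return "ignore"
    return "ok" if valid_tickets.get(password) == user else "fail"

def pam_unix(user, password, passwd_db):
    """Model of a conventional password module (pam_unix, pam_ldap, ...)."""
    return "ok" if passwd_db.get(user) == password else "fail"

def run_auth_stack(stack, user, password):
    """Evaluate an auth stack of (control flag, module) pairs using the slide's
    definitions of required / requisite / sufficient / optional.  Simplified
    Linux-PAM-style model (assumption); 'ignore' results decide nothing."""
    failed = False          # a required module failed: the final answer is already fail
    required_ok = False     # some required/requisite module succeeded
    optional_result = None
    for control, module in stack:
        result = module(user, password)
        if result == "ignore":
            continue
        if control == "requisite":
            if result != "ok":
                return "fail"             # not ok => do not check the others
            required_ok = True
        elif control == "required":
            if result != "ok":
                failed = True             # keep checking the others, outcome is fixed
            else:
                required_ok = True
        elif control == "sufficient":
            if result == "ok" and not failed:
                return "ok"               # ok => do not check the others
        elif control == "optional":
            optional_result = result      # only counts if nothing else decides
    if failed:
        return "fail"
    if required_ok:
        return "ok"
    return optional_result or "fail"

def build_stacks():
    """The two orderings the slide recommends, bound to constructed credential stores."""
    tickets = {"PT-1-nFBuJY5SdWiuSvb3BPxn": "alice"}   # constructed: what CAS would validate
    passwd = {"alice": "local-pw-example"}             # constructed local password store
    cas = lambda u, p: pam_cas(u, p, tickets)
    unix = lambda u, p: pam_unix(u, p, passwd)
    return {
        # pam_cas first as sufficient: a valid PT logs in without consulting pam_unix
        "cas_first_sufficient": [("sufficient", cas), ("required", unix)],
        # pam_cas last as required: pam_unix may short-circuit; a PT must then validate
        "cas_last_required": [("sufficient", unix), ("required", cas)],
    }

if __name__ == "__main__":
    for name, stack in build_stacks().items():
        for pw in ("PT-1-nFBuJY5SdWiuSvb3BPxn", "local-pw-example", "PT-9-forged", "wrong"):
            print(name, repr(pw), run_auth_stack(stack, "alice", pw))
```

In both orderings a forged ticket-shaped string is rejected: in the first because pam_cas's failure is not sufficient and pam_unix then fails as required, in the second because pam_cas itself is required. The difference is only which module gets to decide first, which is what the slide's "depending on setup" refers to.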

SLIDE 48

Implementing: Apache--CAS

  • Apache/PHP that powers Horde (cURL lib) checks hostname-certificate of CAS-server
  • Reason: ST validation, PT requests (w PGT)

Note: CURLOPT_SSL_VERIFYPEER is set to 0 in client.php, you may want to change that, but then you need a tiny adjustment in apache conf (mod_ssl):

    ----------httpd.conf------------
    SSLCertificateFile /etc/pki/myHORDEserver.pem
    SSLCertificateChainFile /etc/pki/ca_cert.pem
    #added for the trust mechanism----
    SSLCACertificateFile /etc/pki/ca_cert.pem
    #----added

(SSL+) ~5min

SLIDE 49

Implementing: Apache--CAS

IMPORTANT NOTE (proxy CAS only):

  • CAS-server also needs to trust certificate of Apache/PHP
  • Reason: PGT sent in request by CAS-server
  • Ok: Java truststore (cacerts) contains CA's

If using a self-signed cert at apache (not good!) or unknown CA:

    $ keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts

(default pwd=changeme)

(SSL+) ~0min

SLIDE 50

Implementing: Horde3/IMP4

  • install phpCAS
    – cp -r source/CAS/* $HORDE_DIR/lib/CAS/
  • install glue-code (from ESUP package)
    – cp $CAS_DIR/cas.php $HORDE_DIR/lib/Horde/Auth/
    – cp $CAS_DIR/casProxy.php $HORDE_DIR/
  • patch Horde&IMP
    – imp/lib/IMAP.php: to fetch new PT if needed
    – config/conf.xml: easy admin configuration [recommended]
    – config/hooks.php: _cas_hook_authorisation() to a backend

(Horde+) ~4h

http://wiki.horde.org/CASAuthHowTo

SLIDE 51

Implementing

Diagram: CAS SERVER, BROWSER, Horde / IMP with phpCAS CLIENT, IMAP SERVER, IMAP PROXY, PAM with PAM_CAS, annotated with the effort per component:

  • (IMAPPROXY+) ~0min
  • (IMAP+) ~2h: compile, install, configure
  • (Horde+) ~4h: install, patch, configure
  • configure if using allowedServices

SLIDE 52

Implementing proxy CAS

  • CAS Server: 1-2 days, fully operational (excl Java, Spring, auth backend)
  • “regular” CAS client: ½ day.... (excl knowing the technology of the application)
  • Proxy CAS client: ½ week.... BUT ALSO

SLIDE 53

Implementing: the catch...

  • Think about everything that can go wrong when using SSL and add some
  • Distributed systems & knowledge (eg: case insensitive login at the CAS server but not proxy, firewalls s...)
  • Multiple technologies & knowledge

SLIDE 54

Implementing: the beauty...

  • Multiple deployments since 2006
  • K.U.Leuven:
    – 2 front-end Horde web-servers (Apache)
    – 4 backend mail-servers (UW-IMAP on AIX)
    – ~40000 users (total)
  • ~40000/d webmail logins
  • ~60000/d portlet logins
  • No stability issues so far...

SLIDE 55

Integration of N-tiers application (section divider; agenda as on slide 3)

SLIDE 56

Beyond...: portals & webservices

  • Email portlet/building block for Blackboard
  • <create your own client>: various libs
  • Webservices...

http://www.ja-sig.org/wiki/display/CASC/Home

SLIDE 57

Beyond...: SAML

  • CAS supports 1-tier SAML1.1/2.0 (Google)
  • PAML: Pluggable Authentication Mod-AML?
  • KAML: IETF Kerberos-SAML discussions

SLIDE 58

Integration of N-tiers application (closing slide; agenda as on slide 3)

?

References:
  http://www.ja-sig.org/products/cas/
  http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough
  http://www.ja-sig.org/wiki/display/CASUM/Home
  http://www.esup-portail.org/consortium/espace/Comm_2D/Horde/PackageInstall.html
  http://shib.kuleuven.be/docs/horde3-cas/