Integration of N-tiers application Using CAS Single Sign On system - PowerPoint PPT Presentation



SLIDE 1

EuroCAMP 8may2008 Jan.DuCaju@icts.KULeuven.be

Integration of N-tiers application Using CAS Single Sign On system with Horde webmail

Jan Du Caju, ICT security officer, K.U.Leuven, Belgium

SLIDE 2

Integration of N-tiers application Using CAS Single Sign On system with Horde webmail

Agenda
  • context association K.U.Leuven
  • N-tiers problem space
  • Proxy CAS
  • The gory details
  • Future
  • Conclusions

SLIDE 3

Agenda slide; next section: context association K.U.Leuven

SLIDE 4

Introduction: context association K.U.Leuven

The educational landscape reflects the political situation: association K.U.Leuven

  • 1 university and 12 schools of higher education
  • Need for resource sharing
  • 2004: Shibboleth for institutional and inter-institutional web resources

SLIDE 5

Introduction: context association K.U.Leuven

Every institution of association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure, incl. Shibboleth IdP and CAS)

Resources
  • e-learning: Blackboard and other coupled education apps
  • library: Ex Libris, and access to scientific papers, publications and databases
  • work place context: intranet, webmail, groupware and inter-institutional offers
  • research context: HPC et al
  • administrative and organizational context: SAP

Federations
  • K.U.Leuven (institutional)
  • Association K.U.Leuven
  • K.U.Leuven - UZLeuven (university hospital)
  • Not yet :-\ a national federation at NREN level (Belnet)

SLIDE 6

Agenda slide; next section: N-tiers problem space

SLIDE 7

N-tiers problem space

[Diagram: browser → webmail → imap server. The user types uid and pw into the browser, which sends them to webmail.]

SLIDE 8

N-tiers problem space

[Diagram: browser → webmail → imap server. Webmail forwards the same uid and pw to the imap server to log in on the user's behalf.]

SLIDE 9

N-tiers problem space

[Diagram: as slide 8: uid and pw travel from browser to webmail and from webmail to the imap server.]

Goal

  • Password does not pass application
  • Secure (no caching of passwords, ...)
  • Single Sign-On

SLIDE 10

CAS

  • Originally open-source WebISO developed by Yale University
  • JA-SIG project since December 2004
  • Loosely based on Kerberos: passwords are replaced by tickets (≈ one-time passwords)
  • Server: Java & Spring framework
  • Client: lots of implementations and libraries

SLIDE 11

CAS

[Diagram: browser, webmail, imap server, CAS server.]

  • CAS server: a trusted arbiter of authenticity
  • back-end service proxy: service that wants to access other service on behalf of a particular user

SLIDE 12

CAS

[Diagram: browser → webmail → imap server, with the CAS server added as a fourth party.]

SLIDE 13

CAS

[Diagram: the browser requests service S1=https://webmail.kuleuven.be from webmail.]

SLIDE 14

CAS

[Diagram: the browser is sent to the CAS server login page, carrying the service identifier S1.]

SLIDE 15

CAS

[Diagram: login: the user submits uid and pw to the CAS server, not to webmail.]

SLIDE 16

CAS

[Diagram: the CAS server issues a service ticket ST for S1 and sets a Ticket Granting Cookie TGC in the browser; the browser returns to webmail with the ST.]

SLIDE 17

CAS

[Diagram: verification of the service ticket: webmail presents the ST to the CAS server.]

SLIDE 18

CAS

[Diagram: webmail now knows the user's uid without having seen the password; the browser keeps the TGC for single sign-on.]

SLIDE 19

N-tiers problem space

[Diagram: as slide 18, with a ? on the link between webmail and the imap server: webmail holds no password with which to log in to the imap server on the user's behalf.]

SLIDE 20

Agenda slide; next section: Proxy CAS

SLIDE 21

Proxy CAS

[Diagram: as slide 18; additional: when validating the ST, webmail also passes a Proxy Granting Ticket URL (PGT-URL) to the CAS server.]

SLIDE 22

Proxy CAS

[Diagram: same actors and tickets as slide 21 (animation step).]

SLIDE 23

Proxy CAS

[Diagram: the CAS server calls back the PGT-URL on webmail with a PGTIOU and a PGT; the PGTIOU is also returned in the ST validation response.]

PGTIOU to correlate PGT with uid

SLIDE 24

Proxy CAS

[Diagram: webmail presents the PGT to the CAS server, asking for access to service S2=imap://imap.kuleuven.be.]

SLIDE 25

Proxy CAS

[Diagram: the CAS server returns a Proxy Ticket PT for S2 to webmail.]

SLIDE 26

Proxy CAS

[Diagram: webmail logs in to the imap server with uid and PT in place of the password.]

SLIDE 27

Proxy CAS

[Diagram: the imap server sends S2 and PT to the CAS server for validation.]

SLIDE 28

Proxy CAS

[Diagram: the CAS server returns the uid bound to the PT; the imap server checks it against the login name it was given.]

SLIDE 29

Proxy CAS

[Diagram: complete flow. browser ↔ CAS server: uid pw, S1, ST, TGC. webmail ↔ CAS server: ST validation with PGT-URL, PGTIOU/PGT callback, S2 + PGT → PT. webmail → imap server: PT, uid. imap server ↔ CAS server: S2 + PT → uid.]

SLIDE 30

Agenda slide; next section: The gory details

SLIDE 31

The gory details

[Diagram: browser → webmail (phpCAS; imap proxy with a persistent imap connection) → imap server (PAM_CAS). webmail sends PT and uid to the imap server; PAM_CAS sends S2 and PT to the CAS server and receives the uid.]

SLIDE 32

The gory details

imap server
  • PAM_CAS: exchange of tickets with CAS server

Horde IMP webmail server
  • standard: Apache, php, Horde IMP
  • imap proxy: keeps a persistent imap connection; mostly implemented for performance, but has the additional advantage that there is no need for a new PT (Proxy Ticket) for each request
  • phpCAS client: exchange of tickets with CAS server
  • ESUP glue-code to let phpCAS client & Proxy CAS communicate seamlessly with Horde IMP
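The ticket exchanges drawn in slides 13 to 29, and the PAM_CAS validation on the imap server from slides 31 and 32, as an added Python model. This is example code written for this page, not code from the presentation, phpCAS, PAM_CAS or the CAS server itself. The CAS server is an in-memory class standing in for the real HTTP endpoints (/serviceValidate, /proxyValidate, /proxy); the service identifiers S1 and S2 come from the slides, while the PGT callback URL and the test user are constructed assumptions.

```python
"""Toy model of CAS 2.0 + Proxy CAS as used by the webmail -> imap chain.
Example written for this page; not the presentation's or any project's code."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

S1 = "https://webmail.kuleuven.be"                       # from the slides
S2 = "imap://imap.kuleuven.be"                           # from the slides
PGT_URL = "https://webmail.kuleuven.be/pgt-callback"     # hypothetical PGT-URL
USERS = {"u0012345": "correct-horse-battery"}            # constructed test user


@dataclass
class Ticket:
    kind: str                     # "ST", "PGT" or "PT"
    uid: str
    service: Optional[str]        # service the ticket is bound to (None for a PGT)
    issued: float
    proxies: List[str] = field(default_factory=list)   # PGT-URLs of the proxy chain


class CasServer:
    """The trusted arbiter of authenticity (slide 11), kept in memory."""
    TICKET_TTL = 10.0             # ST and PT are short-lived and single-use

    def __init__(self) -> None:
        self.tickets: Dict[str, Ticket] = {}
        self.tgcs: Dict[str, str] = {}                       # TGC cookie -> uid
        self.callbacks: List[Tuple[str, str, str]] = []      # (pgt_url, pgtiou, pgt)

    def _issue(self, kind: str, uid: str, service: Optional[str], proxies=()) -> str:
        tid = f"{kind}-{secrets.token_urlsafe(12)}"
        self.tickets[tid] = Ticket(kind, uid, service, time.time(), list(proxies))
        return tid

    def login(self, uid: str, pw: str, service: str) -> Tuple[str, str]:
        """Slides 15-16: the password is checked here only; returns (TGC, ST)."""
        if USERS.get(uid) != pw:
            raise PermissionError("bad credentials")
        tgc = "TGC-" + secrets.token_urlsafe(12)
        self.tgcs[tgc] = uid
        return tgc, self._issue("ST", uid, service)

    def service_ticket(self, tgc: str, service: str) -> str:
        """Single sign-on: a valid TGC yields an ST without asking the password again."""
        return self._issue("ST", self.tgcs[tgc], service)

    def _validate(self, ticket, service, kinds, pgt_url):
        t = self.tickets.pop(ticket, None)       # pop: a ticket validates at most once
        if t is None or t.kind not in kinds or t.service != service:
            return None
        if time.time() - t.issued > self.TICKET_TTL:
            return None
        result = {"uid": t.uid, "proxies": list(t.proxies)}
        if pgt_url is not None:
            # Slide 23: the PGT goes to the PGT-URL callback; only the PGTIOU is
            # in the validation response, so the caller can correlate PGT and uid.
            pgtiou = "PGTIOU-" + secrets.token_urlsafe(12)
            pgt = self._issue("PGT", t.uid, None, [pgt_url] + t.proxies)
            self.callbacks.append((pgt_url, pgtiou, pgt))
            result["pgtiou"] = pgtiou
        return result

    def service_validate(self, ticket, service, pgt_url=None):
        """/serviceValidate (slides 17 and 21): accepts an ST only."""
        return self._validate(ticket, service, ("ST",), pgt_url)

    def proxy_validate(self, ticket, service, pgt_url=None):
        """/proxyValidate (slide 27): accepts ST or PT and reports the proxy chain."""
        return self._validate(ticket, service, ("ST", "PT"), pgt_url)

    def proxy(self, pgt: str, target_service: str) -> Optional[str]:
        """/proxy (slides 24-25): a PGT is reusable and yields one PT per target."""
        t = self.tickets.get(pgt)
        if t is None or t.kind != "PGT":
            return None
        return self._issue("PT", t.uid, target_service, t.proxies)


def imap_login(cas: CasServer, claimed_uid: str, pt: str) -> bool:
    """What PAM_CAS on the imap server does (slides 27-28, 31): validate the PT for
    S2, compare the uid CAS returns with the login name, and accept only tickets
    proxied through the webmail PGT-URL."""
    r = cas.proxy_validate(pt, S2)
    return r is not None and r["uid"] == claimed_uid and r["proxies"] == [PGT_URL]


def webmail_session(cas: CasServer, uid: str, pw: str) -> dict:
    """Slides 13-29 end to end from webmail's point of view."""
    tgc, st = cas.login(uid, pw, S1)                     # browser -> CAS, back with ST
    v = cas.service_validate(st, S1, pgt_url=PGT_URL)    # slides 17 + 21
    if v is None:
        return {"authenticated": False}
    pgt = next(p for url, iou, p in cas.callbacks        # slide 23: PGTIOU correlation
               if url == PGT_URL and iou == v["pgtiou"])
    pt = cas.proxy(pgt, S2)                              # slides 24-25
    return {"authenticated": True, "uid": v["uid"], "tgc": tgc, "pgt": pgt, "pt": pt,
            "imap_ok": imap_login(cas, v["uid"], pt)}    # slides 26-28


if __name__ == "__main__":
    cas = CasServer()
    s = webmail_session(cas, "u0012345", "correct-horse-battery")
    print(s["uid"], "imap login:", s["imap_ok"])
    print("replay of the same PT accepted:", imap_login(cas, s["uid"], s["pt"]))
```

The password is only ever handed to `CasServer.login`; webmail and the imap server see tickets. Because `_validate` pops the ticket, a PT is consumed by its first validation, which is the reason slide 32 gives for the persistent imap connection: without it, webmail would have to fetch a fresh PT from the PGT for every imap request.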

SLIDE 33

Agenda slide; next section: Future

SLIDE 34

Future

  • K.U.Leuven needs calendar functionality: moving from imap to MS Exchange
  • Working proof-of-concept: ADFS-enabled OWA (Outlook Web Access) integrated with our Shibboleth IdP
  • Implementation: summer 2008

SLIDE 35

Agenda slide; next section: Conclusions

SLIDE 36

Conclusion

Integration of N-tiers applications
  • dependent on application
  • one possibility by means of Proxy CAS

References

Credits
  • Philip Brusten
  • Jan Van der Velpen (CAS developer)

URLs
  • http://shib.kuleuven.be
  • http://kuleuven.be/english
  • http://associatie.kuleuven.be/eng
  • http://www.ja-sig.org/cas
  • http://esup-portal.org