Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology Center, Nagoya University) and Hisashi NAITO (Graduate School of Mathematics, Nagoya University) Jan. 22 2006, APAN 21st Conference p. 1/16


SLIDE 1

Single Sign On and Authorization Infrastructure using CAS2

Shoji KAJITA (Information Technology Center, Nagoya University) and Hisashi NAITO (Graduate School of Mathematics, Nagoya University)

Jan. 22 2006, APAN 21st Conference
SLIDE 2

Plan of Talk

  • Short introduction to CAS and CAS2
  • Authentication mechanism of CAS and Authorization mechanism of CAS2
  • "Nagoya University Portal" using CAS2
  • Summary
SLIDE 3

What is CAS & CAS2

CAS
  • Single Sign On Environment for Web Applications
  • Open Source software developed by Yale University

CAS2
  • We extend CAS to an Authorization Environment for Web Applications
  • CAS2 controls Access Rights for each Web Application: WHO, WHEN, from WHERE
SLIDE 4

Usual Authentication and Authorization

[Diagram: Web Browser, Web Application, USER DB; steps 1 and 2]

  • Web Application must include AuthN & AuthZ code
  • Web Application directly accesses the USER DB to obtain User Information
  • Web Application has a password to access the USER DB
SLIDE 5

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB]
SLIDE 6

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB; Login Window]
SLIDE 7

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB; Login Window; Authentication, Service Authorization]
SLIDE 8

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB; TGC, ST; AA Results]
SLIDE 9

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB; TGC, ST; AA results]
SLIDE 10

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB; TGC, ST; Authorization]
SLIDE 11

Mechanism CAS and CAS2

[Diagram: Web Browser, Web Application, CAS Server, USER DB; TGC; AA Authorization Result]
SLIDE 12

Mechanism CAS and CAS2

Ticket Granting Cookie (TGC)
  • If the Browser has a TGC, the Browser is Authenticated

Service Ticket (ST)
  • One Time Ticket for accessing a Web Application
  • Includes Authorization Information
  • If the ST is valid, the access is Authorized
SLIDE 13

Authorization Mechanism of CAS2

Data Base for Authorization (CAS-ACL)
  • CAS-ACL is a list of Access Permissions; each entry specifies:
    FOR WHICH Web Application (target URL)
    WHO (User Information)
    WHEN (Access Time)
    FROM WHERE (Client Information)
  • The ST carries the information of which entry of CAS-ACL the access matched
SLIDE 14

Example of CAS-ACL

  dn: cn=entry1,ou=gakumu,ou=cas,o=nagoyaUniv
  cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(IP=133.6.130.0/24))
  cas-service: https://app.*\.mynu\.jp/.+
  cas-attributes: uid,mailAddress,IdNo,FullName,dn

When
  • the URL matches https://app.*\.mynu\.jp/.+
  • uid is naito
  • the Access time is between 2005/10/10 and 2005/11/10
  • the Client IP is in 133.6.130.0/24
then the access is granted, and the CAS Server sends the User information uid,mailAddress,IdNo,FullName,dn to the Web Application.
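The matching of a request against this CAS-ACL entry, as an added example that is not part of the presentation or of CAS2 itself: a small Python evaluator that checks a constructed request against the slide's entry and returns the attribute list to release, failing closed on any part of the filter it does not understand. The request fields (service, uid, date, ip) and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed CAS-ACL entry, copied from slide 14 (field names as on the slide).
ACL_ENTRY = {
    "dn": "cn=entry1,ou=gakumu,ou=cas,o=nagoyaUniv",
    "cas-allow": "(&(uid=naito)(date>=20051010)(date<=20051110)(IP=133.6.130.0/24))",
    "cas-service": r"https://app.*\.mynu\.jp/.+",
    "cas-attributes": "uid,mailAddress,IdNo,FullName,dn",
}

# Constructed access request: the facts CAS2 checks (target URL, who, when, from where).
REQUEST = {"service": "https://app1.mynu.jp/portal/", "uid": "naito",
           "date": "20051020", "ip": "133.6.130.77"}

# One "(attr op value)" clause; only the operators used on the slide are parsed.
_CLAUSE = re.compile(r"\((\w+)(>=|<=|=)([^()]+)\)")

def _clause_ok(attr, op, value, req):
    """Evaluate a single clause against the request; unknown attributes deny."""
    if attr == "uid":
        return req["uid"] == value
    if attr == "date":  # YYYYMMDD, compared numerically
        return int(req["date"]) >= int(value) if op == ">=" else int(req["date"]) <= int(value)
    if attr == "IP":    # CIDR membership, as in the slide's 133.6.130.0/24
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(value, strict=False)
    return False

def authorize(entry, req):
    """Return the attribute names to release to the Web Application if the
    request matches the entry (URL, user, time window and client network all
    agree), otherwise None, meaning the access is denied."""
    if not re.fullmatch(entry["cas-service"], req["service"]):
        return None
    allow = entry["cas-allow"]
    if not (allow.startswith("(&") and allow.endswith(")")):
        return None  # only the AND filter form shown on the slide is supported
    body = allow[2:-1]
    clauses = _CLAUSE.findall(body)
    if not clauses or _CLAUSE.sub("", body).strip():
        return None  # empty or partly unparsed filter: fail closed
    if not all(_clause_ok(a, o, v, req) for a, o, v in clauses):
        return None
    return entry["cas-attributes"].split(",")

if __name__ == "__main__":
    print(authorize(ACL_ENTRY, REQUEST))                       # attribute list
    print(authorize(ACL_ENTRY, dict(REQUEST, ip="10.0.0.1")))  # None: wrong network
```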
SLIDE 15

CAS2 in Nagoya University

Web Applications using CAS2 in Nagoya University
  • Nagoya University Portal
  • Course Registration System (10000 Students and 2000 Faculty)
  • Researcher Database (2000 Faculty)
  • WebCT
  • ...

These Applications are Single Sign On and Access Controlled by CAS2
SLIDE 16

Summary

CAS2 is easy to use:
  • Easy to construct a Single Sign On Environment
  • Easy to construct a Unified Authorization Environment
  • Easy to modify an Application to use CAS: only modify it to use the CAS client module for Authentication and Authorization
  • ONLY SSL for encryption

CAS2 is secure:
  • Web Application does not handle Authentication Information
  • Web Application does not directly access the USER DB