Single sign-on enabled OpenCms: Architecture for Single sign-on (PowerPoint presentation)



SLIDE 1

Single sign-on enabled OpenCms

Architecture for Single sign-on implementation into OpenCms

► Pavel Slavíček, pavel.slavicek@qbizm.cz

Brno, The Czech Republic, 2. 5. 2008

SLIDE 2

Content

► Single sign-on introduction (SSO)
  » Introduction to Single sign-on
► SSO protocols
  » Basic mechanisms
  » Simplified mechanisms of CAS, NTLM, Kerberos
► Implementation of SSO into OpenCms
  » General architecture
  » Architecture for a concrete protocol
► Experiences
  » Our experiences in real projects

SLIDE 3

What is Single sign-on?

SLIDE 4

Single sign-on

► Method of access control
► User enters his credentials once and has access to multiple applications
  » Without the need to enter multiple passwords
► Heterogeneous systems
  » Intranet, e-mail, stock system, ...
► Comfortable for users

SLIDE 5

Single sign-on

► Advantages
  » Reduces sending of passwords over the network, etc.
  » Reduces human error
  » Comfortable for users
  » …
► Disadvantages
  » Failure of the Single sign-on component (a single point of failure)
  » The Single sign-on component must be a component with high security
  » …

SLIDE 6

Protocols for Single sign-on

► Central Authentication Service (CAS)
► NTLM (NT LAN Manager)
► Kerberos
► And others
  » CoSign (cookie based)
  » OpenSSO (Sun Java System Access Manager)
  » …

SLIDE 7

Single sign-on concepts and protocols

SLIDE 8

Central Authentication Service (CAS)

► Yale University
  » JA-SIG project
► Mostly used for web applications
► Features
  » Involves a client web browser
  » Cookie-based mechanism
  » Password is sent over the network (HTTPS)
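The ticket and cookie mechanism of the slide, as an added example that is not part of the presentation or of the CAS project's code: an in-memory model in which the browser logs in once at the CAS server and receives a ticket-granting cookie (TGC), and each service obtains a short-lived, single-use service ticket (ST) that it validates back-channel with CAS. The user name, password, service URLs and the ticket lifetime are constructed test values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed, in-memory model of the CAS ticket flow (not the real CAS server).
# Only the login step carries the password; every later step carries tickets.

ST_LIFETIME_SECONDS = 10  # assumed lifetime; real deployments use a similarly short window


@dataclass
class ServiceTicket:
    user: str
    service: str
    issued_at: float


class CasServer:
    def __init__(self, users: Dict[str, str]):
        self._users = users                           # user -> password (constructed test data)
        self._tgc: Dict[str, str] = {}                # TGC cookie value -> user
        self._tickets: Dict[str, ServiceTicket] = {}  # outstanding (unconsumed) service tickets

    def login(self, user: str, password: str) -> Optional[str]:
        """Primary authentication: the only step where the password itself travels (over HTTPS)."""
        if self._users.get(user) != password:
            return None
        cookie = "TGC-" + secrets.token_urlsafe(32)
        self._tgc[cookie] = user
        return cookie

    def issue_service_ticket(self, cookie: str, service: str,
                             now: Callable[[], float] = time.time) -> Optional[str]:
        """Browser presents its TGC; CAS issues an ST bound to the service URL that asked for it."""
        user = self._tgc.get(cookie)
        if user is None:
            return None
        ticket = "ST-" + secrets.token_urlsafe(32)
        self._tickets[ticket] = ServiceTicket(user, service, now())
        return ticket

    def validate(self, ticket: str, service: str,
                 now: Callable[[], float] = time.time) -> Optional[str]:
        """Back-channel validation by the service: returns the user name or None."""
        st = self._tickets.pop(ticket, None)  # pop consumes the ticket: a replay is not found
        if st is None:
            return None
        if st.service != service:             # valid only for the service it was issued to
            return None
        if now() - st.issued_at > ST_LIFETIME_SECONDS:
            return None
        return st.user

    def logout(self, cookie: str) -> None:
        """Single logout at CAS: the TGC no longer yields tickets for any service."""
        self._tgc.pop(cookie, None)


def run_demo() -> Dict[str, Optional[str]]:
    """Walk through the flow and return what the service learns at each step."""
    cas = CasServer({"alice": "correct horse battery"})
    cms = "https://cms.example/system/login"  # hypothetical OpenCms login URL
    cookie = cas.login("alice", "correct horse battery")

    st = cas.issue_service_ticket(cookie, cms)
    first = cas.validate(st, cms)   # "alice"
    replay = cas.validate(st, cms)  # None: ticket already consumed

    st2 = cas.issue_service_ticket(cookie, cms)
    other_service = cas.validate(st2, "https://other.example/app")  # None: bound to cms

    st3 = cas.issue_service_ticket(cookie, cms, now=lambda: 1000.0)
    expired = cas.validate(st3, cms, now=lambda: 1000.0 + ST_LIFETIME_SECONDS + 1)  # None

    cas.logout(cookie)
    after_logout = cas.issue_service_ticket(cookie, cms)  # None: TGC revoked

    return {"first": first, "replay": replay, "other_service": other_service,
            "expired": expired, "after_logout": after_logout,
            "bad_password": cas.login("alice", "wrong")}


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

The three checks in `validate` (consume on first use, compare the service URL, enforce the lifetime) are what make a ticket safe to pass through the browser: an observed ticket is worthless after one use, at another service, or a few seconds later.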

SLIDE 9

Central Authentication Service (CAS)

SLIDE 10

NTLM (NT LAN Manager)

► Microsoft authentication protocol
► "Old" protocol
  » Microsoft adopted Kerberos
  » In several cases Kerberos can't be used
► Features
  » Challenge-response sequence
  » Messages between client and server
  » Password is not sent over the network (hash, DES)
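The challenge-response sequence of the slide, as an added example that is neither the presentation's code nor JCIFS: it follows the shape of the NTLMv2 response (an HMAC-MD5 keyed with a per-user key over the server challenge and a client nonce) and leaves out the real Type 1/2/3 message encodings. The domain, user and password are constructed, and the password hash substitutes SHA-256 for the MD4-based NT hash because MD4 is disabled in many current OpenSSL builds; the protocol logic is unaffected by that substitution.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed illustration of NTLM-style challenge-response. What crosses the
# wire is a random challenge and a keyed digest, never the password itself.


def password_hash(password: str) -> bytes:
    # Real NTLM uses the NT hash (MD4 over the UTF-16LE password); SHA-256 is
    # substituted here only because MD4 is unavailable in many hashlib builds.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5(password hash, uppercase(user) + domain)."""
    return hmac.new(password_hash(password),
                    (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def compute_response(key: bytes, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """The response both sides can compute; it is useless without a fresh challenge."""
    return hmac.new(key, server_challenge + client_nonce, "md5").digest()


class Server:
    """Holds only the derived per-user keys, as a domain controller holds NT hashes."""

    def __init__(self, keys: Dict[Tuple[str, str], bytes]):
        self._keys = keys  # (domain, user) -> NTLMv2 key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Type 2 message: an 8-byte random server challenge, valid for one response."""
        self._pending = secrets.token_bytes(8)
        return self._pending

    def verify(self, domain: str, user: str, client_nonce: bytes, response: bytes) -> bool:
        """Type 3 message check; the pending challenge is discarded whatever the outcome."""
        challenge, self._pending = self._pending, None
        key = self._keys.get((domain, user))
        if challenge is None or key is None:
            return False
        expected = compute_response(key, challenge, client_nonce)
        return hmac.compare_digest(expected, response)


class Client:
    """The workstation side: derives the key from the user's password locally."""

    def __init__(self, domain: str, user: str, password: str):
        self.domain, self.user = domain, user
        self._key = ntlmv2_key(password, user, domain)

    def respond(self, server_challenge: bytes) -> Tuple[bytes, bytes]:
        client_nonce = secrets.token_bytes(8)
        return client_nonce, compute_response(self._key, server_challenge, client_nonce)


def run_demo() -> Dict[str, bool]:
    # Constructed account data; the server never stores or sees the password itself.
    server = Server({("EXAMPLE", "jdoe"): ntlmv2_key("s3cret pass", "jdoe", "EXAMPLE")})

    good = Client("EXAMPLE", "jdoe", "s3cret pass")
    nonce, resp = good.respond(server.challenge())
    accepted = server.verify("EXAMPLE", "jdoe", nonce, resp)  # True

    replayed = server.verify("EXAMPLE", "jdoe", nonce, resp)  # False: challenge already consumed
    server.challenge()                                        # a fresh challenge is issued
    replayed_new_challenge = server.verify("EXAMPLE", "jdoe", nonce, resp)  # False: bound to old one

    bad = Client("EXAMPLE", "jdoe", "wrong pass")
    nonce2, resp2 = bad.respond(server.challenge())
    wrong_password = server.verify("EXAMPLE", "jdoe", nonce2, resp2)  # False

    return {"accepted": accepted, "replayed": replayed,
            "replayed_new_challenge": replayed_new_challenge,
            "wrong_password": wrong_password}


if __name__ == "__main__":
    print(run_demo())
```

Note that the server-side key is a password equivalent: whoever holds the stored hash can answer challenges, which is why the slide lists the SSO component as a component that must be highly secured.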

SLIDE 11

NTLM (NT LAN Manager)

SLIDE 12

Kerberos

► Massachusetts Institute of Technology (MIT)
► Protocol was adopted by Microsoft
  » Windows 2000 and Windows Active Directory Server 2003
► Features
  » Client-server model, mutual authentication
  » Symmetric key cryptography
  » Works over non-secure networks (protects against eavesdropping and replay)
  » Password is not sent over the network
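The service-ticket step of the slide, as an added example that is not the presentation's code nor MIT Kerberos: every principal shares a long-term secret with the KDC, the KDC seals a service ticket under the service's secret, and the client proves possession of the enclosed session key with a timestamped authenticator that the service checks for freshness and replay. The AS/TGT exchange is collapsed into one KDC call, `seal`/`unseal` is a toy encrypt-then-MAC standing in for the Kerberos encryption types, and the principal names, lifetimes and keys are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed model of the Kerberos service-ticket exchange. seal/unseal is a
# toy cipher (SHA-256 keystream plus HMAC-SHA256 tag), not a Kerberos etype.

TICKET_LIFETIME = 8 * 3600  # seconds, assumed ticket lifetime
MAX_CLOCK_SKEW = 300        # seconds, the usual 5-minute Kerberos tolerance


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError on a wrong key or tampered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, secrets_db: Dict[str, bytes]):
        self._secrets = secrets_db  # principal -> long-term key (constructed test data)

    def service_ticket(self, user: str, service: str, now: float) -> Tuple[bytes, bytes]:
        """Return (ticket readable only by the service, reply readable only by the user)."""
        session_key = secrets.token_bytes(32).hex()
        ticket = seal(self._secrets[service],
                      {"user": user, "session_key": session_key, "expires": now + TICKET_LIFETIME})
        reply = seal(self._secrets[user], {"session_key": session_key, "service": service})
        return ticket, reply


def client_authenticator(user_secret: bytes, reply: bytes, user: str, now: float) -> bytes:
    """Client side: recover the session key from the KDC reply, seal a timestamped authenticator."""
    session_key = bytes.fromhex(unseal(user_secret, reply)["session_key"])
    return seal(session_key, {"user": user, "timestamp": now})


class Service:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._replay_cache: Set[Tuple[str, float]] = set()  # (user, authenticator timestamp)

    def authenticate(self, ticket: bytes, authenticator: bytes, now: float) -> Optional[str]:
        """Return the user name on success, None on any failure."""
        try:
            t = unseal(self._secret, ticket)  # decryption with the service's own secret
            a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        except ValueError:
            return None                       # not sealed for this service, or tampered
        if now > t["expires"] or a["user"] != t["user"]:
            return None
        if abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:
            return None                       # stale authenticator presented long after it was made
        if (a["user"], a["timestamp"]) in self._replay_cache:
            return None                       # identical authenticator already accepted
        self._replay_cache.add((a["user"], a["timestamp"]))
        return t["user"]


def run_demo() -> Dict[str, Optional[str]]:
    db = {"alice": secrets.token_bytes(32),
          "HTTP/cms.example": secrets.token_bytes(32),
          "HTTP/other.example": secrets.token_bytes(32)}
    kdc, now = KDC(db), 1_700_000_000.0
    cms, other = Service(db["HTTP/cms.example"]), Service(db["HTTP/other.example"])

    ticket, reply = kdc.service_ticket("alice", "HTTP/cms.example", now)
    auth = client_authenticator(db["alice"], reply, "alice", now)
    late, expiry = now + MAX_CLOCK_SKEW + 1, now + TICKET_LIFETIME + 1
    return {
        "ok": cms.authenticate(ticket, auth, now),               # "alice"
        "replay": cms.authenticate(ticket, auth, now + 1),       # None, authenticator reused
        "wrong_service": other.authenticate(ticket, auth, now),  # None, ticket sealed for cms
        "stale": cms.authenticate(ticket, auth, late),           # None, authenticator too old
        "expired": cms.authenticate(
            ticket, client_authenticator(db["alice"], reply, "alice", expiry), expiry),  # None
    }
```

The service never contacts the KDC at login time and never sees the user's long-term key; the clock-skew window and the replay cache are the two controls that turn "symmetric key cryptography over a non-secure network" into resistance against eavesdropping and replay.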

SLIDE 13

Kerberos

SLIDE 14

Architecture for SSO implementation into OpenCms

SLIDE 15

General architecture

► The concrete architecture depends on the chosen Single sign-on protocol
► We do not have the user's password
  » We have to trust the Single sign-on component
  » Special authentication mechanism
    › We have to implement our own user driver
    › User name transforming
    › We have to modify the authentication mechanisms in OpenCms
► Central user's account storage
  » User account synchronization from an LDAP server
    › OCEE modules from Alkacon
    › OpenCms-LDAP module from sourceforge.net
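The "user name transforming" and "own user driver" items of the slide, as an added example that is not OpenCms, OCEE or OpenCms-LDAP code: the SSO component hands over an already-authenticated principal, the transform maps it to the account name used in the synchronized user store, and the driver accepts the principal without ever handling a password. The trusted domain and realm names, the account names and the user-name syntax are hypothetical placeholders for a deployment's own values.

```python
import re
from typing import Optional, Set

# Constructed illustration of the principal-to-account mapping behind the
# custom user driver. Domain, realm and account names are placeholders.

TRUSTED_NTLM_DOMAINS = {"EXAMPLE"}         # domains the NTLM filter is configured against
TRUSTED_KERBEROS_REALMS = {"EXAMPLE.COM"}  # realms whose KDC the filter trusts
USER_NAME_RE = re.compile(r"[a-z0-9._-]{1,64}")  # assumed account-name syntax of the store


def transform_user_name(principal: str, protocol: str) -> Optional[str]:
    """Map a protocol-specific principal to the CMS account name, or None if not acceptable."""
    if protocol == "NTLM":        # DOMAIN\user
        domain, sep, user = principal.partition("\\")
        if not sep or domain.upper() not in TRUSTED_NTLM_DOMAINS:
            return None
    elif protocol == "KERBEROS":  # user@REALM; service principals (host/x@REALM) are not users
        user, sep, realm = principal.rpartition("@")
        if not sep or realm not in TRUSTED_KERBEROS_REALMS or "/" in user:
            return None
    elif protocol == "CAS":       # CAS hands back the bare user name in its validate response
        user = principal
    else:
        return None
    user = user.lower()           # normalise case once, here, so every lookup sees one spelling
    return user if USER_NAME_RE.fullmatch(user) else None


class SsoUserDriver:
    """Stands in for the custom user driver: trusts the SSO principal, never sees a password."""

    def __init__(self, synchronized_accounts: Set[str]):
        self._accounts = synchronized_accounts  # populated by the LDAP/AD account synchronization

    def login(self, principal: str, protocol: str) -> Optional[str]:
        name = transform_user_name(principal, protocol)
        if name is None or name not in self._accounts:
            return None  # no local account yet: synchronization has to create it first
        return name


def run_demo() -> dict:
    driver = SsoUserDriver({"jdoe", "asmith"})  # constructed synchronized store
    return {
        "ntlm": driver.login("EXAMPLE\\JDoe", "NTLM"),                                   # "jdoe"
        "kerberos": driver.login("asmith@EXAMPLE.COM", "KERBEROS"),                      # "asmith"
        "cas": driver.login("jdoe", "CAS"),                                              # "jdoe"
        "foreign_domain": driver.login("OTHER\\jdoe", "NTLM"),                           # None
        "service_principal": driver.login("HTTP/cms.example@EXAMPLE.COM", "KERBEROS"),  # None
        "not_synchronized": driver.login("EXAMPLE\\ghost", "NTLM"),                     # None
    }


if __name__ == "__main__":
    print(run_demo())
```

Rejecting principals from domains or realms the filter was not configured for, and refusing to create accounts on the fly, keeps the decision of who may log in with the synchronized central store rather than with whatever the SSO component forwards.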

SLIDE 16

General architecture

Diagram (general architecture): Filter → OpenCms (Auth. provider, User Driver) ↔ Central user's account storage, LDAP (AD); accounts synchronized by OCEE / OpenCms-LDAP.

SLIDE 17

CAS

Diagram (CAS): Filter → OpenCms (User Driver) ↔ CAS server (login/logout; ticket, cookie); LDAP/… with account synchronization.

SLIDE 18

NTLM

Diagram (NTLM): Filter (challenge-response, JCIFS) → OpenCms (User Driver) ↔ AD with account synchronization.

SLIDE 19

Kerberos

Diagram (Kerberos): Filter → OpenCms (User Driver) ↔ KDC (service ticket, decryption with the service's secret); Central user's account storage with account synchronization.

SLIDE 20

Experiences with Single sign-on

SLIDE 21

Experiences with Single sign-on in real projects

► Popular, user friendly
► Good feedback from customers
► Projects
  » CAS
    › Intranet/extranet
    › Over 30 000 users
  » NTLM
    › Intranet, company with affiliates
    › About 5 000 users
  » Kerberos
    › Intranet

SLIDE 22

Summary

► Single sign-on is attractive for customers
► Useful for intranets
► Architectures of the modules were presented
► Implementation of our modules is based on the presented architectures
  » Knowledge of Single sign-on mechanisms

SLIDE 23

► Thank you for your attention, any questions?

SLIDE 24
