Identity Management Overview: CAS and Shibboleth
Description
Slide deck from the CAS and Shibboleth portion of the 15 December 2009 Unicon webinar on CAS, Shibboleth, and VASCO.
Transcript
![Page 1: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/1.jpg)
Identity Management Overview
CAS and Shibboleth
Andrew Petro, Unicon
John Lewis, Unicon
Adam Dolby, VASCO
15 December 2009
Copyright Unicon, Inc., 2009. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License.
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Some content drawn from prior presentations at Jasig conferences.
![Page 2: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/2.jpg)
About Unicon
IT Consulting Services for Education, Specializing in Open Source
IT Consulting Services
• Technology Delivery and Support
• Systems Integration
• Software Engineering
Open Source Technology Solutions
• Enterprise Portal
• Identity Management
• Learning Management
• Email and Collaboration
For more information about Unicon, please visit: http://www.unicon.net
Contact us at: 480-558-2400 or [email protected]
![Page 3: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/3.jpg)
Jasig CAS in 15 Minutes
Andrew Petro, Unicon, Inc.
See also http://www.unicon.net/blog/3/ten_minute_cas_intro
![Page 4: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/4.jpg)
What is CAS?
open source
single sign on
for the Web
![Page 5: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/5.jpg)
Multi-Sign-On for the Web
![Page 6: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/6.jpg)
At Least with One Username/Password?
![Page 7: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/7.jpg)
All Applications Touch Passwords
![Page 8: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/8.jpg)
Any Compromise Leaks Primary Credentials
![Page 9: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/9.jpg)
Adversary Then Can Run Wild
![Page 10: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/10.jpg)
The Solution
• What if there were only one login form in your organization, only one application trusted to touch primary credentials?
![Page 11: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/11.jpg)
Delete Your Login Forms
![Page 12: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/12.jpg)
Webapps No Longer Touch Passwords
![Page 13: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/13.jpg)
Adversary Compromises Only Single Apps
![Page 14: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/14.jpg)
![Page 15: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/15.jpg)
Webapps No Longer Touch Passwords
![Page 16: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/16.jpg)
Provided Authentication Handlers
• LDAP
– Fast bind
– Search and bind
• Active Directory
– LDAP
– Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
![Page 17: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/17.jpg)
What About Portals?
Need to go get interesting content from different systems.
• E-mail
• Calendar
• E-Learning
• Student Information System
![Page 18: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/18.jpg)
[Diagram: Password Replay. The Portal runs three Channels, each connecting to a Password-Protected Service; the user's password (PW) is passed along every hop.]
![Page 19: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/19.jpg)
Look Ma, No Password!
• Without a password to replay, how am I going to authenticate my portal to other applications?
![Page 20: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/20.jpg)
“Proxy” CAS
• Some Web applications “proxy” authentication to backing services on behalf of the user
• “Proxied” applications/services may themselves proxy authentication to others
• CAS authenticates both the end user and the proxy
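The two slides above describe the problem (a portal with no password to replay) and the CAS answer (proxy tickets). The following is an added example, not code from the CAS project or from Unicon: a toy model of the CAS ticket flow in which a portal authenticates the user through CAS, obtains a proxy-granting ticket, and then reaches a backing mail service with a proxy ticket. Service URLs, ticket formats, the ticket lifetime and the demo user are constructed for illustration; a real CAS server delivers the PGT to the service over an HTTPS callback rather than in the validation response as modelled here.

```python
# Added example (not CAS project or Unicon code): toy CAS ticket flow with proxy tickets.
# Service URLs, TTL, ticket formats and the user "alice" are constructed for illustration.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Ticket:
    kind: str            # "ST" service ticket, "PGT" proxy-granting ticket, "PT" proxy ticket
    user: str
    service: str         # service URL (or pgtUrl for a PGT) the ticket was issued for
    issued_at: float
    proxy_chain: list = field(default_factory=list)  # pgtUrls the authentication passed through
    used: bool = False   # ST and PT are single-use; a PGT may be used repeatedly


class CasServer:
    TICKET_TTL = 10.0    # seconds; ST/PT are short-lived (constructed value)

    def __init__(self, registered_services, authenticator):
        # "Services management": only registered URLs may receive tickets or PGTs.
        self.registered = set(registered_services)
        self.authenticator = authenticator   # stands in for a pluggable handler (LDAP, JDBC, ...)
        self.tgts = {}       # TGT id -> username (the SSO session)
        self.tickets = {}    # ticket id -> Ticket

    def _require_registered(self, url):
        if url not in self.registered:
            raise PermissionError(f"unregistered service: {url}")

    def _new(self, prefix, ticket):
        ticket_id = f"{prefix}-{secrets.token_urlsafe(16)}"
        self.tickets[ticket_id] = ticket
        return ticket_id

    def login(self, username, password):
        """The single login form: the only component that touches the primary credential."""
        if not self.authenticator(username, password):
            raise PermissionError("authentication failed")
        tgt = f"TGT-{secrets.token_urlsafe(16)}"
        self.tgts[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        """Browser redirect to /login?service=...: mint an ST bound to one specific service."""
        self._require_registered(service)
        user = self.tgts[tgt]
        return self._new("ST", Ticket("ST", user, service, time.time()))

    def validate(self, ticket_id, service, pgt_url=None, accept_proxy=False):
        """/serviceValidate (accept_proxy=False) or /proxyValidate (accept_proxy=True).

        Returns (user, proxy_chain, pgt). Real CAS sends the PGT to pgt_url over HTTPS.
        """
        t = self.tickets.get(ticket_id)
        if t is None or t.kind not in ("ST", "PT"):
            raise PermissionError("unknown or wrong-kind ticket")
        if t.used:
            raise PermissionError("ticket already consumed (replay)")
        t.used = True   # consume first so a failed attempt also burns the ticket
        if time.time() - t.issued_at > self.TICKET_TTL:
            raise PermissionError("ticket expired")
        if t.service != service:
            raise PermissionError("ticket was issued for a different service")
        if t.kind == "PT" and not accept_proxy:
            raise PermissionError("proxy tickets are rejected by /serviceValidate")
        pgt = None
        if pgt_url is not None:
            self._require_registered(pgt_url)
            pgt = self._new("PGT", Ticket("PGT", t.user, pgt_url, time.time(),
                                          t.proxy_chain + [pgt_url]))
        return t.user, list(t.proxy_chain), pgt

    def proxy(self, pgt, target_service):
        """/proxy: a PGT holder asks for a PT for a backing service. No password is involved."""
        p = self.tickets.get(pgt)
        if p is None or p.kind != "PGT":
            raise PermissionError("invalid proxy-granting ticket")
        self._require_registered(target_service)
        return self._new("PT", Ticket("PT", p.user, target_service, time.time(), list(p.proxy_chain)))


def demo():
    """Portal authenticates the user via CAS, then reaches the mail service with a PT."""
    portal = "https://portal.example.edu/"                 # constructed URLs
    portal_cb = "https://portal.example.edu/pgtCallback"
    mail = "https://mail.example.edu/"
    cas = CasServer({portal, portal_cb, mail},
                    authenticator=lambda u, p: (u, p) == ("alice", "correct-horse"))
    tgt = cas.login("alice", "correct-horse")
    st = cas.issue_service_ticket(tgt, portal)
    user, _, pgt = cas.validate(st, portal, pgt_url=portal_cb)   # portal never saw the password
    pt = cas.proxy(pgt, mail)
    mail_user, chain, _ = cas.validate(pt, mail, accept_proxy=True)
    return {"cas": cas, "st": st, "pgt": pgt, "user": user, "mail_user": mail_user, "chain": chain}


if __name__ == "__main__":
    print(demo()["chain"])
```

The mail service learns who the user is and which proxy (by its pgtUrl) the authentication passed through, so it can decide whether it trusts that proxy; the portal never held a password it could replay or leak.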
![Page 21: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/21.jpg)
CAS – More than Authentication
• Return attributes of logged on users
• Adding support for standards
– OpenID
– SAML
• Single Sign-Out
• RESTful API
• Support for clustering
• Services management
• Remember me (long-term SSO)
![Page 22: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/22.jpg)
CAS Integration Libraries
• Java
• Spring Security
• PHP
• Apache Module
• ASP
• Python
• Ruby
• ...
• Drupal module
• uPortal
• Liferay
• Sakai
• TikiWiki
• ...
![Page 23: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/23.jpg)
Unicon Services for CAS
• Implementation Planning
• Branding and User Experience
• Installation and Configuration
• Custom Development
• Consulting and Mentoring
• CASification of uPortal, Sakai, and other applications
• Upgrades
For more information, please visit
http://www.unicon.net/services/cas
![Page 25: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/25.jpg)
Shibboleth & Federated Identities
![Page 26: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/26.jpg)
Shibboleth
Enterprise federated identity software
− Based on standards (principally SAML)
− Extensive architectural work to integrate with existing systems
− Designed for deployment by communities
Most widely used in education, government
Broadly adopted in Europe
2.0 release implements SAML 2
− Backward compatible with 1.3
![Page 27: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/27.jpg)
Shibboleth Project
Free & Open Source
− Apache 2.0 license
Enterprise and Federation oriented
Started 2000 with first released code in 2003
Excellent community support
− http://shibboleth.internet2.edu
![Page 28: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/28.jpg)
Why Federated Identity?
Authoritative information
− Users, privileges, attributes
Improved security
− Fewer user accounts in the world
Privacy when needed
− Fine control over attribute sharing
Saves time & money
− Less work administrating users
![Page 29: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/29.jpg)
What Is SAML?
Security Assertion Markup Language (SAML)
XML-based Open Standard
Exchange authentication and authorization data between
security domains
− Identity Provider (a producer of assertions)
− Service Provider (a consumer of assertions)
Approved by OASIS Security Services
− SAML 1.0 November 2002
− SAML 2.0 March 2005
![Page 30: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/30.jpg)
Major SAML Applications
Proquest
Project MUSE
Thomson Gale
Elsevier ScienceDirect
Google Apps
ExLibris MetaLib
Sakai & Moodle
uPortal
DSpace, Fedora
Ovid
Microsoft DreamSpark
Moodle, Joomla, Drupal
JSTOR, ArtSTOR, OCLC
Blackboard & WebCT
WebAssign & TurnItIn
MediaWiki / Confluence
National Institutes of Health
National Digital Science Library
![Page 31: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/31.jpg)
How Federated Identity Works
A user tries to access a protected application
The user tells the application where it’s from
The user logs in at home
Home tells the application about the user
The user is rejected or accepted
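The five steps above, as an added example that is not part of the deck or of the Shibboleth project: a toy SAML-style exchange between a service provider and the user's home identity provider, focused on the checks the SP must make at step 5 before accepting the assertion. The signature is an HMAC stand-in for the XML Signature a real IdP produces with its certificate; entity IDs, the key, the directory entry and the released attributes are constructed for illustration. The trusted IdP list stands in for federation metadata.

```python
# Added example (not Shibboleth project code): toy SAML-style login with SP-side validation.
# HMAC stands in for XML Signature; entity IDs, key, user and attributes are constructed.
import hashlib
import hmac
import json
import secrets
import time


def sign(key, payload):
    """Stand-in for XML Signature: HMAC over a canonical serialisation of the assertion."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """The user's home organisation: the only party that ever sees the password."""

    def __init__(self, entity_id, key, directory):
        self.entity_id, self.key, self.directory = entity_id, key, directory

    def authenticate_and_assert(self, username, password, authn_request, now=None):
        """Steps 3 and 4: the user logs in at home; home tells the application about the user."""
        record = self.directory.get(username)
        if record is None or record["password"] != password:
            raise PermissionError("login failed")
        now = time.time() if now is None else now
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": self.entity_id,
            "Subject": {"NameID": username, "InResponseTo": authn_request["ID"]},
            "Conditions": {"Audience": authn_request["Issuer"],
                           "NotBefore": now, "NotOnOrAfter": now + 300},
            "AttributeStatement": record["attributes"],   # released per attribute policy
        }
        return assertion, sign(self.key, assertion)


class ServiceProvider:
    CLOCK_SKEW = 60  # seconds of tolerance for IdP/SP clock drift (constructed value)

    def __init__(self, entity_id, federation_metadata):
        self.entity_id = entity_id
        self.metadata = federation_metadata   # trusted IdPs and their keys, as a federation publishes
        self.outstanding = {}                 # AuthnRequest ID -> IdP it was sent to
        self.seen_assertions = set()          # replay cache

    def start_login(self, idp_entity_id):
        """Steps 1 and 2: user hits a protected app and says where they are from."""
        if idp_entity_id not in self.metadata:
            raise PermissionError("IdP is not in federation metadata")
        request = {"ID": "_" + secrets.token_hex(16), "Issuer": self.entity_id,
                   "Destination": idp_entity_id}
        self.outstanding[request["ID"]] = idp_entity_id
        return request

    def consume(self, assertion, signature, now=None):
        """Step 5: accept or reject. Each check is one an SP must not skip."""
        now = time.time() if now is None else now
        issuer = assertion.get("Issuer")
        key = self.metadata.get(issuer)
        if key is None:
            raise PermissionError("assertion from an issuer outside the federation")
        if not hmac.compare_digest(sign(key, assertion), signature):
            raise PermissionError("signature does not verify under the issuer's key")
        cond = assertion["Conditions"]
        if cond["Audience"] != self.entity_id:
            raise PermissionError("assertion was issued to a different SP")
        if now < cond["NotBefore"] - self.CLOCK_SKEW or now >= cond["NotOnOrAfter"] + self.CLOCK_SKEW:
            raise PermissionError("assertion outside its validity window")
        if assertion["ID"] in self.seen_assertions:
            raise PermissionError("assertion replayed")
        if self.outstanding.pop(assertion["Subject"]["InResponseTo"], None) != issuer:
            raise PermissionError("assertion does not answer a request this SP sent to that IdP")
        self.seen_assertions.add(assertion["ID"])
        return assertion["Subject"]["NameID"], dict(assertion["AttributeStatement"])


def demo():
    idp_id = "https://idp.example.edu/shibboleth"            # constructed entity IDs
    sp_id = "https://journal.example.org/shibboleth"
    idp_key = secrets.token_bytes(32)                        # would be the IdP's signing certificate
    directory = {"alice": {"password": "correct-horse",      # constructed directory entry
                           "attributes": {"eduPersonPrincipalName": "alice@example.edu",
                                          "eduPersonScopedAffiliation": "member@example.edu"}}}
    idp = IdentityProvider(idp_id, idp_key, directory)
    sp = ServiceProvider(sp_id, federation_metadata={idp_id: idp_key})
    request = sp.start_login(idp_id)
    assertion, sig = idp.authenticate_and_assert("alice", "correct-horse", request)
    name_id, attrs = sp.consume(assertion, sig)
    return {"sp": sp, "assertion": assertion, "sig": sig, "name_id": name_id, "attributes": attrs}


if __name__ == "__main__":
    print(demo()["attributes"])
```

The SP never sees the password; it only trusts a signed statement from an issuer whose key it already holds, and it rejects anything that is unsigned, addressed to another SP, stale, unsolicited or replayed.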
![Page 32: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/32.jpg)
![Page 33: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/33.jpg)
Role of a Federation
Agreed upon Attribute Definitions
− Group, Role, Unique Identifier, Courses, …
Criteria for IdM & IdP practices
− user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
Digital Certificates
Trusted “notary” for all members
Not needed for Federated IdM, but does make things even easier
![Page 34: Identity Management Overview: CAS and Shibboleth](https://reader033.vdocument.in/reader033/viewer/2022051513/54743bedb4af9fae0a8b562f/html5/thumbnails/34.jpg)
InCommon Federation
Federation for U.S. Higher Education & Research (and Partners)
Over Three Million Users
163 Organizations
Self-organizing & Heterogeneous
Policy Entrance bar intentionally set low
Doesn’t impose lots of rules and standards
http://www.incommonfederation.org/