Integration of N-tiers application using CAS Single Sign On system with Horde webmail

EuroCAMP, 8 May 2008

Jan Du Caju
ICT security officer
K.U.Leuven, Belgium
Jan.DuCaju@icts.KULeuven.be
Outline
- context: association K.U.Leuven
- N-tiers problem space
- Proxy CAS
- The gory details
- Future
- Conclusions
Introduction: context association K.U.Leuven
The educational landscape reflects the political situation: the association K.U.Leuven consists of 1 university and 12 schools of higher education.
Need for resource sharing: since 2004, Shibboleth for institutional and inter-institutional web resources.
Introduction: context association K.U.Leuven (continued)
Every institution of the association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure, including a Shibboleth IdP and CAS).
Resources
- e-learning: Blackboard and other coupled education applications
- library: Ex Libris, and access to scientific papers, publications and databases
- work place context: intranet, webmail, groupware and inter-institutional offers
- research context: HPC et al.
- administrative and organizational context: SAP
Federations
- K.U.Leuven (institutional)
- Association K.U.Leuven
- K.U.Leuven - UZLeuven (university hospital)
- Not yet :-\ a national federation at NREN level (Belnet)
N-tiers problem space
[Diagram: browser -> webmail -> imap server. The browser sends uid and password to the webmail; the webmail forwards the same uid and password to the imap server, so the user's password passes through the application tier.]
Goal
- Password does not pass the application server
- Secure (no caching of passwords, ...)
- Single Sign-On
CAS
- Originally an open-source WebISO developed by Yale University
- JA-SIG project since December 2004
- Loosely based on Kerberos: passwords are replaced by tickets (≈ one-time passwords)
- Server: Java & Spring framework
- Client: lots of implementations and libraries
CAS roles
[Diagram: browser, webmail, CAS server, imap server.]
- CAS server: a trusted arbiter of authenticity
- imap server: back-end service
- proxy (here the webmail): a service that wants to access another service on behalf of a particular user
CAS login flow
[Diagram build-up, slide by slide: browser, webmail (service S1), CAS server, imap server.]
- The browser requests the webmail, service S1 = https://webmail.kuleuven.be; the webmail redirects the browser to the CAS server with S1 as the service parameter.
- The CAS server shows the login page; the user enters uid and password. The password goes to the CAS server only.
- The CAS server sets a Ticket Granting Cookie (TGC) in the browser and redirects the browser back to S1 with a service ticket (ST).
- The webmail submits the ST to the CAS server for verification of the service ticket and learns the uid.
- Result: the webmail knows the uid but never saw the password.
N-tiers problem space
[Diagram: the webmail holds the uid and a verified ST; the hop to the imap server is marked "?": what can the webmail present to the imap server in place of the password?]
Proxy CAS
[Diagram build-up, slide by slide: browser, webmail (S1), CAS server, imap server (S2).]
- When the webmail verifies the ST with the CAS server, it additionally supplies a Proxy Granting Ticket URL (PGT-URL).
- The CAS server calls the PGT-URL on the webmail and delivers a Proxy Granting Ticket (PGT) together with a PGTIOU; the PGTIOU is also returned in the ST verification response, which lets the webmail correlate the PGT with the uid.
- To reach service S2 = imap://imap.kuleuven.be, the webmail presents its PGT and S2 to the CAS server.
- The CAS server returns a Proxy Ticket (PT) for S2.
- The webmail logs in to the imap server with the uid and the PT in place of the password.
- The imap server submits the PT and S2 to the CAS server for verification.
- The CAS server confirms the PT and returns the uid; the imap server accepts the login. The password has passed neither the webmail nor the imap server.
EuroCAMP 8may2008
Integration of N-tiers application
using CAS Single Sign On system
with Horde webmail
context association K.U.Leuven
N-tiers problem space
Proxy CAS
The gory details
Future
Conclusions
Jan.DuCaju@icts.KULeuven.be
EuroCAMP 8may2008
The gory details
[Diagram: browser -> webmail (php, CAS proxy) -> imap proxy, which keeps a persistent imap connection -> imap server (PAM_CAS). The webmail obtains a PT for S2 from the CAS server and sends uid + PT to imap; the imap server verifies the PT with the CAS server and receives the uid.]
The gory details (continued)
imap server
- PAM_CAS: exchange of tickets with the CAS server
Horde IMP webmail server
- standard: Apache, php, Horde IMP
- imap proxy: keeps a persistent imap connection; mostly implemented for performance, but it has the additional advantage that no new PT (Proxy Ticket) is needed for each request
- phpCAS client: exchange of tickets with the CAS server
- ESUP glue code to let the phpCAS client & Proxy CAS communicate seamlessly with Horde IMP
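The ticket exchange described above (the CAS login, the Proxy CAS sequence, and the phpCAS / PAM_CAS roles from the gory details) as one runnable, offline model. This is an added example, not code from the slides, phpCAS, PAM_CAS, ESUP or the CAS server: the HTTPS calls of the CAS 2.0 protocol (/login, /serviceValidate with pgtUrl, the PGT callback, /proxy, /proxyValidate) become Python method calls and the cas:serviceResponse XML becomes a dict. S1 and S2 are the service names from the slides; the callback path /casProxyCallback, the test account and the second proxy are assumptions. It also makes explicit one check the slides leave implicit: the imap side compares the proxy chain returned by /proxyValidate against an allowlist, so a PT minted through some other CAS-enabled service is refused even though CAS confirms it.

```python
"""Offline model of the CAS 2.0 ticket exchange sketched above (ST/TGC, then PGT/PGTIOU/PT).
Added illustration, not phpCAS, PAM_CAS, ESUP or CAS server code: HTTPS becomes method calls."""
import secrets

S1 = "https://webmail.kuleuven.be"                           # webmail, from the slides
S1_PGT_URL = "https://webmail.kuleuven.be/casProxyCallback"  # assumed callback path
S2 = "imap://imap.kuleuven.be"                               # IMAP server, from the slides


def ticket(prefix):
    return prefix + "-" + secrets.token_urlsafe(16)


class CasServer:
    """Ticket registry of the CAS server, the trusted arbiter of authenticity."""
    def __init__(self, users):
        self.users = users                                     # uid -> password; constructed sample data
        self.tgc, self.st, self.pgt, self.pt = {}, {}, {}, {}  # registries keyed by ticket string
        self.callbacks = {}   # pgtUrl -> callable; a real CAS only calls HTTPS URLs it trusts

    def login(self, uid, password, service):
        """/login: the only tier that ever sees the password. Returns (TGC, ST)."""
        if self.users.get(uid) != password:
            return None
        tgc = ticket("TGC")
        self.tgc[tgc] = uid
        return tgc, self.issue_st(tgc, service)

    def issue_st(self, tgc, service):   # /login with a valid TGC: SSO; the ST is bound to one service
        st = ticket("ST")
        self.st[st] = (self.tgc[tgc], service)
        return st

    def service_validate(self, st, service, pgt_url=None):
        """/serviceValidate: one-time check that the ST was issued for `service`; with pgtUrl,
        CAS delivers (pgtId, pgtIou) to the proxy before it answers with the PGTIOU."""
        uid, bound = self.st.pop(st, (None, None))   # pop: a replayed ST fails
        if uid is None or bound != service:
            return {"ok": False}
        resp = {"ok": True, "user": uid}
        if pgt_url in self.callbacks:
            pgt, iou = ticket("PGT"), ticket("PGTIOU")
            self.pgt[pgt] = (uid, pgt_url)
            self.callbacks[pgt_url](pgt, iou)
            resp["pgtiou"] = iou
        return resp

    def proxy(self, pgt, target):   # /proxy: mint a PT for `target` on behalf of the PGT's user
        uid, pgt_url = self.pgt[pgt]
        pt = ticket("PT")
        self.pt[pt] = (uid, target, pgt_url)
        return pt

    def proxy_validate(self, pt, service):
        """/proxyValidate: one-time check of a PT; returns the uid and the proxy chain."""
        uid, target, pgt_url = self.pt.pop(pt, (None, None, None))
        if uid is None or target != service:
            return {"ok": False}
        return {"ok": True, "user": uid, "proxies": [pgt_url]}


class Webmail:
    """S1, the proxy. It holds tickets only; the password never enters this tier."""
    def __init__(self, cas):
        self.cas, self.by_iou, self.sessions = cas, {}, {}
        cas.callbacks[S1_PGT_URL] = lambda pgt, iou: self.by_iou.update({iou: pgt})

    def handle_login(self, st):
        """Browser arrives with ?ticket=ST-...: validate it, then claim the PGT by its PGTIOU."""
        r = self.cas.service_validate(st, S1, pgt_url=S1_PGT_URL)
        if not r["ok"] or "pgtiou" not in r:
            return None
        self.sessions[r["user"]] = self.by_iou.pop(r["pgtiou"])
        return r["user"]

    def imap_password(self, uid):   # the password slot of IMAP LOGIN gets a fresh PT
        return self.cas.proxy(self.sessions[uid], S2)


def imap_login(cas, uid, password):
    """S2 side, PAM_CAS-style: the password is a PT, validated once with CAS. A valid PT is
    not enough: the uid must match and every hop in the proxy chain must be trusted."""
    r = cas.proxy_validate(password, S2)
    return bool(r["ok"] and r["user"] == uid and r["proxies"] and set(r["proxies"]) <= {S1_PGT_URL})


def demo():
    cas = CasServer({"u0012345": "correct horse"})   # constructed test account
    webmail = Webmail(cas)
    tgc, st = cas.login("u0012345", "correct horse", S1)
    uid = webmail.handle_login(st)
    pt = webmail.imap_password(uid)
    cas.pgt["PGT-other"] = (uid, "https://other.example/cb")   # a second proxy, not trusted by IMAP
    return {                                         # dict values evaluate in order
        "imap_login": imap_login(cas, uid, pt),
        "pt_replay": imap_login(cas, uid, pt),       # PT is one-time
        "st_replay": webmail.handle_login(st),       # ST is one-time
        "wrong_service": cas.service_validate(cas.issue_st(tgc, "https://evil.example"), S1)["ok"],
        "untrusted_proxy": imap_login(cas, uid, cas.proxy("PGT-other", S2)),
    }
```

demo() runs the happy path and then the failure cases: a replayed PT or ST is rejected because every ticket is popped from the registry when it is validated, an ST issued for another service does not validate for S1, and a PT obtained through a proxy that is not on the imap allowlist is refused even though the CAS server vouches for it. Two points carry over to a real deployment: the PGT callback must be an HTTPS URL whose certificate the CAS server trusts, and the PGT the webmail keeps is a session credential in its own right, since it lets the webmail mint PTs for any target the CAS server allows until the user's CAS session ends.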
Future
- K.U.Leuven needs calendar functionality: moving from imap to MS Exchange
- Working proof-of-concept: ADFS-enabled OWA (Outlook Web Access) integrated with our Shibboleth IdP
- Implementation: summer 2008
Conclusion
Integration of N-tiers applications
- dependent on the application
- one possibility: by means of Proxy CAS
Credits
- Philip Brusten
- Jan Van der Velpen (CAS developer)
URLs
- http://shib.kuleuven.be
- http://kuleuven.be/english
- http://associatie.kuleuven.be/eng
References
- http://www.ja-sig.org/cas
- http://esup-portal.org