ClearPass - Unicon
ClearPass: A CAS Extension Enabling Credential Replay
Andrew Petro, Unicon, Inc.
Jasig 2010, San Diego, CA, 09 March 2010
© Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
http://www.ja-sig.org/wiki/display/CASUM/ClearPass
2
Disclaimers
Personal opinions are my own
Opinions herein are my own, and are not necessarily those of my employer, of Jasig, of the Jasig CAS steering committee, or of anyone else.
CC-NC-SA disclaims warranty
Creative Commons licenses have some fantastic language for disclaiming warranties. That's in part why speakers use them.
3
Agenda
1. What is ClearPass?
2. How does ClearPass work?
3. uPortal example
4. Outlook Web Access example
5. Continued adoption in new environments
6. Questions?
5
ClearPass
● Free and Open Source Software
● Extending CAS to...
– capture the end user's password at login
– and selectively release this password to authorized applications
● Like, say, an enterprise portal
6
Whence?
● Developed by Unicon for Sacramento State University and released as Free and Open Source Software
● Updated by Scott Battaglia via effort funded through Unicon's Cooperative Support for CAS Cooperative Development program
7
Concretely, what?
● Extensions to Jasig CAS to capture and expose credentials
● Extensions to Jasig uPortal to consume the credentials
● https://www.ja-sig.org/svn/cas-extensions/clearpass/
9
Say what?
● Did I say ClearPass is an extension for releasing the end user's password???
● That sounds like a really bad idea.
11
Passwords are such useful things
● Have you ever given anyone your password?
– To anything?
Image: http://www.flickr.com/photos/bulldogsrule/512916347 (http://creativecommons.org/licenses/by-nc-nd/2.0/)
12
Two purposes
● End-user single sign on
● N-tier application-to-application-on-behalf-of-user authentication
17
N-tier authentication
● User authenticates to Application 1
● Application 1 authenticates to Application 2 on behalf of User
● How to accomplish this?
18
Options for N-Tier AuthN
● Principled Enterprise SSO regimes with Delegation
● Application-to-application authentication methods with assertion of user identity
● Direct use of end-user credentials
22
Why ClearPass?
● End-user single sign on to difficult-to-CASify Web applications
● N-tier application-to-application-on-behalf-of-user authentication to difficult-to-CASify services
26
CAS 2.0: Proxy CAS
Diagram: web browser, web application and CAS; the browser presents its NetID to CAS, CAS issues a service ticket (ST) to the web application, and the application's https listener (PGTURL) receives a PGTIOU and PGT.
27
CAS 2.0: Proxy CAS
Diagram: web browser, web application, CAS and back-end application; the web application uses its PGT to obtain proxy tickets (PT) from CAS, presents a PT to the back-end application, which validates it with CAS and returns data.
Proxiable credentials illustrated
Diagram: IMP webmail receives an ST and a PGT from CAS, obtains PTs and presents them to the IMAP server, whose CAS PAM module validates each PT with CAS. A PT conveys the username and the identity of the web resource.
ClearPass CAS Extensions
● Capture the password at login
● Cache the password
● Release the password to authorized applications
31
Capture password at login
● In a perhaps too-clever way
– AuthenticationMetaDataPopulator
● But minimally invasive
32
Declaring the Cacher
<bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
    <constructor-arg index="0" ref="credentialsCache" />
</bean>
33
Declaring and injecting
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
            <constructor-arg index="0" ref="credentialsCache" />
        </bean>
    </list>
</property>
34
Cache the password
● In an EhCache
– So this cache can be shared across CAS server instances in a cluster
– Can also be just in-memory
36
ClearPassController
public ModelAndView handleRequestInternal(HttpServletRequest request,
                                          HttpServletResponse response) {
    // The remote user is set by the CAS client filters after proxy ticket validation
    final String userName = request.getRemoteUser();
    if (userName != null) {
        final String password = this.credentialsCache.get(userName);
        return new ModelAndView(this.successView, MODEL_CLEARPASS, password);
    }
    return returnError("No authentication information provided.");
}
37
Response from /clearpass endpoint
<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:clearPassSuccess>
        <cas:credentials>actual_password</cas:credentials>
    </cas:clearPassSuccess>
</cas:clearPassResponse>
39
Wait, the password's in the clear?
● Well, no, not really.
● Clearpass callback URL is
– Accessed via HTTPS
– Request authenticated via Proxy CAS Ticket
41
clearPassSuccess.jsp
<%@ page session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:clearPassSuccess>
        <cas:credentials>${fn:escapeXml(credentials)}</cas:credentials>
    </cas:clearPassSuccess>
</cas:clearPassResponse>
43
Authenticating to ClearPass
● How do applications authenticate to CAS ClearPass to get the password?
– Need to authenticate both the application and participation in a CAS single sign on session
44
Authenticated via PT!
● Use the Jasig CAS Client library itself to authenticate applications to the ClearPass CAS extension!
45
Uses Jasig Java CAS Client
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/clearPass</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/clearPass</url-pattern>
</filter-mapping>
46
Uses Jasig Java CAS Client
<filter>
    <!-- filter-name as referenced by the "CAS Validation Filter" filter-mapping -->
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://my.clearpass.cas.instance/</param-value>
    </init-param>
    <init-param>
        <!-- only a PT proxied through this chain may reach /clearPass -->
        <param-name>allowedProxyChains</param-name>
        <param-value>http://my.uportal.edu/CasProxyServlet</param-value>
    </init-param>
</filter>
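The three ClearPass pieces on the preceding slides (the metadata populator that captures the password, the cache, and the /clearpass controller guarded by the CAS client's proxy ticket validation and allowedProxyChains) are shown together below as one runnable plain-Java sketch. This is an added example, not code from the ClearPass project or the slides: the class and method names (ClearPassDemo, ProxyTicketOutcome, captureOnLogin, handleClearPass, proxyChainAllowed) are hypothetical stand-ins for the Spring beans and the Cas20ProxyReceivingTicketValidationFilter, the proxy chain is modelled as an exact list match, the sample user and password are constructed, and the cas:clearPassFailure element is an assumption (the slides only show the success document). It requires Java 9 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Plain-Java sketch of the ClearPass server side: capture the password at CAS
 * login, cache it by username, and release it only to a caller whose proxy
 * ticket validated with an allowed proxy chain. All names here are hypothetical
 * stand-ins for the Spring beans and CAS client filter on the slides.
 */
public class ClearPassDemo {

    /** Stand-in for the 'credentialsCache' EhCache bean: username -> password. */
    static final Map<String, String> credentialsCache = new ConcurrentHashMap<>();

    /** Role of CacheCredentialsMetaDataPopulator: runs once CAS has authenticated the user. */
    static void captureOnLogin(String username, String password) {
        credentialsCache.put(username, password);
    }

    /** Simplified result of Cas20ProxyReceivingTicketValidationFilter validating a PT. */
    static final class ProxyTicketOutcome {
        final String remoteUser;        // NetID asserted by CAS (request.getRemoteUser())
        final List<String> proxyChain;  // cas:proxies from the validation response, nearest proxy first
        ProxyTicketOutcome(String remoteUser, List<String> proxyChain) {
            this.remoteUser = remoteUser;
            this.proxyChain = proxyChain;
        }
    }

    /** allowedProxyChains (simplified): the PT's proxy chain must equal one configured chain. */
    static boolean proxyChainAllowed(List<String> chain, Set<List<String>> allowedChains) {
        return allowedChains.contains(chain);
    }

    /** Same escaping as JSTL fn:escapeXml in clearPassSuccess.jsp. */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * What the /clearpass endpoint returns. In the real deployment the filter decides
     * whether the PT is valid and from an allowed chain before ClearPassController
     * runs; here both steps sit in one method so the whole decision is visible.
     */
    static String handleClearPass(ProxyTicketOutcome pt, Set<List<String>> allowedChains) {
        if (pt == null || !proxyChainAllowed(pt.proxyChain, allowedChains)) {
            return failure("Request not authenticated via an allowed proxy chain.");
        }
        String password = credentialsCache.get(pt.remoteUser);
        if (password == null) {
            return failure("No authentication information provided.");
        }
        return "<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n"
             + "  <cas:clearPassSuccess>\n"
             + "    <cas:credentials>" + escapeXml(password) + "</cas:credentials>\n"
             + "  </cas:clearPassSuccess>\n"
             + "</cas:clearPassResponse>";
    }

    /** Assumed failure document shape; the slides only show the success case. */
    static String failure(String message) {
        return "<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n"
             + "  <cas:clearPassFailure>" + escapeXml(message) + "</cas:clearPassFailure>\n"
             + "</cas:clearPassResponse>";
    }

    public static void main(String[] args) {
        // Constructed sample data: one login, and the portal's proxy callback as the only allowed chain.
        captureOnLogin("jdoe", "p<a&ss'word\"");
        Set<List<String>> allowed = Set.of(List.of("http://my.uportal.edu/CasProxyServlet"));

        // 1. PT proxied by the portal: password released, with XML special characters escaped.
        System.out.println(handleClearPass(
            new ProxyTicketOutcome("jdoe", List.of("http://my.uportal.edu/CasProxyServlet")), allowed));
        // 2. PT proxied by an application not in allowedProxyChains: refused although the user is cached.
        System.out.println(handleClearPass(
            new ProxyTicketOutcome("jdoe", List.of("http://other.example.edu/CasProxyServlet")), allowed));
        // 3. Allowed chain but no cached credential (entry expired, or a cluster node without the shared cache).
        System.out.println(handleClearPass(
            new ProxyTicketOutcome("nobody", List.of("http://my.uportal.edu/CasProxyServlet")), allowed));
    }
}
```

Compile and run with `javac ClearPassDemo.java && java ClearPassDemo`. The second case is the one that matters operationally: the cached password is only ever released to a caller whose proxy chain the CAS client filter was configured to accept, which is why the allowedProxyChains value on the previous slide should list exactly the portal's proxy callback and nothing broader.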
48
CAS 2.0: Proxy CAS with ClearPass
Diagram: as in the Proxy CAS diagram, but the back-end application is CAS ClearPass; the web application uses its PGT to obtain a PT, presents it to CAS ClearPass, and receives the password instead of application data.
Portal: Password Replay
Diagram: the portal holds the user's password (PW) and replays it from each channel to a password-protected service.
Portal: Password Replay
Diagram: the same flow with portlets in place of channels; each portlet replays the password (PW) to its password-protected service.
52
ClearPass uPortal module
● https://www.ja-sig.org/svn/cas-extensions/clearpass/tags/clearpass_1_0_0_ga/clearpass-integration-uportal/
● Plugin for uPortal's SecurityContext API
● Implements Password Caching API (supports password replay)
● Implements CAS API (supports CAS proxy tickets)
Portal: Password Replay Alongside PTs
Diagram: the portal holds the password (PW) from ClearPass and a PGT from CAS; portlets replay the password to password-protected services and present PTs to CAS-protected services.
55
Portlets that can use passwords...
● Email preview
● Calendar preview
● Toro Gateway SSO portlet (for credential replay through login forms to achieve end-user SSO experience)
● Web Proxy Portlet
● Your portlet
56
Password as just an attribute
● A special, important attribute
● But just a standard JSR 168 user attribute
● Portlet doesn't care whether it came from ClearPass
57
SSO into Datatel WebAdvisor
● http://www.ja-sig.org/wiki/display/CASC/CASifying+WebAdvisor
● ClearPass
● uPortal
● Toro Gateway SSO portlet
58
(There's more to this story)
● (Apparently Datatel WebAdvisor has an optional add-on product enabling SSO?)
● (So that might be a better option?)
● (But probably incurs license fees and uses proprietary software?)
60
Free Software alternatives to OWA
● While ClearPass-infused heroics can be applied to CASify Outlook Web Access...
● You could instead use something under an Open Source license...
62
CasOwaAuthHandler.cs
● Handles an HTTP request
● Obtains a Proxy Ticket to CAS/clearpass
● Uses PT to obtain password from CAS/clearpass
● Uses password to internally POST to OWA login form, reading resulting session cookies
● Sends session cookies back to end user browser (works since running in OWA)
● Redirects browser to OWA
64
Bill Thompson(!) forum post
● http://bit.ly/liferay_jasig_cas_client_forum_discussion
65
Liferay 5 extensions
● http://github.com/wgthom/Cas3Liferay5
● Use Jasig Java CAS Client library
● Obtain PT
● Use PT to obtain Password from ClearPass
● Place password into session where Liferay expects it
● Portlets use it as normal
67
ClearPass
● Enables incremental adoption of Enterprise SSO
● Adopt CAS SSO
● Use ClearPass to enable legacy integrations
● Use CAS and CAS delegated authentication wherever you can
● Improvement: incrementally, less proliferation of passwords and use of passwords
71
Questions & Answers & Discussion
Andrew Petro, Software Developer, Unicon, Inc.
[email protected]/blog/apetro
72
License and Copyleft
© Copyright Unicon, Inc., 2008-2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
73
Acknowledgments
● Bill Thompson for his excellent work developing and documenting Liferay extensions to use Jasig Java CAS Client 3 and ClearPass and OWA extensions to rely upon ClearPass for SSO into OWA.
● http://www.flickr.com/photos/rollerfan/3052241108 (Roller derby timeout image; CC-NC 2.0)