Identity Management Overview: CAS and Shibboleth

Post on 22-Nov-2014



Slide deck from CAS and Shibboleth portion of 15 December 2009 Unicon webinar on CAS, Shibboleth, and VASCO.

Transcript of Identity Management Overview: CAS and Shibboleth

Identity Management Overview: CAS and Shibboleth

Andrew Petro, Unicon

John Lewis, Unicon

Adam Dolby, VASCO

15 December 2009

Copyright Unicon, Inc., 2009. Some Rights Reserved.

This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License.

http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Some content drawn from prior presentations at Jasig conferences.

About Unicon

IT Consulting Services for Education, Specializing in Open Source

IT Consulting Services

• Technology Delivery and Support

• Systems Integration

• Software Engineering

Open Source Technology Solutions

• Enterprise Portal

• Identity Management

• Learning Management

• Email and Collaboration

For more information about Unicon, please visit: http://www.unicon.net

Contact us at: 480-558-2400 or info@unicon.net

Jasig CAS in 15 Minutes

Andrew Petro, Unicon, Inc.

See also http://www.unicon.net/blog/3/ten_minute_cas_intro

What is CAS?

open source

single sign on

for the Web

Multi-Sign-On for the Web

At Least with One Username/Password?

All Applications Touch Passwords

Any Compromise Leaks Primary Credentials

Adversary Then Can Run Wild

The Solution

• What if there were only one login form in your organization, only one application trusted to touch primary credentials?

Delete Your Login Forms

Webapps No Longer Touch Passwords

Adversary Compromises Only Single Apps


Provided Authentication Handlers

• LDAP

– Fast bind

– Search and bind

• Active Directory

– LDAP

– Kerberos (JAAS)

• JAAS

• JDBC

• RADIUS

• SPNEGO

• Trusted

• X.509 certificates

• Writing a custom authentication handler is easy

What About Portals?

Need to go get interesting content from different systems.

• E-mail

• Calendar

• E-Learning

• Student Information System

Diagram: Password Replay. Each portal channel replays the user's password (PW) to a password-protected service.

Look Ma, No Password!

• Without a password to replay, how am I going to authenticate my portal to other applications?


“Proxy” CAS

• Some Web applications “proxy” authentication to backing services on behalf of the user

• “Proxied” applications/services may themselves proxy authentication to others

• CAS authenticates both the end user and the proxy

CAS – More than Authentication

• Return attributes of logged on users

• Adding support for standards

– OpenID

– SAML

• Single Sign-Out

• RESTful API

• Support for clustering

• Services management

• Remember me (long-term SSO)

CAS Integration Libraries

• Java

• Spring Security

• PHP

• Apache Module

• ASP

• Python

• Ruby

• ...

• Drupal module

• uPortal

• Liferay

• Sakai

• TikiWiki

• ...

Unicon Services for CAS

• Implementation Planning

• Branding and User Experience

• Installation and Configuration

• Custom Development

• Consulting and Mentoring

• CASification of uPortal, Sakai, and other applications

• Upgrades

For more information, please visit

http://www.unicon.net/services/cas

Andrew Petro

apetro@unicon.net

www.unicon.net

Questions?


Shibboleth & Federated Identities

Shibboleth

Enterprise federated identity software

− Based on standards (principally SAML)

− Extensive architectural work to integrate with existing systems

− Designed for deployment by communities

Most widely used in education, government

Broadly adopted in Europe

2.0 release implements SAML 2

− Backward compatible with 1.3

Shibboleth Project

Free & Open Source

− Apache 2.0 license

Enterprise and Federation oriented

Started 2000 with first released code in 2003

Excellent community support

− http://shibboleth.internet2.edu

− shibboleth-announce@internet2.edu

Why Federated Identity?

Authoritative information

− Users, privileges, attributes

Improved security

− Fewer user accounts in the world

Privacy when needed

− Fine control over attribute sharing

Saves time & money

− Less work administrating users

What Is SAML?

Security Assertion Markup Language (SAML)

XML-based Open Standard

Exchange authentication and authorization data between security domains

− Identity Provider (a producer of assertions)

− Service Provider (a consumer of assertions)

Approved by OASIS Security Services

− SAML 1.0 November 2002

− SAML 2.0 March 2005

Major SAML Applications

Proquest

Project MUSE

Thomson Gale

Elsevier ScienceDirect

Google Apps

ExLibris MetaLib

Sakai & Moodle

uPortal

DSpace, Fedora

Ovid

Microsoft DreamSpark

Moodle, Joomla, Drupal

JSTOR, ArtSTOR, OCLC

Blackboard & WebCT

WebAssign & TurnItIn

MediaWiki / Confluence

National Institutes of Health

National Digital Science Library

How Federated Identity Works

A user tries to access a protected application

The user tells the application where it’s from

The user logs in at home

Home tells the application about the user

The user is rejected or accepted
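The five steps above, and the earlier point about fine control over attribute sharing, traced in an added example that is not Shibboleth code: the home IdP releases only the attributes its policy allows for the requesting SP and signs the assertion; the SP accepts it only if the issuer is in its trusted set, the signature verifies, the audience and request id match and it has not expired. The HMAC over a constructed shared key stands in for the XML signature and federation metadata a real deployment uses; all entity IDs, users and attributes are constructed.

```python
import hashlib, hmac, json, secrets, time

def sign(key, assertion):  # HMAC over the canonical form stands in for XML-DSig
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class IdentityProvider:
    def __init__(self, entity_id, key, users, release_policy):
        self.entity_id, self.key, self.users = entity_id, key, users
        self.release_policy = release_policy  # SP entity id -> attributes it may receive

    def sso(self, request, username, password):
        """Steps 3-4: the user logs in at home; home tells the SP about the user."""
        if self.users[username]["password"] != password:
            return None
        allowed = self.release_policy.get(request["issuer"], [])
        assertion = {"issuer": self.entity_id, "audience": request["issuer"],
                     "in_response_to": request["id"], "not_on_or_after": int(time.time()) + 300,
                     "attributes": {k: v for k, v in self.users[username]["attrs"].items() if k in allowed}}
        return {"assertion": assertion, "sig": sign(self.key, assertion)}

class ServiceProvider:
    def __init__(self, entity_id, trusted_idps):
        self.entity_id, self.trusted_idps = entity_id, trusted_idps  # keys from federation metadata
        self.pending = set()

    def authn_request(self):
        """Steps 1-2: protected access; the user names a home IdP; the SP issues a request."""
        req = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id}
        self.pending.add(req["id"])
        return req

    def consume(self, response):
        """Step 5: accept or reject on issuer trust, signature, audience, replay and expiry."""
        a = response["assertion"]
        if (key := self.trusted_idps.get(a["issuer"])) is None or not hmac.compare_digest(sign(key, a), response["sig"]):
            return None
        if (a["audience"] != self.entity_id or a["in_response_to"] not in self.pending
                or a["not_on_or_after"] <= time.time()):
            return None
        self.pending.discard(a["in_response_to"])  # each request is answered once
        return a["attributes"]

def demo():
    key = b"constructed-shared-key"  # constructed; stands in for the IdP signing certificate
    users = {"alice": {"password": "pw", "attrs": {"eduPersonAffiliation": "student", "mail": "alice@home.edu"}}}
    idp = IdentityProvider("https://idp.home.edu", key, users, {"https://sp.library.org": ["eduPersonAffiliation"]})
    sp = ServiceProvider("https://sp.library.org", {"https://idp.home.edu": key})
    resp = idp.sso(sp.authn_request(), "alice", "pw")
    forged = {"assertion": dict(resp["assertion"], attributes={"eduPersonAffiliation": "faculty"}), "sig": resp["sig"]}
    return sp.consume(forged), sp.consume(resp), sp.consume(resp)  # (None, {...: "student"}, None)
```

The SP sees the user's affiliation but never the mail attribute, because the IdP's release policy for that SP does not include it.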


Role of a Federation

Agreed upon Attribute Definitions

− Group, Role, Unique Identifier, Courses, …

Criteria for IdM & IdP practices

− user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...

Digital Certificates

Trusted “notary” for all members

Not needed for Federated IdM, but does make things even easier

InCommon Federation

Federation for U.S. Higher Education & Research (and Partners)

Over Three Million Users

163 Organizations

Self-organizing & Heterogeneous

Policy Entrance bar intentionally set low

Doesn’t impose lots of rules and standards

http://www.incommonfederation.org/

John Lewis

jlewis@unicon.net

www.unicon.net

Questions?