
Web Authentication at Iowa

Ed Hill

Software Developer

The University of Iowa

Web authentication - Web Camp, June 7th, 2004

Who Am I

• Ed Hill ([email protected])

• Software Developer at The University of Iowa
• Manager of the WDS Group in AIS
• Projects: ISIS, Admissions, Osiris, Budget, Hawk IRB, Various Elections, etc…
• Background: Java, Unix


Agenda

• Authentication 101
• Hawk IDs
• Active Directory
• Security Policies
• UI Login Tools (passport)
  • What
  • Why
  • How
• Q&A and Feedback


Authentication 101

• Authentication – the mechanism that verifies that an individual is who they claim to be. Typically done based on something known (password)

• Authorization – the mechanism to determine whether or not to allow access to a particular resource or service


Hawk IDs

• A standard login ID used to access many different services around campus

• Before Hawk ID, my login was edhill, ehill, ed_hill, hille, 48006NNNN, etc…

• User friendly, readable, public


Hawk IDs - Gotchas

• Hawk IDs are not immutable
• Hawk IDs are not unique over time
• Hawk IDs are not 8 characters long, they are 30 characters long
• Thought about your “special” accounts? What if someone has a hawkid of “root”, “admin”, etc…

• Don’t use Hawk IDs as primary keys in your application (University ID is a better choice)


Active Directory (AD)

• Active Directory (AD) is a directory that supports Windows services and is the directory where the Hawk ID passwords are kept

• Before AD and Hawk ID – chaos/anarchy
• Post Hawk ID, before AD – one login id, different passwords for each system
• Post Hawk ID / AD – one login id, one password


Active Directory (AD) - Gotchas

• Accessible via LDAP or Kerberos
• Login failure messages don’t reveal much
• Synchronization among DCs
• Multiple GCs, DCs, realms, ohh my…
• Which domain “owns” a hawkid
• The UPN
  • IOWA\edhill vs edhill


Directories

• When someone says “The Directory”, they can mean one of the following
  • Active Directory (AD) – Authentication, Windows services
  • Enterprise Directory Service (EDS) – protected LDAP directory that contains business data about people
  • White Page / Phonebook – LDAP directory that contains public/published information about people


Security Policies

• If you remember just one thing from this presentation…

• I had nothing to do with the password expiration policy


Security Policies

• Strong passwords are enforced (min 6 characters, 2 alpha, 2 numbers, no parts of your name/hawkid)

• Passwords should not be stored or sent via clear-text

• Passwords expire after 180 days, can’t reset to a previous password

• Proof of identity rules before administrator can reset a person’s password


UI Login Tools - What

• UI Login Tools (formerly called UI passport) provides an authentication service to web applications that sits on top of Active Directory and the UI security policies while insulating the web developer from the details

• Uses Web based protocols: browser redirects, HTTP requests

• Works with any web development technology: Java, PHP, ASP, Cold Fusion, Perl CGI, etc…


UI Login Tools - Features

• Provides a login page via SSL
• Validates a user’s Hawk ID / password, communicates any errors to the user
• Tells your application the Hawk ID of the person that just logged in
• Possibly provides your application with EDS information about the person
• Possibly provides Single Sign On (SSO) capabilities to your application


UI Login Tools - Features

• Provides an administrative password reset and other utility tools

• Can provide a custom login page with your own look and feel

• Provides a complete audit trail of logins, password changes, etc…


UI Login Tools - Applications

• ISIS, Prof Asst, HR Portal, Mars, Osiris, PCard, PReqs, Skillsoft, Infobank, etc…


UI Login Tools - Why

• 15 mid-large applications requiring logins
• Inter-application trust (ISIS and HR portal)
• No two departments use the same web development technology
• Microsoft passport – marketing baggage, doesn’t scale down
• Sun’s passport killer – Liberty something…
• Yale’s Central Authentication Service (CAS)


UI Login Tools – How

• Key Concepts – 3 actors
  • The user/browser
  • Your web application
  • The login tools application
• Browser redirects
• Authentication ticket
• Cashing in the authentication ticket
  • HTTP request from your app to the login tools


UI Login Tools – The Picture

• Prepare to be stunned by my incredible artistic skills

Actors in the picture: Bob (the user/browser), Your Site, Login Tools, AD

• Step 1: Bob comes to your site for the first time to start a session
• Step 2: You detect the person doesn’t have a session established and you redirect them to the login tools login page, passing along your service URL
• Step 3: The user’s browser takes the redirect request from your site and sends them to the login tools web server
• Step 4: The login page is returned to Bob’s browser (either the generic one, or your custom login page)
• Step 5: Bob types in his correct Hawk ID and Hawk ID password in the fields on the login page and presses the Sign In button
• Step 6: Bob’s password is verified via AD, a redirect is sent back to Bob to the service url provided along with a uip_ticket param
• Step 7: Bob’s browser takes the redirect and sends the uip_ticket back to your website to the service url you provided
• Step 8: Your site takes the uip_ticket and connects to the Login Tools to cash it in to find out who the ticket belongs to
• Step 9: The login tools take the ticket you provide and return you a simple text web page that contains Bob’s Hawk ID (hawkid=bob)
• Step 10: Your site creates a session for Bob and sends back your home page along with any persistence cookies you need (Bob’s session cookie)
• Step 10+N: Any further requests are just processed from your site, checking Bob’s session information. No further interaction with the login tools is needed
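As an added example (not the Login Tools code or any University of Iowa code), here is the service side of steps 2 and 7 through 10+N in Python. Only `uip_ticket` and the `hawkid=bob` reply appear on the slides, so the login and cash-in URLs, the `service` parameter name, and the stand-in ticket store are assumptions.

```python
# Added example, not the UI Login Tools implementation. Endpoint URLs,
# the "service" parameter name and the stand-in ticket store are assumptions.
import secrets
from urllib.parse import urlencode, parse_qs

LOGIN_URL = "https://login.uiowa.edu/login"      # assumed login page URL
CASH_IN_URL = "https://login.uiowa.edu/cashin"   # assumed ticket cash-in URL
SERVICE_URL = "https://yoursite.example/app"     # your registered service url

# Constructed stand-in for the Login Tools cash-in endpoint (step 9). It answers
# the server-to-server request with a text body such as "hawkid=bob". A ticket
# is honoured once, and only for the service url it was issued to.
_ISSUED_TICKETS = {"ST-abc123": ("bob", SERVICE_URL)}   # ticket -> (hawkid, service)

def fake_login_tools_get(url, params):
    owner = _ISSUED_TICKETS.pop(params.get("uip_ticket", ""), None)
    if owner is None or owner[1] != params.get("service"):
        return "error=invalid_ticket"
    return "hawkid=%s" % owner[0]

SESSIONS = {}   # random session id (cookie value) -> hawkid

def handle_request(query, cookies, http_get=fake_login_tools_get):
    """Handle one request to your site; returns (status, headers, body)."""
    # Step 10+N: an established session is checked locally, no login tools call.
    hawkid = SESSIONS.get(cookies.get("session", ""))
    if hawkid:
        return 200, {}, "Home page for %s" % hawkid
    ticket = parse_qs(query).get("uip_ticket", [None])[0]
    if ticket is None:
        # Step 2: no session and no ticket, so redirect to the login page with our service url.
        return 302, {"Location": LOGIN_URL + "?" + urlencode({"service": SERVICE_URL})}, ""
    # Step 8: cash the ticket in server-to-server; the browser's word alone proves nothing.
    fields = parse_qs(http_get(CASH_IN_URL, {"uip_ticket": ticket, "service": SERVICE_URL}))
    if "hawkid" not in fields:
        return 403, {}, "Login failed"
    # Step 10: create the session. The cookie is a random id, not the Hawk ID itself,
    # because Hawk IDs are public and reusable and must not act as a bearer credential.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = fields["hawkid"][0]
    headers = {"Set-Cookie": "session=%s; Secure; HttpOnly" % sid}
    return 200, headers, "Home page for %s" % fields["hawkid"][0]
```

The stand-in consumes each ticket on first use, so a second request carrying the same `uip_ticket` is refused; a real deployment gets that property from the login tools, not from your site.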


UI Login Tools

• You can leave now and plug into the login tools without any involvement from me

• To create a custom login page, you will need to send me your service url and point me at a login page template


Next Steps

• Improve / create some documentation
• Figure out SSO better (how best to handle and communicate logouts)
• Better service provider management tools – make it so you can more easily update your own login pages, service URLs, etc…
• SAML interface, other XML standards.
• Your suggestions?


Questions?

• http://login.uiowa.edu/
• http://hawkid.uiowa.edu/
• http://cio.uiowa.edu/policy/

• Email address: [email protected]