Identity Management Overview
CAS and Shibboleth

Andrew Petro, Unicon
John Lewis, Unicon
Adam Dolby, VASCO
15 December 2009

Copyright Unicon, Inc., 2009. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution NonCommercial Share Alike
3.0 United States License.
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Some content drawn from prior presentations at Jasig conferences.
About Unicon
IT Consulting Services for Education, Specializing in Open Source

IT Consulting Services
• Technology Delivery and Support
• Systems Integration
• Software Engineering

Open Source Technology Solutions
• Enterprise Portal
• Identity Management
• Learning Management
• Email and Collaboration




For more information about Unicon, please visit: http://www.unicon.net
Contact us at: 480-558-2400 or info@unicon.net
Jasig CAS in 15 Minutes

Andrew Petro
Unicon, Inc.


See also
http://www.unicon.net/blog/3/ten_minute_cas_intro
What is CAS?

Open source single sign-on for the Web
Multi-Sign-On for the Web
At Least with One Username/Password?
All Applications Touch Passwords
Any Compromise Leaks Primary Credentials
Adversary Then Can Run Wild
The Solution

• What if there were only one login form in your
  organization, only one application trusted to
  touch primary credentials?
Delete Your Login Forms
Webapps No Longer Touch Passwords
Adversary Compromises Only Single Apps
Webapps No Longer Touch Passwords
Provided Authentication Handlers

• LDAP
  – Fast bind
  – Search and bind
• Active Directory
  – LDAP
  – Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
What About Portals?




Need to go get interesting content from different systems.
• E-mail
• Calendar
• E-Learning
• Student Information System
Password Replay

[Diagram: the portal holds the user's password (PW) and replays it over a channel to each password-protected service; three such services are shown, and the password is exposed at the portal, on every channel, and at every service.]
Look Ma, No Password!

• Without a password to replay, how am I going to authenticate my portal to other applications?
“Proxy” CAS

• Some Web applications “proxy”
  authentication to backing services on behalf
  of the user
• “Proxied” applications/services may
  themselves proxy authentication to others
• CAS authenticates both the end user and the
  proxy
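The ticket exchange behind "Webapps No Longer Touch Passwords" and "Proxy CAS", as an added example that is not part of the original deck or the CAS project's code. It models a CAS server in one script: the browser authenticates at the server and is redirected back with a service ticket (ST), the web application validates that ticket with the server instead of ever seeing the password, and a portal that asks for proxying rights (a pgtUrl) receives a proxy-granting ticket (PGT) from which it obtains proxy tickets (PT) for backend services, each carrying the proxy chain so the backend knows who is acting on the user's behalf. Every user, password, URL and the ticket lifetime are constructed for the example; the PGT callback that real CAS makes over HTTPS is simplified to a return value.

```python
"""Simulated CAS ticket flow: the web app never sees the password, and a
proxying app obtains tickets for backend services on the user's behalf.
Added example (not CAS project code); all names and URLs are constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed user store: only the CAS server touches primary credentials.
USERS = {"alice": "correct-horse"}  # constructed test credential
TICKET_TTL = 10  # seconds an ST/PT stays valid (assumed value)


@dataclass
class Ticket:
    user: str
    service: str                                 # URL the ticket was issued for
    proxies: list = field(default_factory=list)  # proxy chain, innermost first
    issued: float = field(default_factory=time.time)


class CasServer:
    """Minimal model of /login, /serviceValidate and /proxy semantics."""

    def __init__(self):
        self.tgts = {}  # ticket-granting tickets (the browser's SSO session)
        self.sts = {}   # service tickets and proxy tickets, single use
        self.pgts = {}  # proxy-granting tickets

    def login(self, user, password, service):
        # The only place a password is ever checked; webapps never see it.
        if not hmac.compare_digest(USERS.get(user, ""), password):
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = user
        return tgt, self._issue(Ticket(user, service), prefix="ST")

    def _issue(self, ticket, prefix):
        tid = f"{prefix}-{secrets.token_urlsafe(16)}"
        self.sts[tid] = ticket
        return tid

    def validate(self, ticket_id, service, pgt_url=None):
        """Validate an ST or PT: single use, bound to the service, expiring.
        Returns (user, proxy_chain, pgt_or_None)."""
        t = self.sts.pop(ticket_id, None)  # pop: a replayed ticket is unknown
        if t is None:
            raise PermissionError("unknown or already used ticket")
        if t.service != service:
            raise PermissionError("ticket issued for a different service")
        if time.time() - t.issued > TICKET_TTL:
            raise PermissionError("ticket expired")
        pgt = None
        if pgt_url:
            # Real CAS delivers the PGT by calling back pgtUrl over HTTPS;
            # here it is simply returned to the validating service.
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (t.user, [pgt_url] + t.proxies)
        return t.user, list(t.proxies), pgt

    def proxy(self, pgt, target_service):
        """Issue a proxy ticket for a backend, carrying the proxy chain."""
        if pgt not in self.pgts:
            raise PermissionError("unknown PGT")
        user, chain = self.pgts[pgt]
        return self._issue(Ticket(user, target_service, chain), prefix="PT")


def portal_flow():
    """Run the whole exchange; returns what the portal and backend learned."""
    cas = CasServer()
    portal = "https://portal.example.edu/"  # constructed URLs
    mail = "https://mail.example.edu/"
    # 1. Browser logs in at CAS; CAS redirects back to the portal with an ST.
    _tgt, st = cas.login("alice", "correct-horse", portal)
    # 2. Portal validates the ST and asks for proxying rights (pgtUrl).
    user, chain, pgt = cas.validate(st, portal, pgt_url=portal)
    # 3. Portal obtains a PT for mail; mail validates it and sees the chain.
    pt = cas.proxy(pgt, mail)
    mail_user, mail_chain, _ = cas.validate(pt, mail)
    return {"user": user, "portal_chain": chain,
            "mail_user": mail_user, "mail_chain": mail_chain}


def _rejected(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def ticket_checks():
    """Negative cases a CAS server must enforce: replay, misbinding, bad login."""
    cas = CasServer()
    app, other = "https://app.example.edu/", "https://other.example.edu/"
    _, st = cas.login("alice", "correct-horse", app)
    cas.validate(st, app)
    return {"replay": _rejected(cas.validate, st, app),
            "wrong_service": _rejected(cas.validate,
                                       cas.login("alice", "correct-horse", app)[1], other),
            "bad_password": _rejected(cas.login, "alice", "guess", app)}


if __name__ == "__main__":
    print(portal_flow())
    print(ticket_checks())
```

The mail service accepts the proxy ticket only because the chain it receives names the portal, which lets a backend decide which proxies it is willing to trust; a ticket presented twice, presented to a service other than the one it was issued for, or obtained with a wrong password is refused.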
CAS – More than Authentication
• Return attributes of logged on users
• Adding support for standards
  – OpenID
  – SAML
• Single Sign-Out
• RESTful API
• Support for clustering
• Services management
• Remember me (long-term SSO)
CAS Integration Libraries

• Java
• Spring Security
• PHP
• Apache Module
• ASP
• Python
• Ruby
• ...

• Drupal module
• uPortal
• Liferay
• Sakai
• TikiWiki
• ...
Unicon Services for CAS

• Implementation Planning
• Branding and User Experience
• Installation and Configuration
• Custom Development
• Consulting and Mentoring
• CASification of uPortal, Sakai, and other applications
• Upgrades

For more information, please visit
http://www.unicon.net/services/cas
Questions?




Andrew Petro
apetro@unicon.net
www.unicon.net
Shibboleth &
Federated Identities




Shibboleth


    Enterprise federated identity software
    −   Based on standards (principally SAML)
    −   Extensive architectural work to integrate with existing systems
    −   Designed for deployment by communities

    Most widely used in education, government

    Broadly adopted in Europe

    2.0 release implements SAML 2
    −   Backward compatible with 1.3
Shibboleth Project


    Free & Open Source
    −   Apache 2.0 license

    Enterprise and Federation oriented

    Started 2000 with first released code in 2003

    Excellent community support
    −   http://shibboleth.internet2.edu
    −   shibboleth-announce@internet2.edu
Why Federated Identity?


    Authoritative information
    −   Users, privileges, attributes

    Improved security
    −   Fewer user accounts in the world

    Privacy when needed
    −   Fine control over attribute sharing

    Saves time & money
    −   Less work administrating users
What Is SAML?


    Security Assertion Markup Language (SAML)

    XML-based Open Standard

    Exchange authentication and authorization data between
    security domains
    −   Identity Provider (a producer of assertions)
    −   Service Provider (a consumer of assertions)

    Approved by OASIS Security Services
    −   SAML 1.0 November 2002
    −   SAML 2.0 March 2005
Major SAML Applications

    Proquest
    Project MUSE
    Thomson Gale
    Elsevier ScienceDirect
    Google Apps
    ExLibris MetaLib
    Sakai & Moodle
    uPortal
    DSpace, Fedora
    Ovid
    Microsoft DreamSpark
    Moodle, Joomla, Drupal
    JSTOR, ArtSTOR, OCLC
    Blackboard & WebCT
    WebAssign & TurnItIn
    MediaWiki / Confluence
    National Institutes of Health
    National Digital Science Library
How Federated Identity Works


    A user tries to access a protected application

    The user tells the application where it’s from

    The user logs in at home

    Home tells the application about the user

    The user is rejected or accepted
Role of a Federation


    Agreed upon Attribute Definitions
     −   Group, Role, Unique Identifier, Courses, …

    Criteria for IdM & IdP practices
     −   user accounts, credentialing, personal information
         stewardship, interoperability standards, technologies, ...

    Digital Certificates

    Trusted “notary” for all members

    Not needed for Federated IdM, but does make things even easier
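The five steps of "How Federated Identity Works" and the federation's role as the trusted source of keys and attribute definitions, as an added example that is not part of the original deck or of Shibboleth. The user arrives at a service provider (SP), names the home identity provider (IdP), logs in there, and the IdP hands back a signed assertion that the SP checks against federation metadata before accepting or rejecting; the IdP releases only the attributes the federation agreed on, keeping the rest (here, the course list) at home. Every entity ID, user, key and attribute name is constructed, an HMAC over a JSON body stands in for the XML signature SAML actually uses, and the federation metadata is a plain dictionary rather than a signed metadata file.

```python
"""Simulated federated login: SP asks where the user is from, user logs in
at the home IdP, IdP returns a signed assertion with agreed attributes, SP
verifies it against federation metadata. Added example, not Shibboleth code;
HMAC stands in for XML signatures and every name, URL and key is constructed."""
import hashlib
import hmac
import json
import secrets
import time

# Federation metadata (constructed): each member IdP and the key it signs with.
FEDERATION = {
    "https://idp.home.example.edu/idp": secrets.token_bytes(32),
    "https://idp.other.example.org/idp": secrets.token_bytes(32),
}
REQUIRED_ATTRS = {"uniqueId", "role"}  # attribute names agreed by the federation
ASSERTION_TTL = 300                    # seconds an assertion stays fresh (assumed)

# Constructed home directory: only the IdP ever checks these passwords.
HOME_USERS = {"alice": {"password": "pw-alice", "uniqueId": "alice@home.example.edu",
                        "role": "student", "courses": ["CS101"]}}


class IdentityProvider:
    def __init__(self, entity_id, key, users):
        self.entity_id, self.key, self.users = entity_id, key, users

    def authenticate(self, user, password, audience, release=REQUIRED_ATTRS):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            raise PermissionError("login failed at home IdP")
        # Attribute release policy: only the agreed attributes leave home.
        body = {"issuer": self.entity_id, "audience": audience,
                "issued": time.time(), "attrs": {k: rec[k] for k in release}}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id

    def consume(self, assertion):
        """Accept or reject: trusted issuer, valid signature, right audience,
        fresh, and carrying every required attribute."""
        body = json.loads(assertion["payload"])
        key = FEDERATION.get(body["issuer"])
        if key is None:
            return False, "issuer not in federation"
        expected = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        if body["audience"] != self.entity_id:
            return False, "assertion meant for another SP"
        if time.time() - body["issued"] > ASSERTION_TTL:
            return False, "assertion expired"
        missing = REQUIRED_ATTRS - body["attrs"].keys()
        if missing:
            return False, f"missing attributes: {sorted(missing)}"
        return True, body["attrs"]


SP_ID = "https://library.example.org/sp"   # constructed
HOME_ID = "https://idp.home.example.edu/idp"


def federated_login(user, password, home=HOME_ID):
    """Steps 1-5 of the slide: access the SP, say where you are from, log in
    at home, home tells the SP about you, the SP accepts or rejects."""
    sp = ServiceProvider(SP_ID)
    idp = IdentityProvider(home, FEDERATION[home], HOME_USERS)  # discovery
    return sp.consume(idp.authenticate(user, password, sp.entity_id))


def tampered_assertion_is_rejected():
    """Editing the attributes in transit breaks the signature."""
    a = IdentityProvider(HOME_ID, FEDERATION[HOME_ID], HOME_USERS).authenticate(
        "alice", "pw-alice", SP_ID)
    body = json.loads(a["payload"])
    body["attrs"]["role"] = "admin"
    a["payload"] = json.dumps(body, sort_keys=True)
    return ServiceProvider(SP_ID).consume(a)


def rogue_idp_is_rejected():
    """An IdP outside the federation metadata is not trusted, however valid its signature."""
    rogue = IdentityProvider("https://idp.rogue.example/idp", secrets.token_bytes(32), HOME_USERS)
    return ServiceProvider(SP_ID).consume(rogue.authenticate("alice", "pw-alice", SP_ID))


def wrong_password_is_rejected():
    try:
        federated_login("alice", "guess")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(federated_login("alice", "pw-alice"))
    print(tampered_assertion_is_rejected(), rogue_idp_is_rejected())
```

The SP holds no password and no user account of its own; what it trusts is the federation's metadata, which is why the slide calls the federation a "notary" for its members and why agreeing on attribute names matters: the SP's authorization decision reads `role` and `uniqueId` straight from the assertion.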
InCommon Federation


    Federation for U.S. Higher Education & Research
    (and Partners)

    Over Three Million Users

    163 Organizations

    Self-organizing & Heterogeneous

    Policy Entrance bar intentionally set low

    Doesn’t impose lots of rules and standards

    http://www.incommonfederation.org/
Questions?




John Lewis
jlewis@unicon.net
www.unicon.net

Más contenido relacionado

La actualidad más candente

Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Đỗ Duy Trung
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 Michael Noel
 
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010Michael Noel
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 

La actualidad más candente (20)

Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
SAML and Liferay
SAML and LiferaySAML and Liferay
SAML and Liferay
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
 
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 

Similar a Identity Management Overview: CAS and Shibboleth

Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity ManagmentJohn Lewis
 
Portal as UI of SOA
Portal as UI of SOAPortal as UI of SOA
Portal as UI of SOAAndrew Petro
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarJohn Lewis
 
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2HEAnet
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingAvtex
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethChris Phillips
 
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2
 
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration CloudAfkham Azeez
 
Acquia Business Mandate Deck Final
Acquia Business Mandate Deck FinalAcquia Business Mandate Deck Final
Acquia Business Mandate Deck FinalAcquia
 
Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...Ontico
 
Trusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research CollaborationsTrusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research Collaborationsjbasney
 
Enterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AIEnterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AISam Fernando
 
VanyaSehgal_Resume
VanyaSehgal_ResumeVanyaSehgal_Resume
VanyaSehgal_ResumeVANYA SEHGAL
 
Challenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick BChallenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick BRoopa Nadkarni
 
5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_b5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_bIBM
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestChris Phillips
 
Web 2.0 in the Enterprise
Web 2.0 in the EnterpriseWeb 2.0 in the Enterprise
Web 2.0 in the EnterpriseUfuk Kılıç
 
Alex Wade, Digital Library Interoperability
Alex Wade, Digital Library InteroperabilityAlex Wade, Digital Library Interoperability
Alex Wade, Digital Library Interoperabilityparker01
 
Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010Don Presant
 
University of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event SharepointUniversity of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event SharepointDiane Montgomery
 

Similar a Identity Management Overview: CAS and Shibboleth (20)

Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity Managment
 
Portal as UI of SOA
Portal as UI of SOAPortal as UI of SOA
Portal as UI of SOA
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
 
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile Computing
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
 
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con US 2013 - The Integration Game Changer: WSO2 Integration Cloud
 
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration CloudWSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
WSO2Con 2013 - The Integration Game Changer: WSO2 Integration Cloud
 
Acquia Business Mandate Deck Final
Acquia Business Mandate Deck FinalAcquia Business Mandate Deck Final
Acquia Business Mandate Deck Final
 
Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...Building and packaging highly scalable services for maximum market penetratio...
Building and packaging highly scalable services for maximum market penetratio...
 
Trusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research CollaborationsTrusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research Collaborations
 
Enterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AIEnterprise Content Sharing Bots & AI
Enterprise Content Sharing Bots & AI
 
VanyaSehgal_Resume
VanyaSehgal_ResumeVanyaSehgal_Resume
VanyaSehgal_Resume
 
Challenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick BChallenges In Building Enterprise Mashups - Rick B
Challenges In Building Enterprise Mashups - Rick B
 
5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_b5 challenges in_building_enterprise_mashups-rick_b
5 challenges in_building_enterprise_mashups-rick_b
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
 
Web 2.0 in the Enterprise
Web 2.0 in the EnterpriseWeb 2.0 in the Enterprise
Web 2.0 in the Enterprise
 
Alex Wade, Digital Library Interoperability
Alex Wade, Digital Library InteroperabilityAlex Wade, Digital Library Interoperability
Alex Wade, Digital Library Interoperability
 
Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010Learning Forum London 2010 - Summary for CAPLA 2010
Learning Forum London 2010 - Summary for CAPLA 2010
 
University of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event SharepointUniversity of Glasgow Eduserv Event Sharepoint
University of Glasgow Eduserv Event Sharepoint
 

Último

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Último (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Identity Management Overview: CAS and Shibboleth

  • 1. Identity Management Overview CAS and Shibboleth Andrew Petro, Unicon John Lewis, Unicon Adam Dolby, VASCO 15 December 2009 Copyright Unicon, Inc., 2009. Some Rights Reserved. This work is licensed under a Creative Commons Attribution NonCommercial Share Alike 3.0 United States License. http://creativecommons.org/licenses/by-nc-sa/3.0/us/ Some content drawn from prior presentations at Jasig conferences.
  • 2. About Unicon IT Consulting Services for Education, Specializing in Open Source IT Consulting Services • Technology Delivery and Support • Systems Integration • Software Engineering Open Source Technology Solutions • Enterprise Portal • Identity Management • Learning Management • Email and Collaboration For more information about Unicon, please visit: http://www.unicon.net Contact us at: 480-558-2400 or info@unicon.net
  • 3. Jasig CAS in 15 Minutes Andrew Petro Unicon, Inc. See also http://www.unicon.net/blog/3/ten_minute_cas_intro
  • 4. What is CAS? open source single sign on for the Web
  • 6. At Least with One Username/Password?
  • 8. Any Compromise Leaks Primary Credentials
  • 10. The Solution • What if there were only one login form in your organization, only one application trusted to touch primary credentials?
  • 12. Webapps No Longer Touch Passwords
  • 15. Webapps No Longer Touch Passwords
  • 16. Provided Authentication Handlers • LDAP – Fast bind – Search and bind • Active Directory – LDAP – Kerberos (JAAS) • JAAS • JDBC • RADIUS • SPNEGO • Trusted • X.509 certificates • Writing a custom authentication handler is easy
  • 17. What About Portals? Need to go get interesting content from different systems. • E-mail • Calendar • E-Learning • Student Information System
  • 18. Password Replay (diagram: the Portal holds the user's password (PW) and replays it through each of its Channels to a Password-Protected Service; three such channel/service pairs are shown)
  • 19. Look Ma, No Password! • Without a password to replay, how am I going to authenticate my portal to other applications?
  • 20. “Proxy” CAS • Some Web applications “proxy” authentication to backing services on behalf of the user • “Proxied” applications/services may themselves proxy authentication to others • CAS authenticates both the end user and the proxy
  • 21. CAS – More than Authentication • Return attributes of logged on users • Adding support for standards – OpenID – SAML • Single Sign-Out • RESTful API • Support for clustering • Services management • Remember me (long-term SSO)
  • 22. CAS Integration Libraries • Java • Spring Security • PHP • Apache Module • ASP • Python • Ruby • ... • Drupal module • uPortal • Liferay • Sakai • TikiWiki • ...
  • 23. Unicon Services for CAS • Implementation Planning • Branding and User Experience • Installation and Configuration • Custom Development • Consulting and Mentoring • CASification of uPortal, Sakai, and other applications • Upgrades For more information, please visit http://www.unicon.net/services/cas
  • 24. Questions? Andrew Petro apetro@unicon.net www.unicon.net
  • 26. Shibboleth • Enterprise federated identity software – Based on standards (principally SAML) – Extensive architectural work to integrate with existing systems – Designed for deployment by communities • Most widely used in education, government • Broadly adopted in Europe • 2.0 release implements SAML 2 – Backward compatible with 1.3
  • 27. Shibboleth Project • Free & Open Source – Apache 2.0 license • Enterprise and Federation oriented • Started 2000 with first released code in 2003 • Excellent community support – http://shibboleth.internet2.edu – shibboleth-announce@internet2.edu
  • 28. Why Federated Identity? • Authoritative information – Users, privileges, attributes • Improved security – Fewer user accounts in the world • Privacy when needed – Fine control over attribute sharing • Saves time & money – Less work administrating users
  • 29. What Is SAML? • Security Assertion Markup Language (SAML) • XML-based Open Standard • Exchange authentication and authorization data between security domains – Identity Provider (a producer of assertions) – Service Provider (a consumer of assertions) • Approved by OASIS Security Services – SAML 1.0 November 2002 – SAML 2.0 March 2005
  • 30. Major SAML Applications • Proquest • Microsoft DreamSpark • Project MUSE • Moodle, Joomla, Drupal • Thomson Gale • JSTOR, ArtSTOR, OCLC • Elsevier ScienceDirect • Blackboard & WebCT • Google Apps • WebAssign & TurnItIn • ExLibris MetaLib • MediaWiki / Confluence • Sakai & Moodle • uPortal • National Institutes of Health • DSpace, Fedora • National Digital Science Library • Ovid
  • 31. How Federated Identity Works • A user tries to access a protected application • The user tells the application where it’s from • The user logs in at home • Home tells the application about the user • The user is rejected or accepted
  • 33. Role of a Federation • Agreed upon Attribute Definitions – Group, Role, Unique Identifier, Courses, … • Criteria for IdM & IdP practices – user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ... • Digital Certificates • Trusted “notary” for all members • Not needed for Federated IdM, but does make things even easier
  • 34. InCommon Federation • Federation for U.S. Higher Education & Research (and Partners) • Over Three Million Users • 163 Organizations • Self-organizing & Heterogeneous • Policy Entrance bar intentionally set low • Doesn’t impose lots of rules and standards • http://www.incommonfederation.org/
  • 35. Questions? John Lewis jlewis@unicon.net www.unicon.net
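The CAS side of the deck (slides 12 through 21: the web app never touches the password, redeems a service ticket with the CAS server, gets attributes back, and may be reached through a "proxy" chain) as an added Python example; this is not code from the slides or from Jasig CAS, and the hostnames, ticket id and XML responses are constructed samples in the CAS 2.0/3.0 response format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Namespace of CAS protocol /serviceValidate and /proxyValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

@dataclass
class Validation:
    ok: bool
    user: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    proxies: list = field(default_factory=list)
    error: Optional[str] = None

def validate_url(cas_base: str, service: str, ticket: str) -> str:
    """URL the app fetches server-to-server over HTTPS to redeem the ticket the browser brought back."""
    return f"{cas_base}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})

def parse_service_response(xml_text: str, trusted_proxies=()) -> Validation:
    """Parse the CAS server's answer; the username is trusted only because the CAS server said it."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return Validation(ok=False, error=failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return Validation(ok=False, error="MALFORMED")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {a.tag.split("}")[1]: a.text for a in success.findall("cas:attributes/*", CAS_NS)}
    proxies = [p.text for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    # Proxy CAS: a portal that authenticated on the user's behalf appears in this chain.
    # Accept the login only if every hop is an application we trust to act for the user.
    if any(p not in trusted_proxies for p in proxies):
        return Validation(ok=False, error="UNTRUSTED_PROXY", proxies=proxies)
    return Validation(ok=True, user=user, attributes=attrs, proxies=proxies)

# Constructed sample responses (hostnames, ticket id and values are made up).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes><cas:mail>jdoe@example.edu</cas:mail></cas:attributes>
    <cas:proxies><cas:proxy>https://portal.example.edu/proxyCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-CONSTRUCTED-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

A compromise of this application yields at most its own session and the attributes CAS released to it, which is the "adversary compromises only single apps" property the slides describe.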
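Steps 4 and 5 of slide 31 (home tells the application about the user; the user is accepted or rejected) as the checks a service provider runs on an incoming SAML 2.0 assertion, as an added Python example that is not Shibboleth code; the IdP and SP entityIDs, the assertion and the clock value are constructed. It assumes the assertion's XML signature has already been verified against the IdP certificate published in federation metadata (slide 33), which this snippet does not do.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values such as 2009-12-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text: str, trusted_idps, our_entity_id: str, now: datetime):
    """Return (accepted, reason, attributes). trusted_idps holds the IdP entityIDs
    taken from federation metadata; our_entity_id is this SP's own entityID."""
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", namespaces=SAML)
    if issuer not in trusted_idps:  # "home" must be an IdP the federation vouches for
        return False, f"untrusted issuer {issuer}", {}
    cond = a.find("saml:Conditions", SAML)
    if cond is None:
        return False, "no Conditions element", {}
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", {}  # limits replay of a captured assertion
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if our_entity_id not in audiences:
        return False, "assertion addressed to a different service provider", {}
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", SAML):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", SAML)]
    return True, "ok", attrs

# Constructed assertion: entityIDs, timestamps and the affiliation value are made up.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2009-12-15T10:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_opaque-transient-id</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-12-15T09:59:00Z" NotOnOrAfter="2009-12-15T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.edu/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

The transient NameID and the scoped affiliation are the privacy point of slide 28: the SP learns the user is a student of that domain without receiving a persistent identifier unless the federation's attribute agreement releases one.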