Building a Single Sign On Environment Using CAS


CAS Single Sign On
Hisashi NAITO (naito@math.nagoya-u.ac.jp), Graduate School of Mathematics, Nagoya University
naito@math.nagoya-u.ac.jp, Oct. 19, 2005 Tohoku Univ. p. 1/40

Plan of Talk: CAS; CAS 2; CAS Single Sign On; CAS; CAS; CAS 2; CAS (p. 2/40)

CAS & CAS2. CAS: Yale Open Source software; Web Application Authentication; JA-SIG Official Project. Authorization (CAS 2); Web Application Single Sign On; Web Application; Kerberos Authentication (p. 3/40)

CAS 2: ID; LDAP; CAS 2 Web Application; Web CT; Single Sign On (p. 4/40)

CAS / CAS2 components: Web Application Server (including CAS client); CAS Server (over Tomcat); Directory Server (example: LDAP Server); Web Browser (Client, User). Ticket Granting Cookie (TGC), cf. the Kerberos ticket granting ticket. Service Ticket (ST): Web Application One Time Ticket (p. 5/40)

CAS / CAS2 Login: TGC; CAS Server; TGC & ST; ST; ST One Time Ticket; ST; TGC; TGC Authentication, ST Authorization; ST Validation; Application; TGC Timeout; Session Timeout; TGC Logout (p. 6/40)

CAS2 Authorization (CAS-ACL): Web Application (target URL), (User Information), (Access Time), (Client Information); CAS-ACL: Web Application, User Information; CAS-ACL URL; Access Control Class (CAS-ACC); ST; CAS-ACC (p. 7/40)

CAS-ACC Example:
    dn: cn=gakumu-kykr,ou=gakumu,ou=cas,o=nagoyauniv
    cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
    cas-service: https://app.*\.mynu\.jp/kyoin/kykr.+
    cas-attributes: uid,mailaddress,idno,fullname,dn
CAS-ACC URL: https://app.*\.mynu\.jp/kyoin/kykr.+; (uid) naito; 2005/10/10 to 2005/11/10; 133.6.130.0/24; Web Application, User: uid,mailaddress,idno,fullname,dn (p. 8/40)
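
The CAS-ACC entry above, evaluated in Python as an added example (not the talk's CAS 2 server code): the entry text is constructed from the slide, and the cas-allow grammar (&, | combinators; =, >=, <= leaves; an ip CIDR test) is assumed from that single example, as are the function names.

```python
import ipaddress
import re
# Constructed CAS-ACC entry, copied from the slide (LDIF-style, one attribute per line).
CAS_ACC_ENTRY = r"""
dn: cn=gakumu-kykr,ou=gakumu,ou=cas,o=nagoyauniv
cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
cas-service: https://app.*\.mynu\.jp/kyoin/kykr.+
cas-attributes: uid,mailaddress,idno,fullname,dn
"""

def parse_entry(text):
    """Map each 'attribute: value' line of the entry to a dict (blank lines ignored)."""
    return dict(line.partition(": ")[::2] for line in text.splitlines() if line.strip())

def parse_filter(s, pos=0):
    """Recursive-descent parser for the LDAP-style cas-allow filter (assumed grammar:
    (&...) / (|...) combinators; attr=value, attr>=value, attr<=value leaves)."""
    assert s[pos] == "(", "filter must start with '('"
    pos += 1
    if s[pos] in "&|":
        op, children = s[pos], []
        pos += 1
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1          # skip the combinator's closing ')'
    end = s.index(")", pos)
    attr, op, value = re.fullmatch(r"(\w+)(>=|<=|=)(.+)", s[pos:end]).groups()
    return ("cmp", attr, op, value), end + 1

def evaluate(node, ctx):
    """ctx is the validation context: uid, date (YYYYMMDD string) and client ip."""
    if node[0] in ("&", "|"):
        results = [evaluate(child, ctx) for child in node[1]]
        return all(results) if node[0] == "&" else any(results)
    _, attr, op, value = node
    if attr == "ip":                             # CIDR membership test for the client address
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(value, strict=False)
    actual = str(ctx[attr])                      # YYYYMMDD strings compare correctly as text
    return {"=": actual == value, ">=": actual >= value, "<=": actual <= value}[op]

def authorize(entry_text, service_url, ctx):
    """Attribute names the application may receive, or None: the service URL must match
    cas-service and the context must satisfy cas-allow (spaces from line wrapping dropped)."""
    entry = parse_entry(entry_text)
    if not re.fullmatch(entry["cas-service"], service_url):
        return None
    node, _ = parse_filter(entry["cas-allow"].replace(" ", ""))
    return entry["cas-attributes"].split(",") if evaluate(node, ctx) else None
```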

CAS client module (Java Servlet). CasClient is the talk's own CAS 2 client class; identifier casing was flattened in the transcript and is restored here as camelCase, and doGet is made protected so that the servlet container can call it:

    import java.io.IOException;
    import java.util.Map;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // app, CAS_SERVICE_URL and loginForm are fields of the surrounding servlet (not shown on the slide)
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        //************* initial setting *************//
        //*********** Perform CAS Client ************//
        CasClient cas = new CasClient();
        cas.setServiceUrl(CAS_SERVICE_URL);
        // casPerform() either redirects the browser to the CAS login page or validates the
        // service ticket; false means the response was already redirected, so stop here
        if (!cas.casPerform(request, response)) return;
        Map r = cas.getResult();                 // authorization result and user attributes
        String xmlResponse = cas.getResponse();  // raw XML reply from the CAS server
        //*********** End of Perform CAS Client ****//
        if (r != null) request.setAttribute("userid", r.get("uid"));
        app.getRequestDispatcher(loginForm).forward(request, response);
        return;
    }
(p. 9/40)

CAS (1: Login) (Browser): CAS 2 Application; Browser; CAS 2 TGC; SSL; Browser, CAS Server, Web Application, CAS Server (p. 10/40)

CAS (1: Login (1)-(8)). Each slide repeats the diagram (Web Browser, Web Application, CAS Server, LDAP Server) and marks the current step:
1. Access to https://afqdn/a.html (p. 11/40)
2. Redirect to https://cas/login&service=https://afqdn/a.html; Login Window (p. 12/40)
3. Input UserID & Password with service https://afqdn/a.html; CAS Server: Authentication, Service Authorization (p. 13/40)
4. Send Ticket Granting Cookie to Browser; AA Results; TGC, ST (p. 14/40)
5. Redirect to https://afqdn/a.html&ticket=st-xxx; AA results; browser holds TGC (p. 15/40)
6. Verify Service Ticket; Web Application sends ST to CAS Server; Authorization (p. 16/40)
7. Receive verify result from CAS server; AA Authorization Result (p. 17/40)
8. Receive Data from Application Server (p. 18/40)

CAS ( ): Login; JavaScript/HTTP redirection; visible Login Window (p. 19/40)

CAS (2: Verify Ticket): Login (Browser TGC); TGC count down timer; ST Authorization; ST CAS-ACC; Login redirection; Authorization ST; ST Timeout or ST Valid; Login redirection; Authorization ST; Login redirection = TGC + Authorization (p. 20/40)

CAS (2: Verify Ticket (0)-(4)). Same diagram; the browser starts out holding a TGC and an ST (p. 21/40):
1. Access to https://afqdn/a.html&ticket=st-xxxxx (p. 22/40)
2. Verify ticket=st-xxxxx with service=https://afqdn/a.html; Service Authorization (p. 23/40)
3. Get authorization results and user information (p. 24/40)
4. Reply from Web Application (p. 25/40)

Verify Ticket. CAS client (Original CAS): Ticket Validation, ID. CAS client (CAS 2): Ticket Validation, CAS-ACL. Web Application CAS client module (p. 26/40)

CAS (3: Access to another Application): Ticket Granting Ticket, Access Control Class; URL; Service Ticket; Service Ticket Timeout; Ticket Granting Cookie; Service Ticket (p. 27/40)

CAS (3: Access to another Application (0)-(6)). Same diagram; the browser holds a TGC but no usable ST: no ST, ST is expired, or ST belongs to a different ACCESS CLASS (p. 28/40). The step numbers follow the login flow; steps 2 and 3 (the login window) do not occur because the browser presents its TGC:
1. Access to https://afqdn/a.html (p. 29/40)
4. Redirect to https://cas/login&service=https://afqdn/a.html (p. 30/40)
5. Redirect to https://afqdn/a.html&ticket=st-xxx; Service Authorization, Authorization results; ST (p. 31/40)
6. Verify Service Ticket; Authorization (p. 32/40)
7. Receive verify result from CAS server; Authorization Result (p. 33/40)
8. Receive Data from Application Server (p. 34/40)
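
The ticket rules the slides describe (TGC issued at login, one-time ST bound to a service URL and its access control class, TGC and ST timeouts), modelled in Python as an added example that is not the talk's server code. CasServer, login, grant_st, validate, the timeout constants and the dict standing in for the LDAP directory are assumptions; the access class is passed explicitly here, whereas on the slides it is derived from the service URL through the CAS-ACL.

```python
import secrets
import time

# Constructed model of the CAS 2 ticket flow from the slides (not the talk's server code):
# login yields a Ticket Granting Cookie (TGC); each visit to an application yields a
# one-time Service Ticket (ST) bound to that service URL and its access control class;
# validating an ST consumes it. Timeouts and the directory stand-in are assumed values.
TGC_TIMEOUT = 8 * 3600   # seconds; assumed, stands in for the TGC timeout on p. 6/40
ST_TIMEOUT = 60          # seconds; assumed, stands in for the ST timeout on p. 27/40

class CasServer:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so that tests can advance time
        self.tgcs = {}       # tgc -> (uid, expiry)
        self.sts = {}        # st  -> (uid, service, access_class, expiry)

    def login(self, uid, password, directory):
        """Login steps 3-4: check the credentials (directory stands in for LDAP), issue a TGC."""
        if directory.get(uid) != password:
            return None
        tgc = "TGC-" + secrets.token_hex(8)
        self.tgcs[tgc] = (uid, self.clock() + TGC_TIMEOUT)
        return tgc

    def grant_st(self, tgc, service, access_class):
        """Login step 5: a browser presenting a live TGC gets a fresh ST for this service."""
        uid, expiry = self.tgcs.get(tgc, (None, 0))
        if uid is None or self.clock() > expiry:
            return None   # no TGC or TGC timed out: the user sees the login window again
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = (uid, service, access_class, self.clock() + ST_TIMEOUT)
        return st

    def validate(self, st, service, access_class):
        """Verify Ticket steps 2-3: the application asks the server to check its ST.
        The ticket is removed first, so it is one-time whatever the outcome."""
        entry = self.sts.pop(st, None)
        if entry is None:
            return None
        uid, bound_service, bound_class, expiry = entry
        if self.clock() > expiry or bound_service != service or bound_class != access_class:
            return None   # expired, replayed at another service, or different access class
        return uid
```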

CAS2: CAS-ACL; CAS-ACL subtree; Alert; Login; CAS-ACC; ST (nextticket); Mail Address; User ID; Post (p. 35/40)

CAS Single Sign On: Web Application, CAS client module; Web Application; Web Application; SSL; 4000 /; Sun Fire V480 (1.0GHz UltraSPARC III Cu x 2), 4.0GB Memory, Solaris 8 (p. 36/40)

Web Application; Federated CAS; CAS Version 3; Open Source CAS-Client; CAS-ACL Application (p. 37/40)

URL: http://www.math.nagoya-u.ac.jp/~naito/cas/ (CAS 2); http://www.math.nagoya-u.ac.jp/~naito/cas/javadoc/ (JavaDoc for the CAS 2 Java class library). References: ..., Vol. 1446, 14-39 (2005); ..., Vol. 47-4 ( ) (p. 38/40)

CAS 2: http://tomcat.math.nagoya-u.ac.jp/casfreetest/ (Java Servlet); http://tomcat.math.nagoya-u.ac.jp/casfreetest_jsp/ (JSP); http://www.math.nagoya-u.ac.jp/~naito/casfreetest/ (Perl SSI). Web Application Single Sign On; cas0, cas1, ..., cas9; Perl SSI cas9; Perl SSI cas9 (p. 39/40)

Mail Address (cas0@math.nagoya-u.ac.jp ...), ID ... Source Code, CAS-ACL: http://www.math.nagoya-u.ac.jp/~naito/casfreetest/source/ (p. 40/40)