CAS 2 Single Sign On
May 31, 2007 ITRC p. 1/29

Plan of Talk
- Brief survey of Single Sign On using CAS
- Brief survey of Authorization Environment using CAS 2
- Summary
p. 2/29

Example: IP
p. 3/29

(Diagram) UserID / Password -> DB; Single Sign On -> DB
p. 4/29
Brief survey of SSO using CAS
CAS (Central Authentication Service): Web Application Single Sign On (SSO); Yale University, JA-SIG; Open Source.
Mechanisms used: Cookie, HTTP redirection, JavaScript, SSL (https).
(Diagram) Web Application <-> DB; DB; DB; Web Application; CAS
p. 5/29

Brief... using CAS > Usual Authentication
(Diagram) Web Browser -> (1) Web Application -> Web Application DB; Web Browser -> (2) Web Application -> Web Application DB; USER DB
p. 6/29

Brief... using CAS > AuthN mechanism of CAS
(Diagram) Web Browser; CAS Server (USER DB, AuthN Data); Web Application (CAS client library, Web Application DB).
Arrows: AuthN; Sending Ticket Data / Its Reply.
p. 7/29

Brief... using CAS
(Diagram) Web Browser -> (1) AuthN -> CAS Server (USER DB, AuthN Data); Web Application -> (2) Sending Ticket Data / Its Reply -> CAS Server; App. SSL... CAS App.
p. 8/29

Brief... using CAS > AuthN mechanism of CAS
Ticket Granting Cookie (TGC): a Cookie held by the Browser (Browser <-> CAS Server).
Service Ticket (ST): passed to the App. as a URL Parameter; a One Time Ticket; the App. validates the ST with the CAS Server.
p. 9/29

Brief... using CAS
CAS ST, App. (fixed in the current version); CAS Server -> App.: User ID; POST method.
CAS 2: Authorization
p. 10/29
Brief survey of Authorization Environment using CAS 2
CAS 2 (Central Authentication and Authorization Service)
(Diagram) CAS: ST -> App. -> DB; CAS Server -> App. CAS 2: Web Application with CAS 2 module.
CAS 2 access control decides: FOR WHICH (URL of Web Application), WHO (User), WHEN (Access Time), FROM WHERE (Client).
p. 11/29

Brief... using CAS 2 > Access Control List
CAS 2 CAS-ACL entry:
  dn: cn=entry1,ou=gakumu,ou=cas,o=nagoyauniv
  cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
  cas-service: https://app.*\.mynu\.jp/.+
  cas-attributes: uid,mail
Meaning: URL matches https://app.*\.mynu\.jp/.+; uid is naito; Access time is between 2005/10/10 and 2005/11/10; Client IP is in 133.6.130.0/24.
p. 12/29

Brief... using CAS 2 > Access Control List
(Same CAS-ACL entry as p. 12/29.)
cas-attributes: the attributes (uid, mail) that CAS 2 returns to the App.
p. 13/29
CAS 2 ...
p. 14/29

CAS Server; CAS Server access log; 1000, 3000; Oracle
p. 15/29

ID, ..., CAS, DB, LDAP...
p. 16/29

ID, DB...; CAS...; CAS DB...; CAS DB, DB, App., CAS
p. 17/29

CAS-ACL; Role Management = Identity Management; Role Management = ...
p. 18/29
SSO, PKI
p. 19/29

IC Card with PKI: IC Card, BBS, light PKI, IC Card Reader; BBS; SSO/AuthZ
p. 20/29

Example: CAS 2 SSO requirements
requirement: ...; requirement: ..., BBS; requirement: ...
p. 21/29

Example: 3-tiered security hierarchy
Level 2 (X509, per p. 25/29)
Level 1: Username/Password authentication
Level 0: Subscriber ID
Level assignments: ... = Level 2; ... = Level 1; BBS = Level 0
p. 22/29

Multiple-tiered security hierarchy in CAS 2
(Diagram) Level 2 User <-> Level 2 Application; Level 1 User <-> Level 1 Application; Level 0 User <-> Level 0 Application
p. 23/29

CAS 2 security hierarchy
CAS-ACL carries a security level. CAS-ACL decides: FOR WHICH (URL of Web Application), WHO (User), WHEN (Access Time), FROM WHERE (Client), HOW (Security Level).
CAS 2 multiple-tiered AuthN sequence.
p. 24/29

... > CAS 2 ... > security level in CAS-ACL
  dn: cn=entry1,ou=gakumu,ou=cas,o=nagoyauniv
  cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
  cas-security-hierarchy: X509
  cas-service: https://app.*\.mynu\.jp/.+
  cas-attributes: uid,mail
URL https://app.*\.mynu\.jp/.+; this ACL entry requires X509 (Level 2).
p. 25/29
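The CAS-ACL entry above combines a cas-allow filter, a cas-service URL pattern and a cas-security-hierarchy level. As an added example, not code from these slides or from the CAS 2 project, the following Python evaluates such an entry against one request; the conjunctive filter semantics, the level mapping (X509 = 2, username/password = 1, subscriber ID = 0), the rule that the user's authentication level must be at least the entry's level, and the request-context field names are all assumptions.

```python
import re
import ipaddress

# Constructed CAS-ACL entry, copied from the slide (LDAP-style attributes).
ACL_ENTRY = {
    "cas-allow": "(&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))",
    "cas-security-hierarchy": "X509",
    "cas-service": r"https://app.*\.mynu\.jp/.+",
    "cas-attributes": "uid,mail",
}

# Assumed mapping of the 3-tier hierarchy: X509 = 2, password = 1, subscriber ID = 0.
LEVELS = {"SUBSCRIBER": 0, "PASSWORD": 1, "X509": 2}

# One filter term: (attr op value), op is one of =, >=, <=
_TERM = re.compile(r"\((\w+)(>=|<=|=)([^()]+)\)")


def parse_allow(filter_str):
    """Parse a conjunctive cas-allow filter '(&(a=b)(c>=d)...)' into (attr, op, value) terms."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only conjunctive (&...) filters are supported in this example")
    return _TERM.findall(filter_str[2:-1])


def term_matches(attr, op, value, ctx):
    """Evaluate one term against the request context (assumed semantics)."""
    if attr == "ip":  # CIDR membership test for the client address
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(value, strict=False)
    actual = ctx[attr]
    if op == "=":
        return actual == value
    # Dates are YYYYMMDD strings, so plain string comparison orders them correctly.
    return actual >= value if op == ">=" else actual <= value


def evaluate(entry, ctx):
    """Return (allowed, released_attributes) for a request context.

    Deny unless: the service URL matches cas-service, the user's authentication
    level reaches the entry's cas-security-hierarchy, and every cas-allow term holds.
    """
    if not re.fullmatch(entry["cas-service"], ctx["service"]):
        return False, []
    required = LEVELS[entry.get("cas-security-hierarchy", "SUBSCRIBER")]
    if LEVELS[ctx["auth_method"]] < required:
        return False, []
    terms = parse_allow(entry["cas-allow"])
    if not all(term_matches(a, op, v, ctx) for a, op, v in terms):
        return False, []
    return True, entry["cas-attributes"].split(",")
```

A CAS 2 client would run this decision before releasing the listed attributes to the application; any failing clause (wrong service, too-low level, date outside the window, client outside the subnet) yields a deny with no attributes.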
Summary
CAS 2 SSO/AuthZ. CAS 2 SSO/AuthZ. CAS-ACL. SSO/AuthZ.
p. 26/29

CAS 2: http://www.math.nagoya-u.ac.jp/~naito/cas-square/
p. 27/29

References
- ..., CAS, 47 (2006) 1127-1135.
- Naito, Kajita, Hirano, Mase, "Multiple-tiered Security Hierarchy for Web Applications Using Central Authentication and Authorization Service", Proceedings of the Middleware Workshop at the IEEE International Symposium on Applications and the Internet (SAINTW 2007), Hiroshima, Japan (2007).
p. 28/29

Q and A
p. 29/29