Central Authentication and Authorization Service (CAS 2): Web Application Single Sign On and Authorization (CAS 2 SSO/AuthZ)
Jan. 30 2007, p. 1/40

Plan of Talk
- Brief survey of Single Sign On using CAS
- Brief survey of Authorization Environment using CAS 2
- Summary
(Introductory slides; only the figure labels were recovered: an example with client IP addresses, per-application UserID/Password DBs versus one Single Sign On DB, and adopting CAS for SSO.)
Brief survey of SSO using CAS
CAS (Central Authentication Service)
- A Single Sign On (SSO) system for Web applications
- Originated at Yale University, now maintained by JA-SIG; Open Source
- Built only from standard Web mechanisms: Cookie, HTTP redirection, JavaScript, SSL (https)
- Web applications no longer each keep their own user DB: authentication is delegated to the CAS server

Brief... using CAS > Usual Authentication
- The Web browser logs in to Web Application 1, which checks the credentials against its own user DB
- Web Application 2 has its own user DB and asks the user to log in again
- Every application stores credentials and implements its own login
Brief... using CAS > AuthN mechanism of CAS
- The Web browser authenticates once against the CAS Server, which checks the AuthN data against the USER DB (over SSL)
- Each Web Application embeds the CAS client library
- The application never handles the password: it sends ticket data to the CAS Server and receives the reply (the AuthN result), again over SSL
- Applications 1 and 2 share the one CAS Server and USER DB instead of holding per-application user DBs
Brief... using CAS > AuthN mechanism of CAS
Two kinds of ticket:
- Ticket Granting Cookie (TGC): a cookie that the browser holds for the CAS Server; it proves that the user has already logged in
- Service Ticket (ST): handed to the application as a URL parameter; a one-time ticket that the application sends to the CAS Server for validation. ST = the application's proof that the user was authenticated

Brief... using CAS > AuthN mechanism of CAS (first login)
1. Access: the Web browser requests https://app.foo/ (the Web Application)
2a. Redirection: the application redirects the browser to the CAS Server
2b. Login Window: the browser has no TGC, so the CAS Server shows its login window
3a. Input User ID/Password
3b. Authentication: the CAS Server checks them against the User DB
3c. Result
4. Redirection with TGC/ST: the CAS Server sets the TGC in the browser and redirects back to the application with an ST
5a. Send ST: the application sends the ST to the CAS Server
5b. Validation Result: the CAS Server reports whether the ST is valid and for which user
6. Response: the application answers the original request
Brief... using CAS > AuthN mechanism of CAS (second application, TGC already held)
1. Access: the browser requests another CAS-enabled application (https://app.foo/)
2a. Redirection to the CAS Server; the browser sends its TGC with the request
- The CAS Server recognises the TGC: no Login Window is shown and the User DB is not consulted again
4. Redirection with ST: back to the application, which sends the ST for validation as before
This is the Single Sign On: one login, then every CAS-enabled application
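The ticket exchange on the preceding slides, as an added example that is not part of the original talk or of the CAS code base: a toy CAS server that issues a TGC on login, mints one-time STs bound to one application URL, and validates them for the application. The class and function names, the in-memory user store and the ST lifetime are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Added example, not CAS code: a toy model of the ticket exchange on the slides
# (TGC held by the browser, one-time ST bound to one application, validation
# by the application against the CAS server). Names, the user store and the
# ST lifetime are assumptions made for the example.

ST_TTL_SECONDS = 300  # assumed service ticket lifetime


@dataclass
class ServiceTicket:
    service: str        # application URL the ST was issued for
    user: str
    issued_at: float
    used: bool = False


class CasServer:
    def __init__(self, user_db, now=time.time):
        self.user_db = user_db   # constructed {user_id: password} store
        self.now = now           # injectable clock so expiry can be exercised
        self.tgcs = {}           # TGC value -> user_id
        self.sts = {}            # ST value -> ServiceTicket

    def login(self, user, password):
        """Steps 3a-3c: check the password, mint the Ticket Granting Cookie."""
        if self.user_db.get(user) != password:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgcs[tgc] = user
        return tgc

    def issue_st(self, tgc, service):
        """Step 4: with a valid TGC, mint a one-time ST bound to `service`."""
        user = self.tgcs.get(tgc)
        if user is None:
            return None              # no TGC: the login window must be shown first
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = ServiceTicket(service, user, self.now())
        return st

    def validate(self, st, service):
        """Steps 5a/5b: the application sends the ST and its own URL. Returns the
        user ID, or None if the ST is unknown, already used, issued for another
        application, or expired."""
        t = self.sts.get(st)
        if t is None or t.used:
            return None
        if t.service != service:
            return None              # ST presented by a different application
        if self.now() - t.issued_at > ST_TTL_SECONDS:
            return None
        t.used = True                # one-time: any replay fails from now on
        return t.user


class Browser:
    """Stands in for the browser cookie jar that holds the TGC."""
    def __init__(self):
        self.tgc = None


def access(cas, browser, service, credentials=None):
    """Steps 1-6 for one application. `credentials` is the (user, password)
    typed into the login window, or None if the user is never asked. Returns
    the user ID the application accepted, or None."""
    st = cas.issue_st(browser.tgc, service)      # 2a: redirect to CAS with the TGC
    if st is None:                               # 2b: login window
        if credentials is None:
            return None
        browser.tgc = cas.login(*credentials)    # 3a-3c
        if browser.tgc is None:
            return None
        st = cas.issue_st(browser.tgc, service)
    # 4: redirect back to e.g. https://app.foo/?ticket=<st>; the application
    # reads the ticket parameter and validates it server-to-server (5a/5b)
    return cas.validate(st, service)             # 6: respond if not None


def demo():
    cas = CasServer({"naito": "secret"})
    browser = Browser()
    first = access(cas, browser, "https://app.foo/", ("naito", "secret"))
    second = access(cas, browser, "https://app2.foo/")   # no login: TGC reused
    return first, second


if __name__ == "__main__":
    print(demo())
```

The second call to access() never shows a login window because the browser already carries the TGC, which is the SSO behaviour of the slide above; validate() enforces the two properties that make the ST safe to pass through the URL: it can be redeemed once only, and only by the application it was issued for.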
Brief... using CAS > Limitations of CAS
- An issue with how the application handles the ST (noted on the slide as fixed in the current version)
- The CAS Server tells the application only the User ID (the slide also mentions the POST method)
- CAS decides only who the user is; it performs no authorization. This is what CAS 2 adds

Brief survey of Authorization Environment using CAS 2
CAS 2 (Central Authentication and Authorization Service)
- Extends CAS: before issuing an ST the CAS Server consults an access control DB, so the application receives an ST only when access is permitted
- A CAS 2 module is added on the Web application side
- Access control rules state:
  FOR WHICH (URL of Web Application)
  WHO (User)
  WHEN (Access Time)
  FROM WHERE (Client)
Brief... using CAS 2 > Access Control List
CAS 2 keeps its access control list (CAS-ACL) as LDAP entries:

    dn: cn=entry1,ou=gakumu,ou=cas,o=nagoyauniv
    cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
    cas-service: https://app.*\.mynu\.jp/.+
    cas-attributes: uid,mail

Reading this entry:
- cas-service (FOR WHICH): a regular expression over the application URL; this entry applies to https://app.*\.mynu\.jp/.+
- cas-allow: an LDAP-filter-style condition. Access is allowed when uid is naito (WHO), the access time is between 2005/10/10 and 2005/11/10 (WHEN), and the client IP is within 133.6.130.0/24 (FROM WHERE)
- cas-attributes: the user attributes (here uid and mail) that the CAS Server passes to the application together with the validation result, so the application need not keep its own user DB
Brief... using CAS 2 > AuthZ mechanism of CAS 2
At redirection, before any ST is issued:
1a. Authorization: the CAS Server looks up the application URL in the CAS-ACL and evaluates the entry
1b. Result: allowed, or Access Denied (no ST is issued and the browser is not redirected back)
2. Redirection with ST

At validation, after the application has received the ST:
3. Send ST: the application sends the ST together with its own URL to the CAS Server
4a. Authorization: the CAS-ACL is evaluated again for that URL
4b. Result
5. Validation
6. Response
The ST is bound to the application URL and the check is repeated at validation, so an ST that a Man-in-Middle Attack captures and presents to a different application is rejected.

Invalid ST:
1. Access
2. Send ST: the application forwards an invalid ST
3a. Authorization against the CAS-ACL
3b. Result
4. Invalid: the CAS Server rejects the ST
5. Redirection: the application sends the browser back to the CAS Server (or reports Access Denied)
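An evaluator for the CAS-ACL entry of the Access Control List slide and the authorization steps above, as an added example that is not part of the talk or of the CAS 2 implementation. The entry text is copied from the slide; the parsing rules, the request field names (uid, date, ip, service) and the authorize() function are assumptions made for the example.

```python
import ipaddress
import re

# Added example, not the CAS 2 implementation: a small evaluator for the CAS-ACL
# entry format on the slides. The entry text is copied from the slide; the parsing
# rules, request field names and authorize() are assumptions made for the example.

ACL_TEXT = r"""
dn: cn=entry1,ou=gakumu,ou=cas,o=nagoyauniv
cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
cas-service: https://app.*\.mynu\.jp/.+
cas-attributes: uid,mail
"""


def parse_entries(text):
    """LDIF-like text -> list of dicts, one per 'dn:' block."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "dn":
            entries.append({})
        entries[-1][key] = value
    return entries


def parse_filter(s):
    """LDAP-style filter -> tree: ('&'|'|', [kids]) or ('item', attr, op, value),
    op in =, >=, <=. Whitespace (such as the slide's line wrap) is ignored."""
    s = re.sub(r"\s+", "", s)

    def node(pos):
        if s[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if s[pos] in "&|":
            op, pos, kids = s[pos], pos + 1, []
            while s[pos] == "(":
                kid, pos = node(pos)
                kids.append(kid)
            tree = (op, kids)
        else:
            end = s.index(")", pos)
            m = re.fullmatch(r"([A-Za-z0-9-]+)(>=|<=|=)(.+)", s[pos:end])
            if not m:
                raise ValueError("bad item: " + s[pos:end])
            tree, pos = ("item",) + m.groups(), end
        if s[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return tree, pos + 1

    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing characters in filter")
    return tree


def match_item(attr, op, value, req):
    """One (attr op value) test. ip=net/prefix means 'client address inside this
    network'; date values compare as YYYYMMDD integers; anything else as text."""
    actual = req.get(attr)
    if actual is None:
        return False
    if attr == "ip":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if attr == "date":
        actual, value = int(actual), int(value)
    return {"=": actual == value, ">=": actual >= value, "<=": actual <= value}[op]


def evaluate(tree, req):
    if tree[0] == "&":
        return all(evaluate(k, req) for k in tree[1])
    if tree[0] == "|":
        return any(evaluate(k, req) for k in tree[1])
    return match_item(tree[1], tree[2], tree[3], req)


def authorize(entries, req):
    """FOR WHICH (cas-service regex on the URL), then WHO / WHEN / FROM WHERE
    (cas-allow). Returns the cas-attributes to release to the application,
    or None for Access Denied (no ST is issued)."""
    for e in entries:
        if not re.fullmatch(e["cas-service"], req["service"]):
            continue                      # entry is for another application
        if evaluate(parse_filter(e["cas-allow"]), req):
            return e["cas-attributes"].split(",")
    return None


ENTRIES = parse_entries(ACL_TEXT)
# Constructed request: the user, the access date, the client IP and the URL
REQUEST = {"uid": "naito", "date": "20051020", "ip": "133.6.130.77",
           "service": "https://app1.mynu.jp/index"}

if __name__ == "__main__":
    print(authorize(ENTRIES, REQUEST))    # ['uid', 'mail']
```

The same authorize() call is what steps 1a and 4a above perform: once with the URL the browser asked for, and once with the URL the application reports when it validates the ST. A request whose uid, date, client network or service URL does not match yields None, which is the Access Denied branch.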
CAS 2 in operation (most of the text on these slides was not recovered; the surviving items):
- CAS Server operation: the access log (the figures 1000 and 3000 appear on the slide); Oracle back end
- User ID management: the CAS user DB, backed by LDAP
- Separate user DBs per application versus the one DB behind CAS that every application relies on
- Maintaining the CAS-ACL: Role Management = Identity Management
Multiple-tiered security hierarchy
- SSO with PKI: IC Card with PKI, IC Card Reader, and a BBS that uses a lighter form of PKI; SSO/AuthZ has to span both
- Example requirements for CAS 2 SSO: one requirement for the PKI-based service, one for the BBS, and further ones (details not recovered)

Example: 3-tiered security hierarchy
- Level 2: client certificate (IC Card with PKI)
- Level 1: Username/Password authentication
- Level 0: Subscriber ID (e.g. the BBS = Level 0)

Multiple-tiered security hierarchy in CAS 2
- Level 2 User and Level 2 Application, Level 1 User and Level 1 Application, Level 0 User and Level 0 Application
- A user authenticated at a given level may use applications of that level or below; a higher-level application requires a stronger authentication
CAS 2 security hierarchy
- The CAS-ACL gains a security level: FOR WHICH (URL of Web Application), WHO (User), WHEN (Access Time), FROM WHERE (Client), HOW (Security Level)
- CAS 2 gains a multiple-tiered AuthN sequence

... > CAS 2 ... > security level in CAS-ACL

    dn: cn=entry1,ou=gakumu,ou=cas,o=nagoyauniv
    cas-allow: (&(uid=naito)(date>=20051010)(date<=20051110)(ip=133.6.130.0/24))
    cas-security-hierarchy: X509
    cas-service: https://app.*\.mynu\.jp/.+
    cas-attributes: uid,mail

The application https://app.*\.mynu\.jp/.+ is protected by this ACL entry and additionally requires X509 authentication (Level 2).
... > CAS 2 ... > Modify AuthN mechanism in CAS 2
- "Fall down" sequence: the CAS Server tries the strongest authentication first and falls back to the lower levels; the level achieved is recorded with the TGC
- CAS (version 3) is built on SpringFramework, so the multiple-tiered AuthN sequence is assembled by Dependency Injection

... > CAS 2 ... > Modify AuthN mechanism in CAS 2
Example: 3-tiered hierarchy as Spring bean definitions, one authentication handler per level, each tagged with its login level:

    <bean class="x509credentialstoprincipalhandler">
      <property name="loginlevel" value="x509"/>
    </bean>
    <bean class="bindldapauthenticationhandler">
      <property name="loginlevel" value="pin_uid"/>
    </bean>
    <bean class="subscriberidldapauthenticationhandler">
      <property name="loginlevel" value="subscriberid"/>
    </bean>

The Login Level bean lists the levels in ascending order:

    <list>
      <value>subscriberid</value>
      <value>pin_uid</value>
      <value>x509</value>
    </list>
... > CAS 2 ... > Modify AuthZ mechanism in CAS 2
Case 1: Level 2 authentication
1. Access with client certificate: the browser authenticates at Level 2, so it holds a TGC with Level 2
2. Redirection: the Web Application with Security Level 2 is allowed, and the CAS Server issues the ST

... > CAS 2 ... > Modify AuthZ mechanism in CAS 2
Case 2: Level 1 TGC, Level 2 application
1. Access: the browser holds a TGC with Level 1 and requests a Web Application with Security Level 2
2. Redirection to obtain client certification: the CAS Server does not issue an ST; it redirects the browser to authenticate with its client certificate, raises the TGC to Level 2, and only then issues the ST for the Level 2 application
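The three-level "fall down" login sequence configured by the bean list above, and the Case 1 / Case 2 decision, as an added example that is not part of the talk or of CAS 2. The handler functions stand in for the three bean classes; their logic, the user record fields, and the decide() and step_up() functions are assumptions made for the example.

```python
# Added example, not CAS 2 code: the three-level login sequence configured by the
# bean list on the slides, and the ST / step-up decision of Case 1 and Case 2.
# The handler stand-ins, the user record fields, decide() and step_up() are
# assumptions made for the example.

# Ascending order of login levels, as in the bean <list> on the slides
LOGIN_LEVELS = ["subscriberid", "pin_uid", "x509"]

# Constructed user record shared by the three handlers
USERS = {"naito": {"password": "secret", "subscriber_id": "S-1001", "cert_cn": "naito"}}


def x509_handler(cred):
    """Stand-in for x509credentialstoprincipalhandler: SSL has already verified
    the client certificate; map its subject CN to a principal."""
    cn = cred.get("cert_cn")
    return cn if cn in USERS else None


def pin_uid_handler(cred):
    """Stand-in for bindldapauthenticationhandler: user ID plus password."""
    uid = cred.get("uid")
    if uid in USERS and USERS[uid]["password"] == cred.get("password"):
        return uid
    return None


def subscriberid_handler(cred):
    """Stand-in for subscriberidldapauthenticationhandler: Subscriber ID only."""
    for uid, rec in USERS.items():
        if rec["subscriber_id"] == cred.get("subscriber_id"):
            return uid
    return None


HANDLERS = {"x509": x509_handler, "pin_uid": pin_uid_handler,
            "subscriberid": subscriberid_handler}


def authenticate(cred):
    """'Fall down' sequence: try the strongest handler first and fall back.
    Returns (user, login level recorded in the TGC) or None."""
    for level in reversed(LOGIN_LEVELS):
        user = HANDLERS[level](cred)
        if user is not None:
            return user, level
    return None


def required_level(acl_entry):
    """cas-security-hierarchy value (e.g. 'X509') -> level name; absent -> lowest."""
    value = acl_entry.get("cas-security-hierarchy", LOGIN_LEVELS[0]).lower()
    if value not in LOGIN_LEVELS:
        raise ValueError("unknown security level: " + value)
    return value


def decide(tgc_level, acl_entry):
    """Case 1: TGC level >= application level -> 'issue-st'.
    Case 2: TGC level below it -> 'step-up:<level>': redirect the browser to
    present the stronger credential before any ST is issued."""
    need = required_level(acl_entry)
    if LOGIN_LEVELS.index(tgc_level) >= LOGIN_LEVELS.index(need):
        return "issue-st"
    return "step-up:" + need


def step_up(tgc, cred):
    """Re-run the sequence with the newly presented credential; the TGC keeps
    the higher of its old level and the level just achieved. A credential for
    a different user, or none, leaves the TGC unchanged."""
    result = authenticate(cred)
    if result is None or result[0] != tgc["user"]:
        return tgc
    best = max(tgc["level"], result[1], key=LOGIN_LEVELS.index)
    return {"user": tgc["user"], "level": best}


if __name__ == "__main__":
    entry = {"cas-security-hierarchy": "X509"}          # Level 2 application
    user, level = authenticate({"uid": "naito", "password": "secret"})
    tgc = {"user": user, "level": level}                # TGC with Level 1
    print(decide(tgc["level"], entry))                  # step-up:x509
    tgc = step_up(tgc, {"cert_cn": "naito"})            # browser presented its certificate
    print(decide(tgc["level"], entry))                  # issue-st
```

The order of LOGIN_LEVELS is the only place the hierarchy is encoded: the bean list supplies it, authenticate() walks it from the top, and decide() compares positions in it, so adding a fourth tier is a one-line change.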
Summary
- CAS 2 provides Single Sign On and authorization (SSO/AuthZ) for Web applications on top of CAS
- Authorization decisions are driven by the CAS-ACL (FOR WHICH, WHO, WHEN, FROM WHERE, HOW)
- A multiple-tiered security hierarchy lets one SSO/AuthZ environment cover applications with different security levels
- CAS 2 is currently a Beta Version

References
- (Japanese paper on CAS; authors and title not recovered), vol. 47 (2006), pp. 1127-1135.
- Naito, Kajita, Hirano, Mase, "Multiple-tiered Security Hierarchy for Web Applications Using Central Authentication and Authorization Service", Proceedings of the Middleware Workshop, IEEE International Symposium on Applications and the Internet (SAINT 2007), Hiroshima, Japan (2007).

Q and A