CUWebAuth Technical Presentation

Pete Bosanko, Identity Management Team


Presentation Transcript


  1. CUWebAuth Technical Presentation Pete Bosanko Identity Management Team

  2. Introduction • Apache and IIS Web servers • Authentication using Cornell NetID • Authorization

  3. Introduction (cont.) • Website Authentication • SideCar • WebAuth (CUWebLogin) • Proxy (uportal) • Website Authorization • Permit Server • NetID • Valid User

  4. Introduction (cont.) • Apache • Solaris, AIX, Linux, Mac OS, FreeBSD, Windows, Yellow Dog • Apache module • Integrated configuration and logging • IIS • Windows 2000 & 2003 • ISAPI Filter • Integrated configuration

  5. Getting Started • Download CUWebAuth • http://identity.cit.cornell.edu • Read release notes & documentation • Request a srvtab and register your server • http://identity.cit.cornell.edu • Install CUWebAuth • Basic CUWebAuth configuration • Configure restricted pages

  6. CUWebAuth System

  7. CUWebAuth Access Stages • Authentication • Verify site cookie • Try SideCar • Possibly redirect to cuweblogin.cit.cornell.edu • Authorization • Check valid NetID • Possibly send message to Permit server to verify • Allow or deny access to restricted resource

  8. CUWebLogin • User goes to protected URL • CUWebAuth redirects to cuweblogin.cit.cornell.edu • User logs in • cuweblogin session cookie issued (cornell.edu, one time use) • cuweblogin redirects to original URL • CUWebAuth verifies cuweblogin cookie, destroys cookie • CUWebAuth session cookie issued • Web page access granted

  9. How CUWebLogin works • [Diagram: messages exchanged between the web server (CUWebAuth) and the CUWebLogin server. Labels: Request restricted resource; CUWlRequest; PendID; Redir: CUWebLogin: PendID; CUWebLogin page; Submit NetID & password; Redir: orig page: CUWebLogin cookie; CUWlVerify; Ok, NetID; Serve requested page]

  10. CUWebLogin Processes

  11. CUWebAuth After Login • User goes to protected URL • CUWebAuth decrypts and verifies CUWebAuth cookie • Web page access granted

  12. Single Sign-On • curelogin cookie (cuweblogin.cit.cornell.edu) • User logs in once, keeps browser open • Can move between sites without repeating log in

  13. Single Sign-On

  14. POST Data • CUWebAuth uses hidden fields • Click to Proceed page • POST data carried via hidden fields @ cuweblogin.cit.cornell.edu • Works best with SSL • IIS Performance

  15. CUWebAuth Major Issues • SideCar vulnerabilities • Helpdesk handles WebSite issues • Closing browser = logout • Stale ticket cache • Multiple address registrations for clusters • URL truncation issue • Need self-service for srvtab and CUWebAuth registration

  16. CUWebAuth Vulnerabilities • Site Cookie Replay (non-SSL) • Use of require valid-user • SideCar issues • Keeping up-to-date on CUWA releases • srvtab file needs to have access restricted • IIS – keep up on latest patches • Website security best practices

  17. Roadmap • Moving toward open-source (ongoing) • Interim Release 1.3.x? (Spring ’06) • Support for Apache 2.2 • Bug Fixes • Kerberos 5 Release 1.4 (Summer ’06) • K5 Only • Addresses major issues • Grouper/Signet (Spring ’07)

  18. Help • Web: http://identity.cit.cornell.edu • Get a srvtab • Download CUWebAuth • Lookup CUSSP error codes • Manage Permits • E-mail: aadssupport@cornell.edu • Get help • Report a bug • Feature requests

  19. CUWebAuth Questions / Comments
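
The login handoff from slides 8 and 9 and the site cookie check from slide 11, as an added Python sketch that is not CUWebAuth code. The class, function names and the HMAC-signed cookie format are assumptions made for illustration; the slides say the real site cookie is encrypted and give no formats.

```python
import hashlib, hmac, secrets, time

SITE_KEY = secrets.token_bytes(32)  # per-site cookie key (assumed)

class LoginServer:
    """Toy model of the central login service (hypothetical)."""
    def __init__(self):
        self._pending = {}  # PendID -> original URL
        self._tickets = {}  # one-time login cookie -> (netid, original URL)

    def request(self, orig_url):
        """Web server registers the pending request and gets a PendID."""
        pend_id = secrets.token_urlsafe(16)
        self._pending[pend_id] = orig_url
        return pend_id

    def login(self, pend_id, netid):
        """User has authenticated (password check omitted): issue the cookie."""
        orig_url = self._pending.pop(pend_id)  # KeyError on an unknown PendID
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (netid, orig_url)
        return ticket, orig_url

    def verify(self, ticket, url):
        """Web server redeems the cookie; pop() destroys it on first use."""
        netid, orig_url = self._tickets.pop(ticket, (None, None))
        return netid if netid and orig_url == url else None

def _mac(body):
    return hmac.new(SITE_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_site_cookie(netid, ttl=3600, now=None):
    """Site session cookie: netid|expiry|MAC (signed here, not encrypted)."""
    exp = int((time.time() if now is None else now) + ttl)
    body = f"{netid}|{exp}"
    return f"{body}|{_mac(body)}"

def check_site_cookie(cookie, now=None):
    """Return the NetID if the cookie is authentic and unexpired, else None."""
    try:
        netid, exp, mac = cookie.split("|")
        expires = int(exp)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(f"{netid}|{exp}").encode()):
        return None
    current = time.time() if now is None else now
    return netid if expires >= current else None
```

A site cookie captured off a non-SSL connection still passes `check_site_cookie` until it expires: the MAC and expiry stop forgery, not replay, which is the replay case slide 16 lists.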
