
CUWebAuth and CUWebLogin 2.0

Identity Management Team. Campus Developers Meeting, June 4, 2008. K5 Migration Project timeline: CUWA 2.0 Alpha, CUWA 2.0 Beta, K5 Permit Server, CUWA 2.0 Production Release, You Are Here, Campus Rollout Complete, K4 Shutdown?


Presentation Transcript


  1. CUWebAuth and CUWebLogin 2.0. Identity Management Team, Campus Developers Meeting, June 4, 2008

  2. K5 Migration Project (timeline figure)
     • Milestones: CUWA 2.0 Alpha, CUWA 2.0 Beta, K5 Permit Server, CUWA 2.0 Production Release, You Are Here, Campus Rollout Complete, K4 Shutdown?
     • Phases: Testing, Discretionary migration window, Buffer
     • Time axis: months from Dec to Jun, with year labels 2008 and 2009

  3. https://confluence.cornell.edu/display/CUWAL/Cornell%27s+CUWebLogin+Pages

  4. https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0 Documentation

  5. What's New in 2.0
     • Kerberos 5 only
     • Open-source
     • GSSAPI
     • Better Security
     • Better Performance
     • Simplified Administration
     • Flexible Authorization Model
     • New POST Data Handling
     • Better Support

  6. Changes for Kerberos 5
     • Keytabs not Srvtabs
     • ServiceID Self-Service Application
     • Create your own keytabs
     • Create your own ServiceID
     • Delegate authority
     • No More SideCar
     • No More Legacy CUSSP Library

  7. Open System
     • Documented Standards-based APIs
     • Full Source Code Available
     • Localize
     • Porting
     • Customization

  8. Custom Tools
     • Credential Creation & Parsing
     • PermitG / Grouper lookup

  9. GSSAPI
     • IETF - RFC 2743
     • C Bindings
     • Java Bindings
     • Wide OS Acceptance

  10. Better Security
     • CUWebLogin - Kerberos Proxy
     • No Credential Minting
     • Better MITM Attack Prevention

  11. Performance
     • CUWebLogin 1.0
     • 20 logins/sec per server
     • Single Server
     • CUWebLogin 2.0
     • 200+ logins/sec per server
     • Load Balanced
     • 4 Servers

  12. WebAuth Administration
     • Fewer Directives
     • 26 Directives Obsolete
     • 5-6 New Ones
     • Better Logging
     • Fine Grained
     • .htaccess
     • VirtualHost Security Domain

  13. Flexible Authorization (Active Content)
     • New Directives, more than remote-user…
     • Allow anonymous access
     • List group permissions
     • Pass cuwa-groups to application
     • How long ago did user login?
     • Inspect cuwa-auth-time
     • Pass cuwa-delegated-cred to application

  14. POST Data
     • No More “Click to Continue”
     • POST Data Handled By WebAuth
     • Request Data Stays at Website
     • Can Handle Larger POSTs
     • Same Support Apache / IIS

  15. Better Support
     • Apache and IIS – One Code Base
     • 64-bit clean
     • Thread safe
     • No Name Collisions
     • Shared Library Compatibility (Unix)
     • Problem with Binary? Rebuild It!
     • Short List of Binaries
     • RedHat, Solaris, Windows
     • Apache 2.0, 2.2, IIS 6
     • Wiki Documentation

  16. Release Schedule
     • Apache Go-Live: Now
     • IIS Go-Live: one month-ish

  17. Q&A
     • Pete Bosanko, pb10@cornell.edu
     • Tom Parker, jtp5@cornell.edu
     • idmgmt@cornell.edu
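
An added example, not part of the presentation and not CUWebAuth's own code, of how an application might act on the values slide 13 says WebAuth can pass to it: exact group matching on cuwa-groups and a login-freshness check on cuwa-auth-time. The slide names these values but not their format, so the environment key names, the comma-separated group list and the epoch-seconds timestamp are assumptions, as are the 15-minute policy and the sample user.

```python
import time

MAX_AUTH_AGE = 15 * 60  # hypothetical policy: 15 minutes for sensitive actions

# Constructed sample of what the application might receive. Key names, the
# comma-separated group list and the epoch-seconds timestamp are ASSUMPTIONS.
# In CGI/WSGI, client headers arrive with an HTTP_ prefix, so unprefixed keys
# like these can only be set on the server side.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "abc123",
    "CUWA_GROUPS": "staff, grades-admin",
    "CUWA_AUTH_TIME": "1212580000",
}


class AuthzError(Exception):
    """The request must be denied or sent back through login."""


def parse_groups(raw):
    """Return the set of group names, so matching is exact, not by substring."""
    return {g.strip() for g in (raw or "").split(",") if g.strip()}


def authorize(environ, required_group, max_age=MAX_AUTH_AGE, now=None):
    """Return the user name if group and login-freshness policy are both met."""
    now = time.time() if now is None else now
    user = environ.get("REMOTE_USER")
    if not user:
        raise AuthzError("anonymous request")
    if required_group not in parse_groups(environ.get("CUWA_GROUPS")):
        raise AuthzError("user is not in " + required_group)
    try:
        auth_time = int(environ.get("CUWA_AUTH_TIME"))
    except (TypeError, ValueError):
        # Fail closed: a missing or malformed timestamp is never "fresh".
        raise AuthzError("no usable login time")
    age = now - auth_time
    if age < 0 or age > max_age:
        # A negative age is a timestamp from the future: reject it too.
        raise AuthzError("login is stale or post-dated; re-authenticate")
    return user
```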
