CUWebAuth Technical Presentation

Pete Bosanko

Identity Management Team

Introduction
  • Apache and IIS Web servers
  • Authentication using Cornell NetID
  • Authorization
Introduction (cont.)
  • Website Authentication
    • SideCar
    • WebAuth (CUWebLogin)
    • Proxy (uportal)
  • Website Authorization
    • Permit Server
    • NetID
    • Valid User
Introduction (cont.)
  • Apache
    • Solaris, AIX, Linux, Mac OS, FreeBSD, Windows, Yellow Dog
    • Apache module
    • Integrated configuration and logging
  • IIS
    • Windows 2000 & 2003
    • ISAPI Filter
    • Integrated configuration
Getting Started
  • Download CUWebAuth
    • http://identity.cit.cornell.edu
  • Read release notes & documentation
  • Request a srvtab and register your server
    • http://identity.cit.cornell.edu
  • Install CUWebAuth
  • Basic CUWebAuth configuration
  • Configure restricted pages
CUWebAuth Access Stages
  • Authentication
    • Verify site cookie
    • Try SideCar
    • Possibly redirect to cuweblogin.cit.cornell.edu
  • Authorization
    • Check valid NetID
    • Possibly send message to Permit server to verify
  • Allow or deny access to restricted resource
CUWebLogin
  • User goes to protected URL
  • CUWebAuth redirects to cuweblogin.cit.cornell.edu
  • User logs in
  • cuweblogin session cookie issued (cornell.edu, one time use)
  • cuweblogin redirects to original URL
  • CUWebAuth verifies cuweblogin cookie, destroys cookie
  • CUWebAuth session cookie issued
  • Web page access granted
How CUWebLogin works

[Diagram: message flow between the web server (CUWebAuth) and the CUWebLogin server. Labels: Request Restricted resource; CUWlRequest; PendID; Redir : CUWebLogin : PendID; CUWebLogin Page; Submit Netid & Passwd; CUWlVerify; Ok, Netid; Redir : Orig page : CUWebLogin cookie; Serve Requested page]

CUWebAuth After Login
  • User goes to protected URL
  • CUWebAuth decrypts and verifies CUWebAuth cookie
  • Web page access granted
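
Added example (not part of the original slides and not CUWebAuth code): a minimal model of the two cookies described above, a one-time login token that the web server verifies and then destroys, and a site session cookie checked on later requests. The HMAC-signed token format, the key names and all function names are assumptions made for illustration; the slides say CUWebAuth decrypts its cookie, and that mechanism is replaced here by a signature check. The Secure attribute keeps the browser from sending the site cookie over non-SSL connections.

```python
import hashlib, hmac, secrets, time

LOGIN_KEY = secrets.token_bytes(32)  # assumed: shared by login server and web server
SITE_KEY = secrets.token_bytes(32)   # assumed: known only to this web server
_used_nonces = set()                 # login tokens already redeemed ("destroys cookie")

def _seal(key, *fields):
    """Join fields with '|' and append an HMAC-SHA256 tag (hypothetical format)."""
    body = "|".join(fields)
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _open(key, token):
    """Return the list of fields if the tag verifies, otherwise None."""
    body, _, tag = token.rpartition("|")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body.split("|") if hmac.compare_digest(tag.encode(), good.encode()) else None

def issue_login_token(netid, now=None):
    """Login server: short-lived, single-use token returned with the redirect."""
    now = time.time() if now is None else now
    return _seal(LOGIN_KEY, netid, secrets.token_hex(16), str(int(now) + 60))

def redeem_login_token(token, now=None):
    """Web server: verify once, record the nonce, return a Set-Cookie value or None."""
    now = time.time() if now is None else now
    fields = _open(LOGIN_KEY, token)
    if fields is None:
        return None                      # forged or altered token
    netid, nonce, expires = fields
    if now > int(expires) or nonce in _used_nonces:
        return None                      # expired, or a replay of a used token
    _used_nonces.add(nonce)
    session = _seal(SITE_KEY, netid, str(int(now) + 3600))
    return f"site_session={session}; Secure; HttpOnly; Path=/"

def check_session(cookie_value, now=None):
    """Later requests: verify the site cookie and return the NetID, or None."""
    now = time.time() if now is None else now
    fields = _open(SITE_KEY, cookie_value)
    if fields is None or now > int(fields[1]):
        return None
    return fields[0]
```

A NetID containing "|" would break this field format, so a real token format would need unambiguous encoding of each field.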
Single Sign-On
  • curelogin cookie (cuweblogin.cit.cornell.edu)
  • User logs in once, keeps browser open
  • Can move between sites without repeating log in
POST Data
  • CUWebAuth uses hidden fields
  • Click to Proceed page
  • POST data carried via hidden fields @ cuweblogin.cit.cornell.edu
  • Works best with SSL
  • IIS Performance
CUWebAuth Major Issues
  • SideCar vulnerabilities
  • Helpdesk handles WebSite issues
  • Closing browser = logout
  • Stale ticket cache
  • Multiple address registrations for clusters
  • URL truncation issue
  • Need self-service for srvtab and CUWebAuth registration
CUWebAuth Vulnerabilities
  • Site Cookie Replay (non-SSL)
  • Use of require valid-user
  • SideCar issues
  • Keeping up-to-date on CUWA releases
  • srvtab file needs to have access restricted
  • IIS – keep up on latest patches
  • Website security best practices
Roadmap
  • Moving toward open-source (ongoing)
  • Interim Release 1.3.x? (Spring '06)
    • Support for Apache 2.2
    • Bug Fixes
  • Kerberos 5 Release 1.4 (Summer '06)
    • K5 Only
    • Addresses major issues
  • Grouper/Signet (Spring '07)
Help
  • Web: http://identity.cit.cornell.edu
    • Get a srvtab
    • Download CUWebAuth
    • Look up CUSSP error codes
    • Manage Permits
  • E-mail: aadssupport@cornell.edu
    • Get help
    • Report a bug
    • Feature requests
CUWebAuth

Questions / Comments