CAS and Shib More Perfect Together

Bill Thompson, CISSP, Director IAM, Unicon
Dima Kopylenko, Software Architect, Unicon
June 10-15, 2012
2012 Jasig Sakai Conference
Growing Community; Growing Possibilities

About Bill
395 days - Director, IAM Practice, Unicon
◦ IAM Practice, CAS/Shib/Grouper, CAS Steering Committee, CAS 3.5 Roadmap, CISSP
2.5 years - Senior Associate Director, Princeton University
◦ .NET CAS Client, Enterprise WebSSO Strategy
6 years - Associate Director, Rutgers University
◦ myRutgers (uPortal 2/3), Jasig CAS Project, uPortal Release Engineer, Jasig Board of Directors
http://www.linkedin.com/in/wgthom

About Dima
1 year - Software Architect, IAM Practice, Unicon
◦ CAS/Shib/Grouper, CAS Contributor, CAS-Shib AuthN, SWF Shib IdP
9 years - Software Architect, Rutgers University
◦ Java Web Application Architecture, Spring Committer, Jasig CAS, Inspektr
http://www.github.com/dima767

About Unicon
Trusted Partner since 1993
Expertise in Open Source Software for Education
Professional Services for uPortal, Sakai, CAS, Shib, Grouper, and soon Student Success Plan
Innovative Cooperative Support Program

Agenda
Enterprise WebSSO
CAS
Shibboleth
CAS and Shib more perfect together
◦ REMOTE_USER
◦ ExternalAuthn
shib-cas-authenticator
◦ architecture
◦ demo
CAS, Shib and ADFS...WAT?
ShibCAS

Enterprise WebSSO
User experience and expectations
Existing IAM architecture and infrastructure
Enterprise Portal
Closed source "COTS" enterprisey systems: Peoplesoft, Banner,...
Home-grown: ASP, .NET, ColdFusion, Perl, Python, PHP, Ruby, Java, GWT, Zope,...
CAS OOTB supported: Sakai, uPortal, TWiki, Atlassian, WordPress, Zimbra,...
The hard cases: OWA, IMAP,...
Federation - InCommon

CAS is great!
Flexible user experience
◦ SSO Session logout
◦ Opt-in/out of SSO per application
◦ Flexible login/logout flow via SWF
Supple, Extensible, Elegant
◦ Multi-protocol - CAS, SAML*, OAuth,...
◦ Spring configuration
◦ Easy to deploy, scale and operate
Simple protocol with wide range of clients and OOTB support
Huge adoption across Higher Education

Shib is great too!
Robust SAML implementation
InCommon Federation
Growing list of "Cloud"-based SAML Service Providers
Levels of Assurance
Federal ICAM
National Strategy for Trusted Identities in Cyberspace

CAS and Shib Perfect Together...
CASify the Shib server
REMOTE_USER
SAML features not supported
◦ isPassive
◦ forceAuth

CAS and Shib More Perfect Together...
Shib ExternalAuth API
shib-cas-authenticator
isPassive == gateway
forceAuth == renew

[Architecture diagram: Shibboleth Identity Provider (SAML, Attribute Resolver, External AuthN) alongside Jasig CAS (Enterprise Web SSO, Primary Authentication, ClearPass, OAuth/OpenId Providers, LDAP/AD), serving Shib SPs in the InCommon Federation, Google Apps* and other SaaS, Campus Web Applications and the Enterprise Portal]

[Architecture diagram: Shib External AuthN delegating to Jasig CAS; CAS ST validate with ClearPass; Enterprise Portal as CAS client, with an Email Preview Portlet obtaining username/password for IMAP]
Shib/CAS SSO domains bridged
User only interacts with CAS login flow
CAS controls SSO Session
Shib SSO turned off

CAS Shib Demo
Even more perfect together

Request Sequence

CASShib
SAML -> CAS
CASShib "Shibbolizes" the CAS server and enables end applications to get authentication information from CAS rather than the Shibboleth Service Provider.
CAS Client -> CAS (SP) -> IdP and back again...
/casshib/shib/myservice/login

ADFS -> Shib -> CAS...WAT?
ADFS -> Shib -> CAS -> OpenId...
Tech Demo Wednesday at 5:45pm

Resources
CAS Shib Integration
https://github.com/Unicon/shib-cas-authenticator
https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration
Other CAS Integrations
https://github.com/Unicon/cas-blackboard-learn
https://github.com/Unicon/cas-webadvisor
https://github.com/Unicon/cas-owa-2010
https://github.com/Unicon/cas-chalk-wire-webapp

Thanks!
Bill Thompson, CISSP, Director IAM, Unicon, [email protected]
Dima Kopylenko, Software Architect, Unicon, [email protected]
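The "isPassive == gateway" and "forceAuth == renew" mapping on the "CAS and Shib More Perfect Together..." slide, as an added example that is not code from the shib-cas-authenticator project: a small model of how a Shib ExternalAuthn handler would turn one SAML AuthnRequest into a CAS login redirect and then interpret what CAS sends back. The CAS and IdP URLs are constructed placeholders.

```python
# Added example (not from shib-cas-authenticator): bridge a SAML AuthnRequest
# to a CAS /login redirect and read the result. URLs below are constructed.
from urllib.parse import urlencode, urlparse, parse_qs

CAS_LOGIN = "https://cas.example.edu/cas/login"          # constructed
CALLBACK = "https://idp.example.edu/idp/Authn/External"  # constructed


def cas_login_url(is_passive: bool, force_authn: bool) -> str:
    """Build the CAS /login redirect for one SAML AuthnRequest.

    isPassive == gateway: CAS must not prompt; if no SSO session exists it
    redirects back with no ticket.  ForceAuthn == renew: CAS must ignore the
    existing SSO session and re-collect primary credentials.
    """
    if is_passive and force_authn:
        # The CAS protocol leaves gateway together with renew undefined, and a
        # login redirect cannot re-authenticate without prompting, so refuse.
        raise ValueError("isPassive and ForceAuthn cannot both be satisfied")
    params = {"service": CALLBACK}
    if is_passive:
        params["gateway"] = "true"
    if force_authn:
        params["renew"] = "true"
    return f"{CAS_LOGIN}?{urlencode(params)}"


def interpret_cas_return(callback_url: str, is_passive: bool) -> dict:
    """Decide what the ExternalAuthn handler reports back to the IdP.

    "ticket": CAS issued a service ticket (still to be validated, e.g. via
    /serviceValidate or ClearPass) -- never trust the principal before that.
    "NoPassive": a gateway request came back empty; the IdP answers the SP
    with a SAML NoPassive status instead of failing.
    "error": an interactive request came back without a service ticket.
    """
    query = parse_qs(urlparse(callback_url).query)
    ticket = query.get("ticket", [None])[0]
    if ticket and ticket.startswith("ST-"):   # service tickets start with ST-
        return {"status": "ticket", "ticket": ticket}
    if is_passive:
        return {"status": "NoPassive"}
    return {"status": "error"}
```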