CUWebAuth Technical Presentation


Transcripts
Slide 1

CUWebAuth Technical Presentation
Pete Bosanko, Identity Management Team

Slide 2

Introduction
- Apache and IIS web servers
- Authentication using the Cornell NetID
- Authorization

Slide 3

Introduction (cont.)
- Website authentication: SideCar; WebAuth (CUWebLogin); Proxy (uPortal)
- Website authorization: Permit Server; NetID; valid user

Slide 4

Introduction (cont.)
- Apache: Solaris, AIX, Linux, Macintosh OS, FreeBSD, Windows, Yellow Dog; Apache module; integrated configuration and logging
- IIS: Windows 2000 & 2003; ISAPI filter; integrated configuration

Slide 5

Getting Started
- Download CUWebAuth: http://identity.cit.cornell.edu
- Read the release notes & documentation
- Request a srvtab and register your server: http://identity.cit.cornell.edu
- Install CUWebAuth
- Basic CUWebAuth setup
- Configure restricted pages

Slide 6

CUWebAuth System (diagram)

Slide 7

CUWebAuth Access Stages
- Authentication: verify the website cookie; try SideCar; possibly redirect to cuweblogin.cit.cornell.edu
- Authorization: check for a valid NetID; possibly send a message to the Permit server to confirm; allow or deny access to the restricted resource

Slide 8

CUWebLogin
- User goes to a protected URL
- CUWebAuth redirects to cuweblogin.cit.cornell.edu
- User signs in
- cuweblogin session cookie issued (cornell.edu domain, one-time use)
- cuweblogin redirects to the original URL
- CUWebAuth verifies the cuweblogin cookie, then destroys the cookie
- CUWebAuth session cookie issued
- Web page access granted

Slide 9

How CUWebLogin works (sequence diagram between the web server running CUWebAuth and the CUWebLogin server; message labels recovered from the slide, in flow order)
- Request restricted resource (browser to web server / CUWebAuth)
- Redir: CUWebLogin : PendID
- CUWlRequest
- CUWebLogin page
- Submit NetID & password
- CUWlVerify; OK, NetID
- Redir: Orig page : CUWebLogin cookie
- Serve requested page

Slide 10

CUWebLogin Processes (diagram)

Slide 11

CUWebAuth After Login
- User goes to a protected URL
- CUWebAuth decodes and verifies the CUWebAuth cookie
- Web page access granted

Slide 12

Single Sign-On
- curelogin cookie (cuweblogin.cit.cornell.edu)
- User signs in once and keeps the browser open
- Can move between sites without repeating the sign-in

Slide 13

Single Sign-On (diagram)

Slide 14

POST Data
- CUWebAuth uses hidden fields
- "Click to Proceed" page
- POST data is carried through hidden fields at cuweblogin.cit.cornell.edu
- Works best with SSL
- IIS performance

Slide 15

CUWebAuth Major Issues
- SideCar vulnerabilities
- Helpdesk handles website issues
- Closing the browser = logout
- Stale ticket cache
- Multiple site registrations for groups
- URL truncation issue
- Need self-service for srvtab and CUWebAuth registration

Slide 16

CUWebAuth Vulnerabilities
- Site cookie replay (non-SSL)
- Use of "require valid-user" (any authenticated NetID is authorized)
- SideCar issues
- Keeping current on CUWA releases
- srvtab file needs restricted access
- IIS: keep up on the latest patches
- Website security best practices
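The login flow that slides 7 through 11 describe, together with the two points this slide raises about login-cookie replay and "require valid-user", modelled as an added Python example. This is not CUWebAuth's or CUWebLogin's code: the class names LoginServer and WebServer, the helper run_demo, the user credentials and the HMAC-over-shared-key check (standing in for the srvtab/Kerberos trust between the two servers) are all constructed for illustration. The web server issues a PendID and redirects, the login server verifies the password and mints a one-time cookie, the web server verifies the cookie, marks its nonce as consumed so a replay is refused, issues its own session cookie, and then runs the authorization stage, where a "valid-user" permit accepts any NetID while a permit set restricts access to listed NetIDs.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the srvtab-based trust between
# CUWebAuth and the CUWebLogin server (assumption; the real trust is Kerberos).
SHARED_KEY = b"constructed-demo-key"


def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class LoginServer:
    """Stands in for cuweblogin.cit.cornell.edu (constructed model)."""

    def __init__(self, key: bytes, users: dict):
        self.key = key
        self.users = users        # netid -> password (constructed sample users)
        self.pending = {}         # PendID -> original URL

    def cuwl_request(self, pend_id: str, orig_url: str) -> str:
        # CUWlRequest: remember where to send the user after a successful login
        self.pending[pend_id] = orig_url
        return "CUWebLogin page"

    def cuwl_verify(self, pend_id: str, netid: str, password: str):
        # CUWlVerify: check the password, then mint a one-time login cookie
        if pend_id not in self.pending or self.users.get(netid) != password:
            return None
        orig_url = self.pending.pop(pend_id)
        body = f"{secrets.token_hex(8)}:{netid}"          # nonce:netid
        return {"redirect": orig_url, "CUWebLogin": body + ":" + _mac(self.key, body)}


class WebServer:
    """Stands in for a web server running CUWebAuth (constructed model)."""

    def __init__(self, key: bytes, permits: dict):
        self.key = key
        self.permits = permits    # path -> "valid-user" or a set of permitted NetIDs
        self.consumed = set()     # nonces of login cookies already used (replay guard)
        self.sessions = {}        # CUWebAuth session cookie -> netid

    def handle(self, path: str, cookies: dict) -> dict:
        resp = {}
        # Stage 1: authentication (session cookie, else one-time login cookie, else redirect)
        netid = self.sessions.get(cookies.get("CUWebAuth", ""))
        if netid is None and "CUWebLogin" in cookies:
            netid = self._consume_login_cookie(cookies["CUWebLogin"])
            if netid is None:
                return {"status": 403, "reason": "bad or replayed login cookie"}
            session = secrets.token_hex(16)
            self.sessions[session] = netid
            resp["set_cookie"] = {"CUWebAuth": session}
        if netid is None:
            return {"status": 302, "redirect": "cuweblogin",
                    "PendID": secrets.token_hex(8), "orig": path}
        # Stage 2: authorization against the permit for this path
        permit = self.permits.get(path, set())
        if permit == "valid-user" or netid in permit:
            resp.update(status=200, netid=netid)
        else:
            resp.update(status=403, reason="NetID not permitted")
        return resp

    def _consume_login_cookie(self, cookie: str):
        try:
            nonce, netid, mac = cookie.split(":")
        except ValueError:
            return None
        if not hmac.compare_digest(mac, _mac(self.key, f"{nonce}:{netid}")):
            return None           # forged or altered cookie
        if nonce in self.consumed:
            return None           # one-time cookie presented again: replay
        self.consumed.add(nonce)
        return netid


def run_demo() -> dict:
    """Drive the full exchange and return the HTTP status of each step."""
    login = LoginServer(SHARED_KEY, {"abc123": "constructed-password"})
    web = WebServer(SHARED_KEY, {"/any": "valid-user", "/staff": {"xyz789"}})
    r1 = web.handle("/any", {})                                   # no cookies: redirect
    login.cuwl_request(r1["PendID"], r1["orig"])                  # browser follows redirect
    r2 = login.cuwl_verify(r1["PendID"], "abc123", "constructed-password")
    r3 = web.handle(r2["redirect"], {"CUWebLogin": r2["CUWebLogin"]})  # first use: accepted
    r4 = web.handle("/any", {"CUWebLogin": r2["CUWebLogin"]})     # second use: replay refused
    session = r3["set_cookie"]["CUWebAuth"]
    r5 = web.handle("/any", {"CUWebAuth": session})               # session cookie (slide 11)
    r6 = web.handle("/staff", {"CUWebAuth": session})             # valid NetID, not permitted
    return {"first": r1["status"], "login": r3["status"], "replay": r4["status"],
            "session": r5["status"], "staff": r6["status"]}


if __name__ == "__main__":
    print(run_demo())
```

The replay guard is what the slide-8 phrase "destroys cookie" amounts to in this model: once a nonce is in the consumed set, presenting the same login cookie again is refused, which is also why the cookie must travel over SSL, since a cookie captured in transit is only useful to whoever presents it first. The "/any" path shows the "require valid-user" case from this slide: every authenticated NetID gets through, so a site that meant to restrict access must attach a permit list instead.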

Slide 17

Roadmap
- Moving toward open source (ongoing)
- Interim release 1.3.x? (Spring '06): support for Apache 2.2; bug fixes; Kerberos 5
- Release 1.4 (Summer '06): K5 only; addresses major issues
- Grouper/Signet: Spring '07

Slide 18

Help
- Web: http://identity.cit.cornell.edu (get a srvtab; download CUWebAuth; look up CUSSP error codes; manage permits)
- E-mail: aadssupport@cornell.edu (get help; report a bug; feature requests)

Slide 19

CUWebAuth Questions/Comments
