CUWebAuth Specialized Presentation - PowerPoint PPT Presentation


Presentation Transcript

  1. CUWebAuth Technical Presentation • Pete Bosanko • Identity Management Team

  2. Introduction • Apache and IIS Web servers • Authentication using Cornell NetID • Authorization

  3. Introduction (cont.) • Website Authentication • SideCar • WebAuth (CUWebLogin) • Proxy (uportal) • Website Authorization • Permit Server • NetID • Valid User

  4. Introduction (cont.) • Apache • Solaris, AIX, Linux, Mac OS, FreeBSD, Windows, Yellow Dog • Apache module • Integrated configuration and logging • IIS • Windows 2000 & 2003 • ISAPI Filter • Integrated configuration

  5. Getting Started • Download CUWebAuth • http://identity.cit.cornell.edu • Read release notes & documentation • Request a srvtab and register your server • http://identity.cit.cornell.edu • Install CUWebAuth • Basic CUWebAuth configuration • Configure restricted pages

  6. CUWebAuth System

  7. CUWebAuth Access Stages • Authentication • Verify site cookie • Try SideCar • Possibly redirect to cuweblogin.cit.cornell.edu • Authorization • Check valid NetID • Possibly send message to Permit server to verify • Allow or deny access to restricted resource

  8. CUWebLogin • User goes to protected URL • CUWebAuth redirects to cuweblogin.cit.cornell.edu • User logs in • cuweblogin session cookie issued (cornell.edu, one time use) • cuweblogin redirects to original URL • CUWebAuth verifies cuweblogin cookie, destroys cookie • CUWebAuth session cookie issued • Web page access granted

  9. How CUWebLogin works [Diagram: message flow between "Web Server - CUWebAuth" and "CUWebLogin - Server". Labels: Request Restricted resource; CUWlRequest; PendID; Redir : CUWebLogin : PendID; CUWebLogin Page; Submit Netid & Passwd; CUWlVerify; Ok, Netid; Redir : Orig page : CUWebLogin cookie; Serve Requested page]

  10. CUWebLogin Processes

  11. CUWebAuth After Login • User goes to protected URL • CUWebAuth decrypts and verifies CUWebAuth cookie • Web page access granted

  12. Single Sign-On • curelogin cookie (cuweblogin.cit.cornell.edu) • User logs in once, keeps browser open • Can move between sites without repeating log in

  13. Single Sign-On

  14. POST Data • CUWebAuth uses hidden fields • Click to Proceed page • POST data carried via hidden fields @ cuweblogin.cit.cornell.edu • Works best with SSL • IIS Performance

  15. CUWebAuth Major Issues • SideCar vulnerabilities • Helpdesk handles WebSite issues • Closing browser = logout • Stale ticket cache • Multiple address registrations for clusters • URL truncation issue • Need self-service for srvtab and CUWebAuth registration

  16. CUWebAuth Vulnerabilities • Site Cookie Replay (non-SSL) • Use of require valid-user • SideCar issues • Keeping up-to-date on CUWA releases • srvtab file needs to have access restricted • IIS – keep up on latest patches • Website security best practices

  17. Roadmap • Moving toward open-source (ongoing) • Interim Release 1.3.x? (Spring '06) • Support for Apache 2.2 • Bug Fixes • Kerberos 5 Release 1.4 (Summer '06) • K5 Only • Addresses major issues • Grouper/Signet (Spring '07)

  18. Help • Web: http://identity.cit.cornell.edu • Get a srvtab • Download CUWebAuth • Lookup CUSSP error codes • Manage Permits • E-mail: aadssupport@cornell.edu • Get help • Report a bug • Feature requests

  19. CUWebAuth Questions / Comments
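
A simplified model of the cookie handoff on slides 8 and 11, added here as an illustration and not CUWebAuth's own code. The class and method names are hypothetical, and HMAC signing stands in for whatever cookie encryption CUWebAuth actually uses; NetIDs are assumed not to contain "|".

```python
import hashlib
import hmac
import secrets
import time

class LoginServer:
    """Stand-in for cuweblogin: hands out one-time-use login cookies."""
    def __init__(self):
        self._pending = {}                      # token -> NetID

    def issue(self, netid):
        token = secrets.token_urlsafe(32)
        self._pending[token] = netid
        return token

    def verify(self, token):
        return self._pending.pop(token, None)   # verify and destroy in one step

class Site:
    """Stand-in for a CUWebAuth-protected web server."""
    def __init__(self, login_server, lifetime=3600):
        self._login = login_server
        self._key = secrets.token_bytes(32)     # per-site secret (assumption)
        self._lifetime = lifetime

    def _mac(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def redeem(self, login_token, now=None):
        """Exchange a one-time login cookie for a site session cookie."""
        netid = self._login.verify(login_token)
        if netid is None:
            return None                         # unknown or already used
        now = time.time() if now is None else now
        payload = f"{netid}|{int(now + self._lifetime)}"
        return f"{payload}|{self._mac(payload)}"

    def check(self, cookie, now=None):
        """Return the NetID if the session cookie is authentic and unexpired."""
        try:
            payload, mac = cookie.rsplit("|", 1)
            netid, expires = payload.split("|")
            expires = int(expires)
        except (AttributeError, ValueError):
            return None
        if not hmac.compare_digest(mac.encode(), self._mac(payload).encode()):
            return None
        now = time.time() if now is None else now
        return netid if now < expires else None
```

The one-time login cookie cannot be redeemed twice, but an intact session cookie passes `check` on every presentation until it expires, which is why slide 16 lists site cookie replay as a risk on non-SSL sites.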