
Minimally Invasive Enterprise IdM

Andrew Petro, Software Developer

Unicon, Inc.

Fall 2010 Internet2 Membership meeting, Atlanta, GA

03 November 2010

© Copyright Unicon, Inc., 2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Agenda

1. Introduction

2. Case Study: WRI

3. Dissection

4. Going Beyond

5. Unicon


Introduction


Introduction

● Andrew Petro; Software Developer; Unicon, Inc.


My employer: Unicon

● Liferay Partner
● Jasig Partner / CAS Solutions Provider
● InCommon Affiliate

Summary

● Using existing LDAP and CAS support to
● Shibbolize and enable federated authentication into a vendor application
● With minimal change to the vendor application

Case Study: Workforce Retraining Initiative

http://portal.workforceretrainingus.com

What's interesting about this?

● Single sign on
● Delegated authentication without credential replay
● Multiple sources of identities, while retaining Liferay's self-service account creation capabilities
● Minimally invasive, minimal changes required to Liferay

The (very) basic idea

● Liferay portal
● Moodle learning management system
● Jasig CAS single sign on between these

Diagram: Jasig CAS (Single Sign On), Liferay (portal), Moodle (learning management system)

Liferay as Unauthenticated Website

Screenshot: "Login via CAS"

Liferay user creation

Diagram: accounts created in Liferay are stored in OpenLDAP

Login via CAS

Diagram: CAS authenticates the user against OpenLDAP

Liferay as Authenticated Portal


Moodle as LMS


The basic idea

● Create accounts (via Liferay) and store in OpenLDAP
● Authenticate users via CAS (against LDAP)
● Moodle and Liferay query LDAP for attributes

Diagram: CAS, Liferay, Moodle, OpenLDAP

Surface Moodle data in Liferay


Most of the idea

● Create accounts (via LR) and store in LDAP
● Authenticate users via CAS (against LDAP)
● Moodle and Liferay query LDAP for attributes
● Users delegate ability to access Moodle to Liferay via CAS

Diagram: CAS, Liferay, Moodle, OpenLDAP

Federated Authentication


Liferay as Authenticated Portal


Concepts


Single Sign-On

● Login once, authenticate to multiple applications


Liferay CAS support


Jasig CAS

● Open source
● Web single sign on

Delete your login forms.


Apps do not touch passwords

Diagram: CAS (applications authenticate through CAS rather than handling passwords)

Passwords are problematic

● My password is “johan”
● Your password will vary
  – Depending on the name of your dog


Applications rely on enterprise SSO

Diagram: Liferay, Moodle, Webex Support and Request Tracker all relying on enterprise SSO


Delegated Authentication

● System B authenticates to System C on behalf of Person A

● That is, A delegates authentication to B for the purpose of authenticating to C

Diagram: Person A, System B, System C

Delegation example

Diagram: Liferay Email Preview Portlet authenticating to an IMAP Server

Credential Replay

● Special (blunt) case of delegated authentication

● System B can authenticate on behalf of Person A because B borrows the credentials (password!) of A

Diagram: Liferay Email Portlet replaying the user's Password to the IMAP Server

Diagram: Password Replay: the Portal holds the user's password (PW) and each Portlet replays it to a Password-Protected Service

Authenticating Services to Services

● Credential replay?
● Service credentials and trust relationships?
● Topological restrictions?
● Sure, but what about the “on behalf of a user” part?

CAS proxy tickets

Diagram: Liferay's MyCoursesPortlet presents a CAS “proxy ticket” (not the end user's password) to Moodle, which validates it through its CAS client library and returns XML representing course data
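The proxy-ticket exchange in the diagram, together with the "topological restrictions" question from the Authenticating Services to Services slide, as an added example in Python (not the Jasig CAS server or client code; the service URLs, usernames and trusted-proxy list are assumptions):

```python
# Constructed toy model of the CAS proxy-ticket flow in the slides; it is an
# illustration only, not Jasig CAS code. URLs and usernames are made up.
import secrets

class CasServer:
    def __init__(self, users):
        self.users = users    # username -> password (stand-in for OpenLDAP)
        self.tickets = {}     # ticket -> (kind, user, service, proxy_chain)

    def _issue(self, kind, user, service, chain):
        ticket = f"{kind}-{secrets.token_hex(8)}"
        self.tickets[ticket] = (kind, user, service, chain)
        return ticket

    def login(self, user, password, service):
        # Only CAS checks the password; the application gets a service ticket.
        if self.users.get(user) != password:
            return None
        return self._issue("ST", user, service, [])

    def validate(self, ticket, service, pgt_callback=None):
        # Tickets are single-use and bound to the service they were issued for.
        kind, user, svc, chain = self.tickets.pop(ticket, (None,) * 4)
        if kind not in ("ST", "PT") or svc != service:
            return None
        # A service that registers a callback gets a PGT; every PT derived from
        # that PGT carries the callback in its proxy chain.
        pgt = self._issue("PGT", user, None, chain + [pgt_callback]) if pgt_callback else None
        return user, chain, pgt

    def proxy(self, pgt, target):
        kind, user, _, chain = self.tickets.get(pgt, (None,) * 4)
        return self._issue("PT", user, target, chain) if kind == "PGT" else None

MOODLE = "https://moodle.example/cas"
PORTAL_CALLBACK = "https://portal.example/pgtCallback"

def moodle_accepts(cas, pt, trusted_proxies):
    # Validate the PT, then apply a topological restriction: every proxy in the
    # chain must be trusted. The end user's password is never involved.
    result = cas.validate(pt, MOODLE)
    if result is None:
        return None
    user, chain, _ = result
    return user if all(p in trusted_proxies for p in chain) else None

def portal_fetches_courses(cas, user, password, trusted_proxies):
    # Portal: log in via CAS, validate the ST to obtain a PGT, proxy to Moodle.
    st = cas.login(user, password, "https://portal.example/")
    if st is None:
        return None
    _, _, pgt = cas.validate(st, "https://portal.example/", PORTAL_CALLBACK)
    return moodle_accepts(cas, cas.proxy(pgt, MOODLE), trusted_proxies)
```

Moodle accepts the request only when the proxy chain consists solely of portals it trusts, and a proxy ticket presented to any other service, or presented twice, is rejected.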

Delegated SAML Assertions

Diagram: Liferay's MyCoursesPortlet presents a Delegated SAML Assertion (not the end user's password) to Moodle (e.g. behind a Shib SP), which returns XML representing course data

Federated Authentication


Federated Authentication

● Like Single Sign-On
● With multiple providers of identity (“Identity Providers” == IdPs)

Shibboleth

● Open source
● Federated Web single sign on
● SAML
● Just-in-time release of attributes

Liferay

● Supports multiple means of authentication
  – Including CAS
● Supports syncing in user attributes and user groupings from LDAP
● Does not particularly support SAML or Shibboleth


CASShib

● Open source CAS extensions

● Allowing CAS to bridge to Shibboleth

● Applications consume CAS abstraction

● CASShib implements Shibboleth to allow federation

Diagram: Moodle and Liferay consume CAS; CAS is backed by OpenLDAP (WRI accounts) and by a Shib SP, which federates to a Shib IdP in front of the Netacad Credential Store

Minimally Invasive Advanced IdM

Diagram: Liferay obtains Account Creation, User Attributes and Authentication via the CAS abstraction (CASShib), which bridges to LDAP and, via SAML, to the Federation

Minimally invasive Advanced IdM

● Configure Liferay to use CAS (CASShib)
● Configure CASShib to bridge to Shib
● JIT provision OpenLDAP from CASShib (customized login Web flow)
● Configure LR to consume attributes from LDAP
● Ta da! Liferay is effectively Shibbolized, without having to modify Liferay to particularly support SAML for authentication or as a source of user attributes
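The "JIT provision OpenLDAP from CASShib" step, as an added example in Python rather than CASShib's own login web flow; the attribute names, the base DN, the IdP scope and the in-memory directory standing in for OpenLDAP are assumptions:

```python
# Constructed sketch of just-in-time provisioning of a federated user into the
# directory that also holds Liferay's self-service accounts. Not CASShib code;
# attribute names, base DN and IdP scope are assumptions.
LDAP_BASE = "ou=people,dc=wri,dc=example"
TRUSTED_SCOPE = "netacad.example"   # assumed scope of the federated IdP

def jit_provision(directory, assertion_attrs):
    """Create or refresh the LDAP entry for a federated user.

    directory: dict DN -> attribute dict, standing in for OpenLDAP.
    assertion_attrs: attributes released by the IdP and passed on by the Shib SP.
    Returns (dn, created); raises ValueError when the assertion is unusable.
    """
    eppn = assertion_attrs.get("eduPersonPrincipalName")
    if not eppn or "@" not in eppn:
        raise ValueError("assertion lacks a usable eduPersonPrincipalName")
    local, scope = eppn.rsplit("@", 1)
    # Scope check: accept only principals in the scope this IdP is trusted for,
    # so a foreign assertion cannot be mapped onto a local account.
    if scope != TRUSTED_SCOPE:
        raise ValueError(f"unexpected scope {scope!r}")
    # Keep the scope inside uid so federated entries can never collide with
    # the self-service WRI accounts that Liferay creates in the same directory.
    uid = f"{local}@{scope}"
    dn = f"uid={uid},{LDAP_BASE}"
    entry = {
        "objectClass": ["inetOrgPerson"],
        "uid": [uid],
        "mail": [assertion_attrs.get("mail", eppn)],
        "givenName": [assertion_attrs.get("givenName", "")],
        "sn": [assertion_attrs.get("sn", local)],
    }
    created = dn not in directory
    if created:
        # No userPassword is set: a federated entry authenticates only through
        # the Shib path, never through a CAS password login against LDAP.
        directory[dn] = entry
    else:
        # Re-sync the just-in-time attributes on every login, leave the rest alone.
        directory[dn].update({k: v for k, v in entry.items() if k != "objectClass"})
    return dn, created
```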


What's interesting about this?

● Single sign on
● Delegated authentication without credential replay
● Multiple sources of identities, while retaining Liferay's self-service account creation capabilities
● Minimally invasive, minimal changes required to Liferay

Going Beyond


ClearPass

● Free and Open Source Software
● Extending CAS to...
  – capture the end user's password at login
  – And selectively release this password to authorized applications
● Like, say, an enterprise portal

Diagram: Password Replay Alongside PTs: the Portal holds the PW from ClearPass and a PGT from CAS; Portlets replay the PW to Password-Protected Services and present PTs to a CAS-Protected Service

Liferay 5 extensions

● http://github.com/wgthom/Cas3Liferay5
● Use Jasig Java CAS Client library
● Obtain PT
● Use PT to obtain Password from ClearPass
● Place password into session where Liferay expects it
● Portlets use it as normal

Summary

● Using existing LDAP and CAS support to
● Shibbolize and enable federated authentication into a vendor application
● With minimal change to the vendor application

Questions & Answers

Andrew Petro, Software Developer, Unicon, Inc.

[email protected]/blog/apetro