
CAS Federation
Federation Across Multiple CAS Domains for Browsers and REST Clients

David Ohsie
June 06, 2013

Transcript

  1. Federated CAS
     Federation Across Multiple CAS Domains for Browsers and REST Clients
     © Copyright 2013 EMC Corporation. All rights reserved.
     David Ohsie, EMC Corporation ([email protected])
     John Field, Pivotal ([email protected])
     Vijaya Bharadwaj, Pivotal ([email protected])
  2. Background
      EMC is an Apereo Commercial Affiliate
      EMC ships CAS embedded in software (and later some hardware) platforms in order to integrate software into a coherent whole
      The three authors (David, John, Vijaya) work on CAS adoption across EMC products
      I (David) participate on the CAS user list and the CAS appsec working group

  3. Use Cases
      Hierarchical/User Visible Federation
       – One or more independent CAS instances
       – User selects which one they want (some similarity in concept to OpenID, SAML federation)
      Federating CAS instances across Datacenters (Peer-Peer Federation)
       – You have two sets of applications in different datacenters, but want to SSO between them
       – Could also be used for HA
       – See "High Availability in Hurricane Alley - Multi-site Multi-node CAS Deep in the Heart of Texas", Srinivas Varadaraj, Bill Thompson (use Google)

  4. Non use-case
      Nothing in this talk deals with identity federation or attribute federation
       – You probably want to be using Shibboleth also.

  5. Client-Visible (Hierarchical) Federation
     [Diagram: a Portal App w/CAS, two Element Managers each w/CAS, and an Enterprise AD/LDAP behind them]
     1. Client 1 accesses the Portal
     2. Link and Launch an Element Manager from the Portal
     3. Client 2 directly accesses an Element Manager

  6. Solution Element #1: CASified CAS
     [Diagram: Client; Portal Cluster (Portal, Portal CAS); Element Manager Cluster (Element Manager behind mod_auth_cas, EM CAS)]
     Assume an SSO session is already established with Portal CAS.
     1. Element Manager 302s the client to EM CAS
     2. Client requests an ST from EM CAS; EM CAS 302s to Portal CAS
     3. Client requests an ST from Portal CAS
     4. Client requests an ST from EM CAS with the Portal CAS ticket; EM CAS 302s to the Element Manager
     5. Client requests the Element Manager with the ST from EM CAS

  7. Solution Element #2: CAS Whitelist
      Client can request which CAS server he would like to use
       – https://em.emc.com/?casHome=LOCAL
       – https://em.emc.com/?casHome=PORTAL
      mod_auth_cas client has a whitelist
       – CASWhitelist LOCAL https://emCas/cas/login https://emCAS/cas/samlValidate
       – CASWhitelist PORTAL https://portal/cas/login https://portal/cas/samlValidate

  8. CAS whitelist continued
      In "default" mode, the CAS client will extract and copy the casHome parameter:
       – GET https://em.emc.com/?casHome=PORTAL
       – 302 Location: https://emcas.emc.com/login?service=https%3A%2F%2Fem.emc.com%2F&casHome=PORTAL
      In "federation" mode, casHome tells the CAS client where to forward to and where to validate the ticket.
      The underlying CAS is configured to accept remoteUser, but produce a login screen if remoteUser is not populated.
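The whitelist logic of slides 7 and 8, as an added example (not code from the deck or from mod_auth_cas). It parses CASWhitelist lines in the directive form the slide shows, then builds the login redirect for an unauthenticated request in both modes. The point worth making explicit is that casHome arrives from the client, so it is used only as a key into the whitelist and never becomes a URL: an unknown value falls back to the default entry instead of sending the browser, or the later ticket validation, to a host of the requester's choosing. The DEFAULT_HOME constant, the https-only check, and copying casHome through in default mode only when it is whitelisted are assumptions added here.

```python
"""Whitelist-keyed casHome handling for a mod_auth_cas-style CAS client (added example)."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed config, in the CASWhitelist directive form shown on the slide.
CASWHITELIST_LINES = """
CASWhitelist LOCAL  https://emCas/cas/login  https://emCAS/cas/samlValidate
CASWhitelist PORTAL https://portal/cas/login https://portal/cas/samlValidate
"""
DEFAULT_HOME = "LOCAL"   # assumed: the client's own CAS when casHome is absent or unknown


def parse_whitelist(text):
    """{NAME: (login_url, validate_url)} from 'CASWhitelist NAME login validate' lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "CASWhitelist":
            continue
        _, name, login_url, validate_url = parts
        for url in (login_url, validate_url):
            if urlsplit(url).scheme != "https":   # assumed hardening: never validate over http
                raise ValueError("whitelist entry is not https: " + url)
        entries[name] = (login_url, validate_url)
    if DEFAULT_HOME not in entries:
        raise ValueError("whitelist lacks the default entry " + DEFAULT_HOME)
    return entries


def service_url(request_url):
    """The service= value: the request URL minus ticket/casHome, which the client
    added itself.  The validate call must present the same string the ticket was
    issued for, so these must be stripped consistently."""
    parts = urlsplit(request_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in ("ticket", "casHome")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def login_redirect(whitelist, request_url, mode="default"):
    """302 Location for an unauthenticated request, plus the validate URL the
    client will later use for the returned ticket.

    default    : always the local CAS; a whitelisted casHome is copied through so
                 the CASified local CAS can forward (slide 8).
    federation : casHome selects both the login and the validate URL directly.
    In both modes casHome is only a dictionary key, never a URL, so a
    client-supplied value cannot redirect the browser or the ticket check
    outside the whitelist.
    """
    params = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    requested = params.get("casHome")
    home = requested if requested in whitelist else DEFAULT_HOME
    query = {"service": service_url(request_url)}
    if mode == "default":
        login_url, validate_url = whitelist[DEFAULT_HOME]
        if requested in whitelist:
            query["casHome"] = requested
    elif mode == "federation":
        login_url, validate_url = whitelist[home]
    else:
        raise ValueError("unknown mode: " + mode)
    return login_url + "?" + urlencode(query), validate_url
```

A casHome of `https://evil.example/cas`, or any other string not on the whitelist, is silently mapped to the local CAS in both modes; the returned validate URL is what the client must use for the ticket, since validating against a CAS the attacker controls would let them mint a remoteUser of their choice.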
  9. Access via LOCAL CAS server
     [Diagram: same components as slide 6]
     1. Element Manager 302s the client to EM CAS with casHome=LOCAL
     2. Client requests an ST from EM CAS with casHome=LOCAL
     3. Client requests the Element Manager with the ST from EM CAS

  10. CAS REST V2 Interaction
      [Sequence diagram: Client, CAS Server, Protected Service]
      Client -> Protected Service:  POST https://app.com/   X-EMC-CAS-V2: TRUE
      Protected Service -> Client:  401   WWW-Authenticate: X-EMC-CAS-V2 realm="EMC CAS"   Location: https://cas.com/cas/login?service=https://app.com&casAction=login
      Client -> CAS Server:         GET https://cas.com/cas/login?service=https://app.com&casAction=login
      CAS Server -> Client:         401   WWW-Authenticate: Basic realm="CAS"
      Client -> CAS Server:         GET https://cas.com/cas/login?service=https://app.com&casAction=login   Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
      CAS Server -> Client:         302   Location: https://app.com/?ticket=ST-12345-10.1.1.8&casAction=login
      Client -> Protected Service:  GET https://app.com/?ticket=ST-12345-10.1.1.8&casAction=login
      Protected Service -> Client:  204   Set-Cookie: MOD_AUTH_CAS_S=sldkf0fj498
      Now that the user is authenticated the POST can be repeated.
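The REST V2 exchange above, played out end to end as an added example (not code from the deck, mod_auth_cas or CAS). The three parties are plain functions passing request and response dicts, so it runs offline. The slide's point is that a non-browser client announces itself with X-EMC-CAS-V2: TRUE and receives a 401 with a Location it can follow, instead of a 302 to an HTML login form. Two things the slide leaves implicit are made explicit here, as assumptions: the protected service validates the ticket with the CAS server before it sets MOD_AUTH_CAS_S, and a service ticket is one-shot and bound to the service= it was issued for. The user database, ticket ids and cookie values are constructed; the Basic credentials are the ones the slide's header decodes to.

```python
"""CAS REST V2 exchange modelled with three in-process parties (added example)."""
import base64
import secrets
from urllib.parse import urlencode, urlsplit, parse_qsl

SERVICE_URL = "https://app.com"
CAS_LOGIN = "https://cas.com/cas/login"
USERS = {"Aladdin": "open sesame"}   # constructed; decodes from the slide's Basic header

_tickets = {}    # CAS side: ST -> (user, service it was issued for); popped on validation
_sessions = {}   # service side: MOD_AUTH_CAS_S value -> user


def _basic_challenge():
    return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="CAS"'}}


def cas_login(query, headers):
    """CAS server's /cas/login for a REST client: Basic challenge, then an ST via 302."""
    params = dict(parse_qsl(query))
    service = params.get("service")
    if not service:
        return {"status": 400}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return _basic_challenge()
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return _basic_challenge()
    expected = USERS.get(user, "")
    if not expected or not secrets.compare_digest(expected.encode(), password.encode()):
        return _basic_challenge()
    st = "ST-" + secrets.token_urlsafe(16)
    _tickets[st] = (user, service)
    location = service + "/?" + urlencode({"ticket": st, "casAction": params.get("casAction", "login")})
    return {"status": 302, "headers": {"Location": location}}


def cas_service_validate(ticket, service):
    """/serviceValidate reduced to its outcome: the user, or None.
    One-shot, and the ticket must have been issued for this exact service."""
    user, bound = _tickets.pop(ticket, (None, None))
    if user is None or bound != service:
        return None
    return user


def protected_service(method, url, headers):
    """mod_auth_cas-like front end for https://app.com."""
    params = dict(parse_qsl(urlsplit(url).query))
    cookie = headers.get("Cookie", "")
    if cookie.startswith("MOD_AUTH_CAS_S="):
        user = _sessions.get(cookie.split("=", 1)[1])
        if user:
            return {"status": 200, "body": "%s %s as %s" % (method, url, user)}
    if "ticket" in params:
        user = cas_service_validate(params["ticket"], SERVICE_URL)  # never trust the ticket string itself
        if user is None:
            return {"status": 403}
        sid = secrets.token_urlsafe(16)
        _sessions[sid] = user
        return {"status": 204, "headers": {"Set-Cookie": "MOD_AUTH_CAS_S=" + sid}}
    login = CAS_LOGIN + "?" + urlencode({"service": SERVICE_URL, "casAction": "login"})
    if headers.get("X-EMC-CAS-V2") == "TRUE":   # REST client: 401 plus Location, not an HTML redirect
        return {"status": 401, "headers": {"WWW-Authenticate": 'X-EMC-CAS-V2 realm="EMC CAS"', "Location": login}}
    return {"status": 302, "headers": {"Location": login}}


def run_exchange(user, password):
    """The client's side of the slide's sequence; returns the status of the repeated POST."""
    hdr = {"X-EMC-CAS-V2": "TRUE"}
    r = protected_service("POST", SERVICE_URL + "/", hdr)
    if r["status"] != 401:
        return r["status"]
    query = urlsplit(r["headers"]["Location"]).query
    if cas_login(query, {})["status"] != 401:   # expect the Basic challenge first
        return -1
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    r = cas_login(query, {"Authorization": "Basic " + token})
    if r["status"] != 302:
        return r["status"]
    r = protected_service("GET", r["headers"]["Location"], hdr)
    if r["status"] != 204:
        return r["status"]
    r = protected_service("POST", SERVICE_URL + "/", {**hdr, "Cookie": r["headers"]["Set-Cookie"]})
    return r["status"]


def ticket_is_single_use_and_service_bound():
    """Replaying an ST, or presenting one issued for another service, both fail."""
    token = base64.b64encode(b"Aladdin:open sesame").decode()

    def issue(service):
        r = cas_login(urlencode({"service": service}), {"Authorization": "Basic " + token})
        return dict(parse_qsl(urlsplit(r["headers"]["Location"]).query))["ticket"]

    st = issue(SERVICE_URL)
    replay_rejected = (cas_service_validate(st, SERVICE_URL) == "Aladdin"
                       and cas_service_validate(st, SERVICE_URL) is None)
    cross_rejected = cas_service_validate(issue("https://other.example"), SERVICE_URL) is None
    return replay_rejected and cross_rejected
```

Without the X-EMC-CAS-V2 header the same service returns the ordinary 302 a browser expects, so the header is what lets one mod_auth_cas deployment serve both kinds of client.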
  11. Where are we so far
       CAS client can be configured with a list of trusted CAS servers
       Client can determine which CAS server to access with the casHome query parameter
       How do we deal with the "peer-to-peer" case where the client doesn't care?

  12. Peer-Peer CAS Federation
      [Diagram: Datacenter 1 (App 1, App 2, CAS 1); Datacenter 2 (App 3, App 4, CAS 2); Client]
      1. Access App 2
      2. Authenticate at CAS 1
      3. Access App 3: reuse the SSO session!!!

  13. Lamar University Approach (mistake mine)
      [Diagram: as slide 12, with a load balancer (LB) in front of CAS 1 and CAS 2]
      1. Get ST-123-CAS1
      2. https://app3/?ticket=ST-123-CAS1
      3. https://cas/serviceValidate?ticket=ST-123-CAS1

  14. Constraints
       Make no assumptions about the deployment of load balancers
       Non-Constraint: no updates to CAS clients
       Thus, we need to take an "opposite" approach.

  15. Solution Element #3: CAS_DEFHOME Domain Cookies
       When a user successfully logs into a CAS server, the server sets the CAS_DEFHOME cookie as a "domain" cookie (e.g. emc.com)
        – Domain cookies leak information, but the information here seems relatively benign
       When mod_auth_cas sees CAS_DEFHOME, it forwards to that CAS server (if on the whitelist) with gateway=true

  16. Peer-Peer CAS Federation
      [Diagram: Datacenter 1 (App 1, App 2, CAS 1); Datacenter 2 (App 3, App 4, CAS 2); Client]
      1. Access App 2
      2. Authenticate at CAS 1; Set-Cookie: CAS_DEFHOME=CAS1
      3. Access App 4
      4. CAS2 forwards to CAS1 with gateway=TRUE
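The CAS_DEFHOME mechanism of slides 15 and 16, as an added example (not code from the deck or from mod_auth_cas). It shows the two halves: the Set-Cookie a CAS server emits after a successful login, scoped to the shared parent domain so every CAS client under it can see it, and the decision a mod_auth_cas-style client makes for an unauthenticated browser. The client treats the cookie as an untrusted lookup key, because any host under emc.com can set a domain cookie, so a CAS_DEFHOME naming anything off the whitelist is ignored. The redirect chosen via CAS_DEFHOME carries gateway=true, the CAS protocol parameter that makes the server return to the service without a login prompt when it has no SSO session for the user. The precedence order (explicit casHome, then CAS_DEFHOME, then the local default), the cookie attributes beyond Domain, and the whitelist contents are assumptions.

```python
"""CAS_DEFHOME domain cookie: issuance by CAS, consumption by the CAS client (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed whitelist of peer CAS servers, keyed the way CAS_DEFHOME names them.
WHITELIST = {
    "CAS1": "https://cas1.emc.com/cas/login",
    "CAS2": "https://cas2.emc.com/cas/login",
}
LOCAL_HOME = "CAS2"          # assumed: this client lives in datacenter 2
PARENT_DOMAIN = "emc.com"    # the "domain" of the domain cookie from slide 15


def defhome_set_cookie(home):
    """Set-Cookie header value a CAS server sends after a successful login."""
    c = SimpleCookie()
    c["CAS_DEFHOME"] = home
    c["CAS_DEFHOME"]["domain"] = PARENT_DOMAIN   # readable by every *.emc.com CAS client
    c["CAS_DEFHOME"]["path"] = "/"
    c["CAS_DEFHOME"]["secure"] = True             # assumed: never sent over plain http
    return c.output(header="").strip()


def choose_home(query_params, cookie_header):
    """Return (home, via): which whitelisted CAS to use and which signal decided it.

    Precedence (assumed): explicit casHome > CAS_DEFHOME cookie > local default.
    Both client-controlled inputs are only keys into WHITELIST; anything else is ignored.
    """
    requested = query_params.get("casHome")
    if requested in WHITELIST:
        return requested, "casHome"
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:          # malformed Cookie header: behave as if absent
        jar = SimpleCookie()
    morsel = jar.get("CAS_DEFHOME")
    if morsel is not None and morsel.value in WHITELIST:
        return morsel.value, "CAS_DEFHOME"
    return LOCAL_HOME, "default"


def defhome_login_redirect(service, query_params, cookie_header):
    """302 Location for an unauthenticated request at a mod_auth_cas-style client."""
    home, via = choose_home(query_params, cookie_header)
    q = {"service": service}
    if via == "CAS_DEFHOME":
        # gateway=true: if that CAS has no SSO session for this user it redirects
        # straight back without a ticket, so a stale cookie never strands the user
        # at a foreign login page; the client then falls through to its default.
        q["gateway"] = "true"
    return WHITELIST[home] + "?" + urlencode(q)
```

The gateway=true round trip is also what makes the benign-leak remark on slide 15 hold: the worst a forged or stale CAS_DEFHOME can do is cost one extra redirect to a CAS the client already trusts.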
  17. Open Issues
       HA across datacenters
        – Set-Cookie: CAS_RETRIES=1
        – Maybe you should be using an intelligent load balancer
       Stickiness of the casHome query parameter

  18. CAS Service Whitelist
       If a CAS client is accessible via multiple host names, then a CAS service whitelist can be used.
       The HOST header is matched against the whitelist; if there is a match it is used, otherwise the default is used

  19. Summary
       Use CASified CAS to enable CAS login/validation to be directed elsewhere
       Use the casHome query parameter to pick the CAS location off of a whitelist
       Use the CAS_DEFHOME domain cookie to enable selection of a CAS server when any one is good enough