This document provides an overview of the CAS (Central Authentication Service) and Shibboleth identity management systems. It describes CAS as an open source single sign-on system that allows web applications to avoid storing user passwords by redirecting authentication to a central service. Shibboleth is described as enterprise federated identity software based on SAML standards that allows secure sharing of user attributes between identity providers and service providers across security domains. The document also summarizes Unicon's consulting services for implementing and customizing CAS and Shibboleth identity solutions.
Identity Management Overview: CAS and Shibboleth
1. Identity Management Overview
CAS and Shibboleth
Andrew Petro, Unicon
John Lewis, Unicon
Adam Dolby, VASCO
15 December 2009
Copyright Unicon, Inc., 2009. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution NonCommercial Share Alike
3.0 United States License.
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Some content drawn from prior presentations at Jasig conferences.
2. About Unicon
IT Consulting Services for Education, Specializing in Open Source
IT Consulting Services
• Technology Delivery and Support
• Systems Integration
• Software Engineering
Open Source Technology Solutions
• Enterprise Portal
• Identity Management
• Learning Management
• Email and Collaboration
For more information about Unicon, please visit: http://www.unicon.net
Contact us at: 480-558-2400 or info@unicon.net
3. Jasig CAS in 15 Minutes
Andrew Petro
Unicon, Inc.
See also
http://www.unicon.net/blog/3/ten_minute_cas_intro
4. What is CAS?
open source
single sign on
for the Web
16. Provided Authentication Handlers
• LDAP
– Fast bind
– Search and bind
• Active Directory
– LDAP
– Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
17. What About Portals?
Need to go get interesting content from different systems.
• E-mail
• Calendar
• E-Learning
• Student Information System
18. Password Replay
[Diagram: the portal holds the user's password (PW) and replays it over a channel to each password-protected service.]
19. Look Ma, No Password!
• Without a password to replay, how am I going to authenticate my portal to other applications?
20. “Proxy” CAS
• Some Web applications “proxy” authentication to backing services on behalf of the user
• “Proxied” applications/services may themselves proxy authentication to others
• CAS authenticates both the end user and the proxy
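The flow behind slides 18 to 20, as an added example that is not code from this deck or from the Jasig CAS project: a CAS server, a proxying portal and a backing calendar service run in one process. The portal never holds the user's password, only tickets that CAS issued and can validate, so there is nothing to replay; the proxied service sees the proxy chain and decides which proxies it trusts. Ticket formats, the in-process PGT hand-off (real CAS delivers the PGT to the proxy's pgtUrl over HTTPS) and the service names are assumptions.

```python
"""Simulation of the CAS proxy-ticket flow (slides 18 to 20).

Added illustration, not code from this deck or from the Jasig CAS project.
Ticket formats and the in-process PGT hand-off are simplifications of the
real protocol; service URLs are assumed names.
"""
import secrets
import time


class CasServer:
    TICKET_TTL = 10  # seconds a service/proxy ticket stays valid (assumed value)

    def __init__(self, users):
        self._users = users   # username -> password (constructed sample data)
        self._tgts = {}       # TGT -> username: the user's browser SSO session
        self._sts = {}        # ST/PT -> (service, username, proxy chain, issued_at)
        self._pgts = {}       # PGT -> (username, proxy chain)

    def login(self, username, password, service):
        """Primary authentication: the only place the password is ever checked."""
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt, self._issue_ticket(service, username, proxies=())

    def _issue_ticket(self, service, username, proxies):
        ticket = ("PT-" if proxies else "ST-") + secrets.token_urlsafe(16)
        self._sts[ticket] = (service, username, proxies, time.time())
        return ticket

    def service_validate(self, ticket, service, pgt_url=None):
        """Validate an ST or PT: single use, bound to one service, short-lived.
        A caller that supplies a pgt_url also receives a proxy-granting ticket."""
        entry = self._sts.pop(ticket, None)   # pop: a replayed ticket fails here
        if entry is None:
            raise PermissionError("unknown or already used ticket")
        bound_service, username, proxies, issued = entry
        if bound_service != service or time.time() - issued > self.TICKET_TTL:
            raise PermissionError("ticket not valid for this service")
        pgt = None
        if pgt_url:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self._pgts[pgt] = (username, (pgt_url,) + proxies)
        return {"user": username, "proxies": list(proxies), "pgt": pgt}

    def proxy(self, pgt, target_service):
        """Exchange a PGT for a proxy ticket usable once at target_service."""
        if pgt not in self._pgts:
            raise PermissionError("unknown PGT")
        username, proxies = self._pgts[pgt]
        return self._issue_ticket(target_service, username, proxies)


class CalendarService:
    """A proxied service: it sees the proxy chain and decides whom to trust."""
    URL = "https://calendar.example.edu/"   # assumed name

    def __init__(self, cas, trusted_proxies):
        self.cas = cas
        self.trusted_proxies = trusted_proxies

    def handle(self, proxy_ticket):
        info = self.cas.service_validate(proxy_ticket, self.URL)
        if not info["proxies"] or info["proxies"][0] not in self.trusted_proxies:
            raise PermissionError("untrusted proxy chain")
        return f"calendar for {info['user']}"


class Portal:
    """The proxying application: authenticates to CAS, then to services for the user."""
    URL = "https://portal.example.edu/"                      # assumed name
    PGT_CALLBACK = "https://portal.example.edu/pgtCallback"  # assumed pgtUrl

    def __init__(self, cas):
        self.cas = cas
        self.pgts = {}   # username -> PGT, the portal's only credential for the user

    def handle_login(self, service_ticket):
        info = self.cas.service_validate(service_ticket, self.URL, pgt_url=self.PGT_CALLBACK)
        self.pgts[info["user"]] = info["pgt"]
        return info["user"]

    def fetch_calendar(self, user, calendar):
        pt = self.cas.proxy(self.pgts[user], calendar.URL)
        return calendar.handle(pt)


def demo(trust_portal=True):
    """Run the flow; returns (user, calendar page or None, whether the ST replayed)."""
    cas = CasServer({"alice": "correct horse"})    # constructed credentials
    portal = Portal(cas)
    calendar = CalendarService(cas, {Portal.PGT_CALLBACK} if trust_portal else set())
    _tgt, st = cas.login("alice", "correct horse", Portal.URL)  # the browser's step
    user = portal.handle_login(st)
    try:
        page = portal.fetch_calendar(user, calendar)
    except PermissionError:
        page = None
    try:
        cas.service_validate(st, Portal.URL)   # second use of the same ST
        replayed = True
    except PermissionError:
        replayed = False
    return user, page, replayed
```

`demo()` yields the user's calendar and shows the service ticket cannot be validated twice; `demo(trust_portal=False)` shows a proxied service refusing a proxy chain it does not trust, which is the check every proxied service must perform.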
21. CAS – More than Authentication
• Return attributes of logged on users
• Adding support for standards
– OpenID
– SAML
• Single Sign-Out
• RESTful API
• Support for clustering
• Services management
• Remember me (long-term SSO)
23. Unicon Services for CAS
• Implementation Planning
• Branding and User Experience
• Installation and Configuration
• Custom Development
• Consulting and Mentoring
• CASification of uPortal, Sakai, and other applications
• Upgrades
For more information, please visit
http://www.unicon.net/services/cas
24. Questions?
Andrew Petro
apetro@unicon.net
www.unicon.net
26. Shibboleth
Enterprise federated identity software
− Based on standards (principally SAML)
− Extensive architectural work to integrate with existing systems
− Designed for deployment by communities
Most widely used in education, government
Broadly adopted in Europe
2.0 release implements SAML 2
− Backward compatible with 1.3
27. Shibboleth Project
Free & Open Source
− Apache 2.0 license
Enterprise and Federation oriented
Started 2000 with first released code in 2003
Excellent community support
− http://shibboleth.internet2.edu
− shibboleth-announce@internet2.edu
28. Why Federated Identity?
Authoritative information
− Users, privileges, attributes
Improved security
− Fewer user accounts in the world
Privacy when needed
− Fine control over attribute sharing
Saves time & money
− Less work administering users
29. What Is SAML?
Security Assertion Markup Language (SAML)
XML-based Open Standard
Exchange authentication and authorization data between security domains
− Identity Provider (a producer of assertions)
− Service Provider (a consumer of assertions)
Approved by OASIS Security Services
− SAML 1.0 November 2002
− SAML 2.0 March 2005
30. Major SAML Applications
Proquest
Microsoft DreamSpark
Project MUSE
Moodle, Joomla, Drupal
Thomson Gale
JSTOR, ArtSTOR, OCLC
Elsevier ScienceDirect
Blackboard & WebCT
Google Apps
WebAssign & TurnItIn
ExLibris MetaLib
MediaWiki / Confluence
Sakai & Moodle
uPortal
National Institutes of Health
DSpace, Fedora
National Digital Science Library
Ovid
31. How Federated Identity Works
A user tries to access a protected application
The user tells the application where it’s from
The user logs in at home
Home tells the application about the user
The user is rejected or accepted
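The five steps above, together with the producer/consumer roles from the SAML slide, as an added example that is not code from this deck or from Shibboleth: an Identity Provider signs an assertion about the user and a Service Provider decides to accept or reject it. SAML XML and XML-DSig are replaced by a JSON assertion signed with HMAC-SHA256 over a shared key, which stands in for the IdP certificate a federation publishes in its metadata; the entity ids, the attribute released and the sample credentials are all constructed. The checks the SP performs (signature, known issuer, audience, InResponseTo, validity window, one-time use) are the ones a real SP must make.

```python
"""Federated login (slides 29 and 31): IdP produces an assertion, SP consumes it.

Added illustration, not code from this deck or from Shibboleth. HMAC over a
shared key replaces XML-DSig with the IdP's certificate; entity ids and
credentials are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    def __init__(self, entity_id, key, users):
        self.entity_id = entity_id
        self._key = key
        self._users = users   # username -> password (constructed sample data)

    def authenticate(self, username, password, request):
        """Step 3: the user logs in at home. Step 4: home tells the SP about the user."""
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        assertion = {
            "id": "_" + secrets.token_hex(8),
            "issuer": self.entity_id,
            "audience": request["sp"],              # only this SP may accept it
            "in_response_to": request["id"],       # ties it to the SP's own request
            "not_on_or_after": int(time.time()) + 300,
            "subject": username,
            "attributes": {"eduPersonAffiliation": "member"},  # released attributes
        }
        payload = json.dumps(assertion, sort_keys=True).encode()
        return {"payload": payload,
                "signature": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}


class ServiceProvider:
    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self._trusted = trusted_idps   # IdP entity id -> key: the federation metadata
        self._pending = {}             # outstanding request id -> IdP it was sent to
        self._seen = set()             # assertion ids already consumed

    def start_login(self, home_idp):
        """Steps 1 and 2: the user wants a protected page and names its home IdP."""
        if home_idp not in self._trusted:
            raise PermissionError("IdP not in federation metadata")
        request = {"id": "_" + secrets.token_hex(8), "sp": self.entity_id, "idp": home_idp}
        self._pending[request["id"]] = home_idp
        return request

    def consume(self, response):
        """Step 5: accept (return the assertion) or reject (return None)."""
        try:
            assertion = json.loads(response["payload"])
        except (KeyError, ValueError):
            return None
        key = self._trusted.get(assertion.get("issuer"))
        if key is None:
            return None                                  # unknown issuer
        expected = hmac.new(key, response["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("signature", "")):
            return None                                  # forged or tampered
        if assertion["id"] in self._seen:
            return None                                  # replay
        if assertion.get("audience") != self.entity_id:
            return None                                  # meant for another SP
        if self._pending.pop(assertion.get("in_response_to"), None) != assertion["issuer"]:
            return None                                  # unsolicited or wrong IdP
        if time.time() >= assertion.get("not_on_or_after", 0):
            return None                                  # expired
        self._seen.add(assertion["id"])
        return assertion


def demo():
    key = secrets.token_bytes(32)   # constructed; in practice an X.509 key pair
    idp = IdentityProvider("https://idp.example.edu/idp/shibboleth", key,
                           {"alice": "correct horse"})
    sp = ServiceProvider("https://library.example.org/shibboleth", {idp.entity_id: key})
    request = sp.start_login(idp.entity_id)
    response = idp.authenticate("alice", "correct horse", request)
    accepted = sp.consume(response)
    replay = sp.consume(response)            # same assertion presented a second time
    tampered = dict(response, payload=response["payload"].replace(b'"member"', b'"faculty"'))
    tamper = sp.consume(tampered)            # attribute edited after signing
    return {
        "user": accepted["subject"] if accepted else None,
        "affiliation": accepted["attributes"]["eduPersonAffiliation"] if accepted else None,
        "replay_rejected": replay is None,
        "tamper_rejected": tamper is None,
    }
```

The SP accepts only an assertion it solicited, from an IdP in its metadata, addressed to itself and still within its validity window; presenting the same assertion again or editing a released attribute after signing is rejected.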
33. Role of a Federation
Agreed upon Attribute Definitions
− Group, Role, Unique Identifier, Courses, …
Criteria for IdM & IdP practices
− user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
Digital Certificates
Trusted “notary” for all members
Not needed for Federated IdM, but does make things even easier
34. InCommon Federation
Federation for U.S. Higher Education & Research (and Partners)
Over Three Million Users
163 Organizations
Self-organizing & Heterogeneous
Policy Entrance bar intentionally set low
Doesn’t impose lots of rules and standards
http://www.incommonfederation.org/
35. Questions?
John Lewis
jlewis@unicon.net
www.unicon.net