CUWebAuth Technical Presentation
Pete Bosanko
Identity Management Team
Introduction
Apache and IIS Web servers
Authentication using Cornell NetID
Authorization
Introduction (cont.)
Website Authentication
SideCar
WebAuth (CUWebLogin)
Proxy (uportal)
Website Authorization
Permit Server
NetID
Valid User
Introduction (cont.)
Apache
Solaris, AIX, Linux, Mac OS, FreeBSD, Windows, Yellow Dog
Apache module
Integrated configuration and logging
IIS
Windows 2000 & 2003
ISAPI Filter
Integrated configuration
Getting Started
Download CUWebAuth
http://identity.cit.cornell.edu
Read release notes & documentation
Request a srvtab and register your server
http://identity.cit.cornell.edu
Install CUWebAuth
Basic CUWebAuth configuration
Configure restricted pages
CUWebAuth System
[Diagram: the hosts in the CUWebAuth system and the protocols on the links between them]
Login server: cuweblogin.cit.cornell.edu (9.10.11.12, web-agent.cuweblogin), running cuweblogind and cuweblogin.cgi, with the Registration Server
Back-end servers: permit1.cit.cornell.edu, kerberos.cit.cornell.edu
Application Web Server: foo.cit.cornell.edu (5.6.7.8, web-agent.foo), httpd (Apache, IIS) with the CUWebAuth web server plugin and SideCar
End user: enduser.some.domain (1.2.3.4), Browser
Link protocols: Kerberos v4, CUSSP, HTTP, HTTP via SSL
CUWebAuth Access Stages
Authentication
Verify site cookie
Try SideCar
Possibly redirect to cuweblogin.cit.cornell.edu
Authorization
Check valid NetID
Possibly send message to Permit server to verify
Allow or deny access to restricted resource
CUWebLogin
User goes to protected URL
CUWebAuth redirects to cuweblogin.cit.cornell.edu
User logs in
cuweblogin session cookie issued (cornell.edu, one-time use)
cuweblogin redirects to original URL
CUWebAuth verifies cuweblogin cookie, destroys cookie
CUWebAuth session cookie issued
Web page access granted
How CUWebLogin works
CUWebLogin - Server
Web Server - CUWebAuth
CUWebLogin Processes
[Diagram: message sequence between the Browser (enduser.some.domain, 1.2.3.4), the Application Web Server foo.cit.cornell.edu (5.6.7.8, web-agent.foo; httpd (Apache, IIS) with the CUWebAuth web server plugin) and the login server cuweblogin.cit.cornell.edu (9.10.11.12, web-agent.cuweblogin; cuweblogind, cuweblogin.cgi, Registration Server)]
1. Browser to foo: http://foo/restricted
2. CUWebAuth to login server: cuwlRequest[clientIP]
3. Login server to CUWebAuth: OK, pendNNN
4. foo to Browser: Redir: http://cuweblogin?sessID=pendNNN, origURL=foo/restricted
5. Browser to login server: http://cuweblogin?sessID=pendNNN, origURL=foo/restricted
6. Login server to Browser: WebLogin Page
7. Browser to login server: SUBMIT (NetID, Password)
8. Login server to Browser: COOKIE(cuwl), Redir: http://foo/restricted
9. Browser to foo: http://foo/restricted COOKIE(cuwl)
10. CUWebAuth to login server: cuwlVerify[clientIP, COOKIE(cuwl)]
11. Login server to CUWebAuth: OK, NetID
12. foo to Browser: Serve Page, COOKIE(foo)
CUWebAuth After Login
User goes to protected URL
CUWebAuth decrypts and verifies CUWebAuth cookie
Web page access granted
[Diagram: Browser (enduser.some.domain, 1.2.3.4) and the Application Web Server foo.cit.cornell.edu (5.6.7.8, web-agent.foo; httpd (Apache, IIS) with the CUWebAuth web server plugin)]
1. Browser to foo: http://foo/restricted, COOKIE(foo)
2. foo to Browser: Serve Page
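The CUWebLogin exchange (steps 1 to 12) and the later "CUWebAuth After Login" check, written out as an added, runnable model; this is illustration code, not CUWebAuth's own implementation. The message names follow the slide diagram, but everything else is an assumption made for the demo: the NetID pb12 and its password, the site key, the site cookie layout (NetID, expiry, HMAC) and the fact that the site cookie is signed rather than encrypted as the real plugin's is.

```python
"""Toy model of the CUWebLogin exchange (added example, not CUWebAuth code).
Message names follow the slide diagram; the cookie format, the HMAC signing
(the real plugin decrypts its cookie) and the password check are assumptions."""
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


class LoginServer:
    """Models cuweblogin: pending logins, one-time cuwl cookies, cuwlVerify."""

    def __init__(self):
        self._pending = {}   # sessID -> client IP that started the login
        self._issued = {}    # one-time cuwl cookie -> (NetID, client IP)
        self._counter = 0

    def cuwl_request(self, client_ip):
        """Steps 2-3: register a pending login and hand back pendNNN."""
        self._counter += 1
        sess_id = f"pend{self._counter:03d}"
        self._pending[sess_id] = client_ip
        return sess_id

    def login(self, sess_id, client_ip, netid, password, credentials):
        """Steps 5-8: check the credentials, issue a one-time cuwl cookie."""
        if self._pending.pop(sess_id, None) != client_ip:
            return None
        if credentials.get(netid) != password:   # stands in for Kerberos
            return None
        cuwl = secrets.token_urlsafe(16)
        self._issued[cuwl] = (netid, client_ip)
        return cuwl

    def cuwl_verify(self, client_ip, cuwl):
        """Steps 10-11: map the cookie to a NetID; first use consumes it."""
        entry = self._issued.pop(cuwl, None)
        if entry is None or entry[1] != client_ip:
            return None
        return entry[0]


class AppServer:
    """Models the CUWebAuth plugin on foo.cit.cornell.edu."""

    def __init__(self, login_server, site_key, lifetime=3600):
        self.login = login_server
        self.key = site_key          # constructed per-site secret
        self.lifetime = lifetime     # site cookie lifetime in seconds

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_site_cookie(self, netid, now):
        """COOKIE(foo): NetID and expiry, authenticated with the site key."""
        payload = f"{netid}|{int(now) + self.lifetime}"
        return payload + "|" + self._sign(payload)

    def verify_site_cookie(self, cookie, now):
        """NetID for a genuine, unexpired site cookie, else None."""
        try:
            netid, expiry, mac = cookie.split("|")
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._sign(f"{netid}|{expiry}")):
            return None
        return netid if int(expiry) > now else None

    def handle(self, url, client_ip, cookies, now):
        """One request -> (status, page owner or redirect target, cookie to set)."""
        netid = self.verify_site_cookie(cookies.get("foo", ""), now)
        if netid:                                   # 'After Login' slide
            return ("200", netid, None)
        cuwl = cookies.get("cuwl")
        if cuwl:                                    # steps 9-12
            netid = self.login.cuwl_verify(client_ip, cuwl)
            if netid:
                return ("200", netid, self.issue_site_cookie(netid, now))
        sess_id = self.login.cuwl_request(client_ip)   # steps 2-3
        query = urlencode({"sessID": sess_id, "origURL": url})
        return ("302", "https://cuweblogin.cit.cornell.edu/?" + query, None)


def run_flow():
    """Walk the twelve steps once; then show cuwl and an expired cookie fail."""
    login = LoginServer()
    app = AppServer(login, site_key=b"constructed-demo-key")
    creds = {"pb12": "hunter2"}                     # constructed NetID/password
    ip, url = "1.2.3.4", "http://foo/restricted"
    status1, target, _ = app.handle(url, ip, {}, now=1000)       # steps 1-4
    sess_id = target.split("sessID=")[1].split("&")[0]
    cuwl = login.login(sess_id, ip, "pb12", "hunter2", creds)    # steps 5-8
    status2, netid, site = app.handle(url, ip, {"cuwl": cuwl}, now=1001)
    status3, netid3, _ = app.handle(url, ip, {"foo": site}, now=1002)
    replay = login.cuwl_verify(ip, cuwl)            # cuwl presented again
    expired = app.handle(url, ip, {"foo": site}, now=1001 + 3600)[0]
    return (status1, status2, netid, status3, netid3, replay, expired)
```

Calling run_flow() returns ("302", "200", "pb12", "200", "pb12", None, "302"): the first visit is redirected to the login server, the cuwl cookie is exchanged once for a site cookie, the site cookie alone then grants access, the second cuwlVerify of the same cuwl cookie fails because it was destroyed on first use, and a site cookie past its lifetime sends the user back through login.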
Single Sign-On
curelogin cookie (cuweblogin.cit.cornell.edu)
User logs in once, keeps browser open
Can move between sites without logging in again
Single Sign-On
[Diagram: the same message sequence as the CUWebLogin Processes diagram, between the Browser (enduser.some.domain, 1.2.3.4), the Application Web Server foo.cit.cornell.edu (5.6.7.8, web-agent.foo; httpd (Apache, IIS) with the CUWebAuth web server plugin) and the login server cuweblogin.cit.cornell.edu (9.10.11.12, web-agent.cuweblogin; cuweblogind, cuweblogin.cgi, Registration Server); the browser now also presents its curelogin cookie to the login server]
1. Browser to foo: http://foo/restricted
2. CUWebAuth to login server: cuwlRequest[clientIP]
3. Login server to CUWebAuth: OK, pendNNN
4. foo to Browser: Redir: http://cuweblogin?sessID=pendNNN, origURL=foo/restricted
5. Browser to login server: http://cuweblogin?sessID=pendNNN, origURL=foo/restricted, COOKIE(curelogin)
6. Login server to Browser: WebLogin Page
7. Browser to login server: SUBMIT
8. Login server to Browser: COOKIE(cuwl), Redir: http://foo/restricted
9. Browser to foo: http://foo/restricted COOKIE(cuwl)
10. CUWebAuth to login server: cuwlVerify[clientIP, COOKIE(cuwl)]
11. Login server to CUWebAuth: OK, NetID
12. foo to Browser: Serve Page, COOKIE(foo)
POST Data
CUWebAuth uses hidden fields
Click to Proceed page
POST data carried via hidden fields at cuweblogin.cit.cornell.edu
Works best with SSL
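An added example of the "Click to Proceed" page the slide describes: the user's original POST body is carried across the login redirect as hidden form fields and re-submitted with one click. This is illustration code, not CUWebAuth's own; the page layout, the action URL and the sample fields are constructed for the demo. It shows the two things a practitioner wants from such a page: every field name and value is HTML-escaped so user-supplied POST data cannot inject markup, and the page refuses a plain-http action because the saved body would otherwise travel in the clear (the "works best with SSL" point).

```python
"""'Click to Proceed' page that carries saved POST data in hidden fields
(added example, not CUWebAuth code).  The page layout and the field list are
constructed for the demo."""
import html
from html.parser import HTMLParser


def proceed_page(action_url, fields, require_tls=True):
    """Build the form that re-submits the saved POST data to action_url.

    Names and values are HTML-escaped so user-supplied POST data cannot break
    out of its hidden input and inject markup into the page."""
    if require_tls and not action_url.startswith("https://"):
        raise ValueError("saved POST data should only be replayed over SSL")
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in fields)
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        f'<form method="post" action="{html.escape(action_url, quote=True)}">\n'
        f"{inputs}\n"
        '    <input type="submit" value="Click to Proceed">\n'
        "</form>\n</body></html>\n")


class _HiddenFieldParser(HTMLParser):
    """Collects (name, value) of hidden inputs, as a browser would submit them."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields.append((a.get("name", ""), a.get("value", "")))


def extract_hidden_fields(page):
    """Parse the page back to confirm the POST data survives the round trip."""
    p = _HiddenFieldParser()
    p.feed(page)
    return p.fields


SAMPLE_FIELDS = [                       # constructed POST body from the user
    ("comment", '"><script>alert(1)</script>'),
    ("amount", "42"),
]
```

proceed_page("https://foo.cit.cornell.edu/submit", SAMPLE_FIELDS) yields a page whose hidden inputs parse back to exactly SAMPLE_FIELDS while the literal `<script>` never appears in the markup; the same call with an http:// action raises ValueError.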
IIS Performance
CUWebAuth Major Issues
SideCar vulnerabilities
Helpdesk handles WebSite issues
Closing browser = logout
Stale ticket cache
Multiple address registrations for clusters
URL truncation issue
Need self-service for srvtab and CUWebAuth registration
CUWebAuth Vulnerabilities
Site Cookie Replay (non-SSL)
Use of require valid-user
SideCar issues
Keeping up-to-date on CUWA releases
srvtab file needs to have access restricted
IIS – keep up on latest patches
Website security best practices
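An added, defender-side example for the "Site Cookie Replay (non-SSL)" item: detection logic run over web server log lines. It is not CUWebAuth code, and the log format and the five sample lines are constructed for the demo (the cookie column stands for a hash of the site cookie, never the cookie itself). It flags a site cookie accepted from two different client addresses in quick succession and lists the requests where the cookie travelled over plain HTTP, which is the exposure SSL removes.

```python
"""Replay signals for CUWebAuth site cookies in web server logs (added
example, not CUWebAuth code).  The log format below is constructed for the
demo; a real deployment would adapt parse_log to its own access log."""
import re
from collections import defaultdict

# Constructed format: client-ip netid [unix-time] "GET url" status cookie=<id>
# The cookie column would hold a hash of the site cookie, never the cookie itself.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<netid>\S+) \[(?P<ts>\d+)\] "GET (?P<url>\S+)" '
    r'(?P<status>\d{3}) cookie=(?P<cookie>\S+)$')

SAMPLE_LOG = """\
1.2.3.4 pb12 [1000] "GET http://foo.cit.cornell.edu/restricted" 200 cookie=c0ffee
1.2.3.4 pb12 [1010] "GET http://foo.cit.cornell.edu/restricted/page2" 200 cookie=c0ffee
5.5.5.5 pb12 [1020] "GET http://foo.cit.cornell.edu/restricted" 200 cookie=c0ffee
9.9.9.9 jd44 [1030] "GET https://foo.cit.cornell.edu/restricted" 200 cookie=deadbe
9.9.9.9 jd44 [1040] "GET https://foo.cit.cornell.edu/restricted" 200 cookie=deadbe
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            records.append(rec)
    return records


def find_cookie_reuse(records, window=600):
    """Site cookies accepted from more than one client address within `window`
    seconds of each other.  A changing address can be legitimate (NAT, roaming),
    so this is a signal to review, not proof of replay."""
    by_cookie = defaultdict(list)
    for r in records:
        if r["status"] == "200":
            by_cookie[r["cookie"]].append((r["ts"], r["ip"]))
    flagged = {}
    for cookie, uses in by_cookie.items():
        uses.sort()
        for (t1, ip1), (t2, ip2) in zip(uses, uses[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.setdefault(cookie, set()).update({ip1, ip2})
    return {c: sorted(ips) for c, ips in flagged.items()}


def plaintext_cookie_requests(records):
    """Requests that carried the site cookie over plain HTTP: the exposure
    behind the 'Site Cookie Replay (non-SSL)' item, removed by serving the
    restricted area only over SSL."""
    return [r for r in records if r["url"].startswith("http://")]
```

On SAMPLE_LOG, find_cookie_reuse flags c0ffee as used from 1.2.3.4 and 5.5.5.5 within ten seconds, while deadbe (one address, over https) is not flagged; plaintext_cookie_requests returns the three http:// requests. The window keeps an address change hours apart from being reported as replay.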
Roadmap
Moving toward open-source (ongoing)
Interim Release 1.3.x? ... Spring '06
Support for Apache 2.2
Bug Fixes
Kerberos 5 Release 1.4 ... Summer '06
K5 Only
Addresses major issues
Grouper/Signet ... Spring '07
Help
Web: http://identity.cit.cornell.edu
Get a srvtab
Download CUWebAuth
Lookup CUSSP error codes
Manage Permits
E-mail: [email protected]
Get help
Report a bug
Feature requests
CUWebAuth
Questions / Comments