CUWebAuth Technical Presentation

Pete Bosanko
Identity Management Team
Introduction
• Apache and IIS Web servers
• Authentication using Cornell NetID
• Authorization
Introduction (cont.)
• Website Authentication
  - SideCar
  - WebAuth (CUWebLogin)
  - Proxy (uportal)
• Website Authorization
  - Permit Server
  - NetID
  - Valid User
Introduction (cont.)
• Apache
  - Solaris, AIX, Linux, Mac OS, FreeBSD, Windows, Yellow Dog
  - Apache module
  - Integrated configuration and logging
• IIS
  - Windows 2000 & 2003
  - ISAPI Filter
  - Integrated configuration
Getting Started
• Download CUWebAuth
  http://identity.cit.cornell.edu
• Read release notes & documentation
• Request a srvtab and register your server
  http://identity.cit.cornell.edu
• Install CUWebAuth
• Basic CUWebAuth configuration
• Configure restricted pages
CUWebAuth System
[Figure: CUWebAuth System. Hosts and components shown:
  - enduser.some.domain (1.2.3.4): Browser, SideCar; HTTP to the application web server
  - foo.cit.cornell.edu (5.6.7.8, web-agent.foo, Application Web Server): httpd (Apache, IIS) with the CUWebAuth web server plugin
  - cuweblogin.cit.cornell.edu (9.10.11.12, web-agent.cuweblogin): Registration Server, cuweblogind, cuweblogin.cgi
  - permit1.cit.cornell.edu (Permit Server)
  - kerberos.cit.cornell.edu
  Protocol labels on the links: HTTP, HTTP via SSL, CUSSP, Kerberos v4.]
CUWebAuth Access Stages
• Authentication
  - Verify site cookie
  - Try SideCar
  - Possibly redirect to cuweblogin.cit.cornell.edu
• Authorization
  - Check valid NetID
  - Possibly send message to Permit server to verify
• Allow or deny access to restricted resource
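The authorization stage above decides access from a NetID that the authentication stage has already established. The following is an added example, not CUWebAuth's own code: it evaluates Apache-style `require` lines against a NetID. `valid-user` and `user` are real Apache directive forms; the `permit` line, the `permit_server_check` helper and the `PERMITS` table are assumptions standing in for the message CUWebAuth sends to the Permit server. It also shows why the slides list "Use of require valid-user" under vulnerabilities: that line grants every NetID holder, not just the intended audience.

```python
"""Authorization stage of a CUWebAuth-style access check (added example).

'valid-user' and 'user' follow Apache's require syntax; 'permit' and the
PERMITS table are a stand-in for the Permit server lookup, not real syntax.
"""

# Constructed permit data: permit name -> NetIDs granted that permit
PERMITS = {"cit.payroll.viewers": {"abc123", "xyz789"}}


def permit_server_check(permit, netid):
    """Stand-in for the CUWebAuth -> Permit server verification message."""
    return netid in PERMITS.get(permit, set())


def authorize(netid, require_lines):
    """Return (allowed, reason). netid is None when authentication did not succeed.

    The first matching require line wins; with no match, access is denied.
    """
    if not netid:
        return False, "not authenticated"
    for line in require_lines:
        kind, *args = line.split()
        if kind == "valid-user":            # any authenticated NetID, i.e. all of Cornell
            return True, "valid-user"
        if kind == "user" and netid in args:
            return True, f"user {netid}"
        if kind == "permit" and any(permit_server_check(p, netid) for p in args):
            return True, "permit " + " ".join(args)
    return False, "no matching require line"


def compare_policies(netid):
    """Same NetID against the three policy styles: shows what valid-user gives away."""
    return {
        "valid-user": authorize(netid, ["valid-user"])[0],
        "user list": authorize(netid, ["user abc123 xyz789"])[0],
        "permit": authorize(netid, ["permit cit.payroll.viewers"])[0],
    }


if __name__ == "__main__":
    for who in ("abc123", "stranger"):
        print(who, compare_policies(who))
```

A NetID outside the intended group passes only the `valid-user` policy; a user list or a permit check denies it. Authentication failure is rejected before any require line is consulted.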
CUWebLogin
• User goes to protected URL
• CUWebAuth redirects to cuweblogin.cit.cornell.edu
• User logs in
• cuweblogin session cookie issued (cornell.edu, one time use)
• cuweblogin redirects to original URL
• CUWebAuth verifies cuweblogin cookie, destroys cookie
• CUWebAuth session cookie issued
• Web page access granted
How CUWebLogin works
CUWebLogin - Server
Web Server - CUWebAuth
CUWebLogin Processes
[Figure: message sequence between the Browser (enduser.some.domain, 1.2.3.4), the Application Web Server foo.cit.cornell.edu (5.6.7.8, web-agent.foo: httpd (Apache, IIS) with the CUWebAuth web server plugin) and cuweblogin.cit.cornell.edu (9.10.11.12, web-agent.cuweblogin: Registration Server, cuweblogind, cuweblogin.cgi):
  1. Browser -> foo: http://foo/restricted
  2. CUWebAuth -> cuweblogind: cuwlRequest[clientIP]
  3. cuweblogind -> CUWebAuth: OK, pendNNN
  4. foo -> Browser: Redir: http://cuweblogin?sessID=pendNNN, origURL=foo/restricted
  5. Browser -> cuweblogin.cgi: http://cuweblogin?sessID=pendNNN, origURL=foo/restricted
  6. cuweblogin.cgi -> Browser: WebLogin Page
  7. Browser -> cuweblogin.cgi: SUBMIT (NetID, Password)
  8. cuweblogin.cgi -> Browser: OK, Redir: http://foo/restricted, COOKIE(cuwl)
  9. Browser -> foo: http://foo/restricted, COOKIE(cuwl)
  10. CUWebAuth -> cuweblogind: cuwlVerify[clientIP, COOKIE(cuwlID)]
  11. cuweblogind -> CUWebAuth: OK, NetID
  12. foo -> Browser: Serve Page, COOKIE(foo)]
CUWebAuth After Login
• User goes to protected URL
• CUWebAuth decrypts and verifies CUWebAuth cookie
• Web page access granted
[Figure: Browser (enduser.some.domain, 1.2.3.4) and foo.cit.cornell.edu (5.6.7.8, web-agent.foo, Application Web Server: httpd (Apache, IIS) with the CUWebAuth web server plugin):
  1. Browser -> foo: http://foo/restricted, COOKIE(foo)
  2. foo -> Browser: Serve Page]
Single Sign-On
• curelogin cookie (cuweblogin.cit.cornell.edu)
• User logs in once, keeps browser open
• Can move between sites without repeating log in
Single Sign-On
[Figure: the same message sequence as the CUWebLogin Processes diagram (steps 1-12, same hosts: Browser at enduser.some.domain 1.2.3.4, foo.cit.cornell.edu 5.6.7.8 web-agent.foo, cuweblogin.cit.cornell.edu 9.10.11.12 web-agent.cuweblogin with Registration Server, cuweblogind and cuweblogin.cgi), with COOKIE(curelogin) from cuweblogin.cit.cornell.edu carried in the Browser's exchange with cuweblogin.cgi (steps 5-8), so a browser that already holds it does not go through the WebLogin page and SUBMIT (NetID, Password) again.]
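The redirect flow in the CUWebLogin slides (pending session, one-time cuwl cookie, site cookie) and the single sign-on slides (curelogin cookie at cuweblogin) can be exercised end to end in a small model. The following is an added example, not CUWebAuth's or cuweblogin's code: the message names (cuwlRequest, cuwlVerify, pendNNN, the cuwl and curelogin cookies) follow the diagrams, but the cookie contents, the HMAC-signed site cookie, the key values, the 8-hour site-cookie lifetime, the binding of a pending session to the client IP, and all function names are assumptions made here. It walks one browser through a password login at `foo`, a cookie-only revisit, an SSO login at a second site `bar`, and a replay of the already-consumed cuwl cookie.

```python
"""Toy model of the CUWebLogin redirect flow and single sign-on (added example).

Message names follow the slides; cookie formats, keys, lifetimes and the
client-IP binding of a pending session are assumptions of this model.
"""
import hashlib
import hmac
import secrets
import time

SITE_KEY = b"foo-site-key"           # assumed per-site secret for the site cookie
USERS = {"abc123": "correct horse"}  # constructed NetID -> password table


def sign(key, payload):
    """Site cookie = payload|HMAC: the web agent verifies it with no round trip."""
    return payload + "|" + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verify(key, cookie):
    """Return the payload if the MAC checks out, else None."""
    payload, _, mac = cookie.rpartition("|")
    good = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, good) else None


class CUWebLogin:
    """cuweblogind + cuweblogin.cgi on cuweblogin.cit.cornell.edu (modelled)."""

    def __init__(self):
        self.pending = {}   # sessID -> client IP that was redirected (steps 2-3)
        self.one_time = {}  # cuwl cookie -> (sessID, NetID); removed on first verify
        self.sso = {}       # curelogin cookie -> NetID
        self.n = 0

    def cuwl_request(self, client_ip):
        self.n += 1
        self.pending[f"pend{self.n:03d}"] = client_ip
        return f"pend{self.n:03d}"

    def login(self, sess, orig_url, cookies, netid=None, password=None):
        """Steps 5-8: a browser holding curelogin skips the WebLogin page;
        otherwise NetID/password are checked. Returns (redirect URL, cookies to set)."""
        if cookies.get("curelogin") in self.sso:
            user, to_set = self.sso[cookies["curelogin"]], {}
        elif netid in USERS and USERS[netid] == password:
            user, to_set = netid, {"curelogin": secrets.token_hex(8)}
            self.sso[to_set["curelogin"]] = user
        else:
            raise PermissionError("login required")
        cuwl = secrets.token_hex(8)              # cornell.edu-wide, one-time cookie
        self.one_time[cuwl] = (sess, user)
        to_set["cuwl"] = cuwl
        return orig_url, to_set

    def cuwl_verify(self, client_ip, cuwl):
        """Steps 10-11: redeem the cuwl cookie exactly once, for the IP that asked."""
        sess, user = self.one_time.pop(cuwl, (None, None))
        if sess is None or self.pending.pop(sess, None) != client_ip:
            return None
        return user


class CUWebAuth:
    """Web server plugin on the application server (modelled)."""

    def __init__(self, site, login_server):
        self.site, self.login_server = site, login_server

    def handle(self, url, client_ip, cookies):
        """Return ('page', NetID, cookies to set) or ('redirect', URL, {})."""
        site_cookie = cookies.get(self.site)
        if site_cookie and (payload := verify(SITE_KEY, site_cookie)):
            user, expires = payload.split(";")
            if time.time() < float(expires):
                return "page", user, {}
        cuwl = cookies.get("cuwl")
        if cuwl and (user := self.login_server.cuwl_verify(client_ip, cuwl)):
            cookie = sign(SITE_KEY, f"{user};{time.time() + 8 * 3600}")
            return "page", user, {self.site: cookie, "cuwl": None}  # None deletes cuwl
        sess = self.login_server.cuwl_request(client_ip)
        return "redirect", f"http://cuweblogin?sessID={sess}&origURL={url}", {}


def set_cookies(jar, to_set):
    """Constructed browser cookie jar update; a None value deletes the cookie."""
    for name, value in to_set.items():
        if value is None:
            jar.pop(name, None)
        else:
            jar[name] = value


def sess_id(redirect_url):
    return redirect_url.split("sessID=")[1].split("&")[0]


def walk_through():
    """One browser: password login at foo, SSO into bar, and a cuwl replay attempt."""
    srv = CUWebLogin()
    foo, bar = CUWebAuth("foo", srv), CUWebAuth("bar", srv)
    jar, ip, out = {}, "1.2.3.4", {}
    kind, url, _ = foo.handle("foo/restricted", ip, jar)                       # steps 1-4
    out["first_visit"] = kind
    orig, to_set = srv.login(sess_id(url), "foo/restricted", jar, "abc123", "correct horse")
    set_cookies(jar, to_set)
    cuwl = jar["cuwl"]
    kind, user, to_set = foo.handle(orig, ip, jar)                              # steps 9-12
    set_cookies(jar, to_set)
    out["after_login"] = (kind, user, "cuwl" in jar)
    out["cuwl_replay"] = srv.cuwl_verify("5.6.7.8", cuwl)     # already consumed: must fail
    out["revisit"] = foo.handle("foo/restricted", ip, jar)[:2]            # site cookie only
    kind, url, _ = bar.handle("bar/secret", ip, jar)
    orig, to_set = srv.login(sess_id(url), "bar/secret", jar)         # no password: curelogin
    set_cookies(jar, to_set)
    kind, user, to_set = bar.handle(orig, ip, jar)
    out["sso_bar"] = (kind, user)
    return out
```

The two properties worth checking are that the cuwl cookie is gone from the browser and unusable a second time once the site cookie has been issued, and that the second site is entered with no password because cuweblogin recognises the curelogin cookie. The site cookie itself travels with every request to `foo`, which is what the later "Site Cookie Replay (non-SSL)" item refers to: without SSL it can be captured in transit and presented by someone else for as long as it is valid.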
POST Data
• CUWebAuth uses hidden fields
• Click to Proceed page
• POST data carried via hidden fields @ cuweblogin.cit.cornell.edu
• Works best with SSL
• IIS Performance
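Carrying the original POST through the login redirect means the field values are written into a page at cuweblogin and submitted again from a "Click to Proceed" form. The following is an added example, not CUWebAuth's own page template: it builds such a form, reads it back the way a browser would, and checks that the data arrives at origURL unchanged while a hostile field value cannot break out of its hidden input. The function names, the markup, and the sample POST body are assumptions made here.

```python
"""Carrying POST data through the login redirect with hidden fields (added example).

The page markup, function names and the captured body are assumptions; the
check that matters is that every echoed value is HTML-escaped.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed POST body the browser sent to foo before being redirected;
# the third field is deliberately hostile.
CAPTURED_BODY = urlencode({
    "title": "Q3 report",
    "note": "a&b=c",
    "evil": '"><script>alert(1)</script>',
})


def capture_post(body):
    """Decode an application/x-www-form-urlencoded body, keeping blanks and order."""
    return parse_qsl(body, keep_blank_values=True)


def click_to_proceed_page(orig_url, fields):
    """Render the re-POST form. Names and values pass through html.escape(quote=True),
    so a value cannot close the value="..." attribute and inject markup."""
    if urlparse(orig_url).scheme not in ("http", "https"):
        raise ValueError("origURL must be an absolute http(s) URL")
    hidden = "\n".join(
        f'  <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in fields)
    return (f'<form method="POST" action="{html.escape(orig_url, quote=True)}">\n'
            f"{hidden}\n"
            '  <input type="submit" value="Click to Proceed">\n</form>')


class _FormReader(HTMLParser):
    """Stand-in for the browser: collects the hidden inputs it would submit."""

    def __init__(self):
        super().__init__()
        self.fields, self.action = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields.append((a.get("name", ""), a.get("value", "")))


def resubmit(page):
    """Parse the page as a browser would; return (action, fields, re-encoded body)."""
    reader = _FormReader()
    reader.feed(page)
    return reader.action, reader.fields, urlencode(reader.fields)


def round_trip(orig_url="https://foo.cit.cornell.edu/restricted", body=CAPTURED_BODY):
    """The POST data must reach origURL unchanged, and no raw <script> may survive."""
    fields = capture_post(body)
    page = click_to_proceed_page(orig_url, fields)
    action, got, resent_body = resubmit(page)
    return {
        "action": action,
        "fields_intact": got == fields,
        "body_intact": resent_body == body,
        "script_escaped": "<script>" not in page,
        # hidden fields, like the rest of the page, travel in the clear over plain HTTP
        "cleartext": urlparse(orig_url).scheme != "https",
    }


if __name__ == "__main__":
    print(click_to_proceed_page("https://foo.cit.cornell.edu/restricted", capture_post(CAPTURED_BODY)))
    print(round_trip())
```

The `cleartext` flag is the "Works best with SSL" point: the form, and therefore the user's original POST data, is served from cuweblogin and re-sent to origURL, so both legs need SSL for that data to stay private.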
CUWebAuth Major Issues
• SideCar vulnerabilities
• Helpdesk handles WebSite issues
• Closing browser = logout
• Stale ticket cache
• Multiple address registrations for clusters
• URL truncation issue
• Need self-service for srvtab and CUWebAuth registration
CUWebAuth Vulnerabilities
• Site Cookie Replay (non-SSL)
• Use of require valid-user
• SideCar issues
• Keeping up-to-date on CUWA releases
• srvtab file needs to have access restricted
• IIS: keep up on latest patches
• Website security best practices
Roadmap
• Moving toward open-source (ongoing)
• Interim Release 1.3.x? (Spring '06)
  - Support for Apache 2.2
  - Bug Fixes
• Kerberos 5 Release 1.4 (Summer '06)
  - K5 Only
  - Addresses major issues
• Grouper/Signet (Spring '07)
Help
• Web: http://identity.cit.cornell.edu
  - Get a srvtab
  - Download CUWebAuth
  - Lookup CUSSP error codes
  - Manage Permits
• E-mail: [email protected]
  - Get help
  - Report a bug
  - Feature requests
CUWebAuth
Questions / Comments