CUWebAuth and CUWebLogin 2.0
Identity Management Team
Campus Developers Meeting
June 4, 2008

K5 Migration Project
[Timeline figure covering 2008 and 2009; phases labelled Testing, Discretionary migration window, and Buffer]

Documentation
- https://confluence.cornell.edu/display/CUWAL/Cornell%27s+CUWebLogin+Pages
- https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0

What's New in 2.0
- Kerberos 5 only
- Open-source
- GSSAPI
- Better Security
- Better Performance
- Simplified Administration
- Flexible Authorization Model
- New POST Data Handling
- Better Support

Changes for Kerberos 5
- Keytabs not Srvtabs
- ServiceID Self-Service Application
  - Create your own keytabs
  - Create your own ServiceID
  - Delegate authority
- No More SideCar
- No More Legacy CUSSP Library

Open System
- Documented Standards-based APIs
- Full Source Code Available
  - Localize
  - Porting
  - Customization
- Custom Tools
  - Credential Creation & Parsing
  - PermitG / Grouper lookup

GSSAPI
- IETF - RFC 2743
- C Bindings
- Java Bindings
- Wide OS Acceptance

Better Security
- CUWebLogin - Kerberos Proxy
- No Credential Minting
- Better MITM Attack Prevention

Performance
- CUWebLogin 1.0
  - 20 logins/sec per server
  - Single Server
- CUWebLogin 2.0
  - 200+ logins/sec per server
  - Load Balanced
  - 4 Servers

WebAuth Administration
- Fewer Directives
  - 26 Directives Obsolete
  - 5-6 New Ones
- Better Logging
- Fine Grained
  - .htaccess
  - VirtualHost Security Domain

Flexible Authorization (Active Content)
- New Directives, more than remote-user…
- Allow anonymous access
- List group permissions
  - Pass cuwa-groups to application
- How long ago did user login?
  - Inspect cuwa-auth-time
- Pass cuwa-delegated-cred to application
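The slide lists what the module hands to active content (the user, cuwa-groups, cuwa-auth-time) but not what an application does with it. The following is an added example, not Cornell's code and not part of the CUWebAuth distribution: an application-side check that grants a sensitive action only to a member of a required group whose login is recent enough. The variable names CUWA_GROUPS and CUWA_AUTH_TIME, the comma-separated group encoding and the epoch-seconds time encoding are all assumptions made for the example; the slide only names the values cuwa-groups and cuwa-auth-time.

```python
import time

# Assumed names and encodings (not documented on the slide): the slide names the
# values cuwa-groups and cuwa-auth-time; this example assumes they reach a CGI/WSGI
# application as the environment variables CUWA_GROUPS (comma-separated group
# names) and CUWA_AUTH_TIME (Unix epoch seconds of the user's login).
GROUPS_VAR = "CUWA_GROUPS"
AUTH_TIME_VAR = "CUWA_AUTH_TIME"

# Sensitive actions require a login newer than this; older ones must re-authenticate.
MAX_AUTH_AGE_SECONDS = 15 * 60


def parse_groups(raw):
    """Split the comma-separated group list, ignoring blanks and surrounding whitespace."""
    if not raw:
        return frozenset()
    return frozenset(g.strip() for g in raw.split(",") if g.strip())


def parse_auth_time(raw):
    """Return the login time as an int epoch, or None when absent or malformed."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def authorize(environ, required_group, now=None, max_age=MAX_AUTH_AGE_SECONDS):
    """Decide whether a sensitive action may proceed for this request.

    Returns "allow", "deny-anonymous", "deny-group" or "deny-stale".
    Fails closed: a missing or malformed value always denies.
    """
    now = time.time() if now is None else now
    user = environ.get("REMOTE_USER")
    if not user:
        # The page itself may allow anonymous access; this action does not.
        return "deny-anonymous"
    groups = parse_groups(environ.get(GROUPS_VAR))
    if required_group not in groups:
        return "deny-group"
    auth_time = parse_auth_time(environ.get(AUTH_TIME_VAR))
    # Deny when the value is malformed, older than max_age, or implausibly in the
    # future (a small clock-skew allowance of 60 seconds is tolerated).
    if auth_time is None or now - auth_time > max_age or auth_time > now + 60:
        return "deny-stale"
    return "allow"


# Constructed sample request environment, the shape a CGI/WSGI application would see.
SAMPLE_ENV = {
    "REMOTE_USER": "abc123",
    "CUWA_GROUPS": "cit-staff, payroll-admins",
    "CUWA_AUTH_TIME": "1212580800",  # constructed epoch value
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ENV, "payroll-admins", now=1212580800 + 300))   # allow
    print(authorize(SAMPLE_ENV, "payroll-admins", now=1212580800 + 3600))  # deny-stale
```

The check is deliberately split into three distinct outcomes so the application can respond appropriately: redirect to login for an anonymous request, return a plain forbidden for a group mismatch, and force re-authentication for a stale login rather than silently refusing.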

POST Data
- No More "Click to Continue"
- POST Data Handled By WebAuth
- Request Data Stays at Website
- Can Handle Larger POSTs
- Same Support Apache / IIS

Better Support
- Apache and IIS: One Code Base
  - 64-bit clean
  - Thread safe
  - No Name Collisions
  - Shared Library Compatibility (Unix)
- Problem with Binary? Rebuild It!
- Short List of Binaries
  - RedHat, Solaris, Windows
  - Apache 2.0, 2.2, IIS 6
- Wiki Documentation

Release Schedule
- Apache Go-Live: Now
- IIS Go-Live: one month-ish

Q&A
- Pete Bosanko [email protected]
- Tom Parker [email protected]
- [email protected]