CUWebAuth and CUWebLogin 2.0 Identity Management Team Campus Developers Meeting June 4, 2008
K5 Migration Project
[Timeline figure, December 2008 through 2009: Testing, Discretionary migration window, Buffer]

Documentation
  - https://confluence.cornell.edu/display/CUWAL/Cornell%27s+CUWebLogin+Pages
  - https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0

What's New in 2.0
  - Kerberos 5 only
  - Open-source
  - GSSAPI
  - Better Security
  - Better Performance
  - Simplified Administration
  - Flexible Authorization Model
  - New POST Data Handling
  - Better Support

Changes for Kerberos 5
  - Keytabs not Srvtabs
  - ServiceID
  - Self-Service Application
      - Create your own keytabs
      - Create your own ServiceID
      - Delegate authority
  - No More SideCar
  - No More Legacy CUSSP Library

Open System
  - Documented
  - Standards-based APIs
  - Full Source Code Available
      - Localize
      - Porting
      - Customization
  - Custom Tools
      - Credential Creation & Parsing
      - PermitG / Grouper lookup

GSSAPI
  - IETF - RFC 2743
  - C Bindings
  - Java Bindings
  - Wide OS Acceptance

Better Security
  - CUWebLogin - Kerberos Proxy
  - No Credential Minting
  - Better MITM Attack Prevention

Performance
  - CUWebLogin 1.0
      - 20 logins/sec per server
      - Single Server
  - CUWebLogin 2.0
      - 200+ logins/sec per server
      - Load Balanced 4 Servers

WebAuth Administration
  - Fewer Directives
      - 26 Directives Obsolete
      - 5-6 New Ones
  - Better Logging
  - Fine Grained
      - .htaccess
      - VirtualHost
      - Security Domain

Flexible Authorization (Active Content)
  - New Directives, more than remote-user…
  - Allow anonymous access
  - List group permissions
      - Pass cuwa-groups to application
  - How long ago did user login?
      - Inspect cuwa-auth-time
  - Pass cuwa-delegated-cred to application

POST Data
  - No More “Click to Continue”
  - POST Data Handled By WebAuth
  - Request Data Stays at Website
  - Can Handle Larger POSTs
  - Same Support Apache / IIS

Better Support
  - Apache and IIS – One Code Base
  - 64-bit clean
  - Thread safe
  - No Name Collisions
  - Shared Library Compatibility (Unix)
  - Problem with Binary? Rebuild It!
  - Short List of Binaries
      - RedHat, Solaris, Windows
      - Apache 2.0, 2.2, IIS 6
  - Wiki Documentation

Release Schedule
  - Apache Go-Live: Now
  - IIS Go-Live: one month-ish

Q&A
  - Pete Bosanko [email protected]
  - Tom Parker [email protected]
  - [email protected]