Abstract authentication
[Diagram: applications #1, #2 and #3 reached from a web browser, without SSO (each application authenticates the user itself against the user store: LDAP, NIS, database, NT, Active Directory, X509 certificates, ...) and with SSO (authentication is delegated to one server)]
Authentication is centralized
One (redundant) authentication server
N-tier installations
Without transmitting any password!
Permanence
Developed by Yale University
World-wide used (mainly Universities)
Adopted by all the French educational community
J2EE platform
Very light code (about 1000 lines)
[Diagram: applications #1, #2 and #3 reached from a web browser, without SSO (each application checks the netId / password against the user database itself) and with CAS (the netId / password is only sent to the authentication server, which checks it against the user database)]
User authentication
[Diagram: the web browser sends the netId and password to the CAS server over HTTPS; the CAS server checks them against the user database and returns a TGC (Ticket Granting Cookie) to the browser]
[Diagram: the browser, holding a TGC, is redirected to the CAS server, which issues an ST (Service Ticket) for the application; the browser passes the ST to the application over HTTPS, and the application validates the ST with the CAS server, which returns the user's ID]
[Diagram: authentication form. A browser without a TGC is shown the CAS server's authentication form, submits netId and password over HTTPS, receives a TGC, and is redirected to the application with an ST]
Remarks
Once a TGC is acquired, authentication is transparent for access to any CAS-ified application of the workspace
Once authenticated by an application, a session should be used between the browser and the application
CAS server authentication back-ends:
LDAP directory
database
NIS domain
X509 certificates
Kerberos domain
Windows NT domain
flat files
Use provided libraries
Add a few lines of code
Note: you can also protect static resources with mod_cas, an Apache module
N-tier installations
[Diagram: the application validates its ST with the CAS server and receives the user's ID together with a PGT (Proxy Granting Ticket); with the PGT it asks the CAS server for a PT for the tier service]
[Diagram: the application presents the PT to the tier service, which validates it with the CAS server and receives the user's ID]
PT : Proxy Ticket
Application's passport for a user to a tier service
Opaque and non-replayable ticket
Very limited validity
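The ticket exchange drawn in the user-authentication and N-tier diagrams, as an added example that is not part of the original slides: an in-memory model in which the CAS server is the only party that ever sees the password, an ST or PT is bound to one service, expires quickly and is refused on replay, and a PGT lets an application obtain a PT for a tier service. The endpoint names in the comments (/login, /serviceValidate, /proxy, /proxyValidate) are those of the CAS 2.0 protocol; the class and function names, the sample user database and the 10-second ticket lifetime are assumptions made for this illustration.

```python
"""Added example: in-memory model of the CAS ticket flow (not the CAS code)."""
import secrets
import time

ST_LIFETIME_SECONDS = 10   # assumed value: service/proxy tickets are very short-lived


class CASServer:
    """Models the CAS server: the only component that checks the password."""

    def __init__(self, user_db):
        self.user_db = user_db   # constructed stand-in for LDAP / NIS / database / ...
        self.tgcs = {}           # TGC value -> netId
        self.tickets = {}        # ST or PT value -> (netId, service, expiry, proxy chain)
        self.pgts = {}           # PGT value -> (netId, proxying service)

    def login(self, netid, password):
        """/login: check netId/password against the user database, return a TGC."""
        if self.user_db.get(netid) != password:
            return None
        tgc = "TGC-" + secrets.token_hex(8)
        self.tgcs[tgc] = netid
        return tgc

    def service_ticket(self, tgc, service):
        """/login with a TGC already present: issue an ST bound to one service."""
        netid = self.tgcs.get(tgc)
        if netid is None:
            return None
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (netid, service, time.time() + ST_LIFETIME_SECONDS, [])
        return st

    def validate(self, ticket, service, want_pgt=False, now=None):
        """/serviceValidate (/proxyValidate for a PT): the ticket is opaque, bound
        to one service, expires quickly and is consumed on first use."""
        now = time.time() if now is None else now
        entry = self.tickets.pop(ticket, None)   # pop: a replayed ticket is unknown
        if entry is None:
            return None
        netid, bound_service, expiry, proxies = entry
        if bound_service != service or now > expiry:
            return None
        result = {"netid": netid, "proxies": proxies}
        if want_pgt:                              # application asked for a PGT (N-tier)
            pgt = "PGT-" + secrets.token_hex(8)
            self.pgts[pgt] = (netid, service)
            result["pgt"] = pgt
        return result

    def proxy(self, pgt, target_service):
        """/proxy: turn a PGT into a PT for a tier service."""
        if pgt not in self.pgts:
            return None
        netid, proxying_service = self.pgts[pgt]
        pt = "PT-" + secrets.token_hex(8)
        self.tickets[pt] = (netid, target_service,
                            time.time() + ST_LIFETIME_SECONDS, [proxying_service])
        return pt


def sso_flow(cas, netid, password, app_url, tier_url):
    """Browser authenticates once; the application and a tier service both learn
    the netId without the password ever leaving the CAS server."""
    tgc = cas.login(netid, password)              # browser <-> CAS server over HTTPS
    if tgc is None:
        return None
    st = cas.service_ticket(tgc, app_url)         # browser is redirected to the app with the ST
    app_view = cas.validate(st, app_url, want_pgt=True)   # app validates the ST, gets ID + PGT
    pt = cas.proxy(app_view["pgt"], tier_url)     # app obtains a PT for the tier service
    tier_view = cas.validate(pt, tier_url)        # tier service validates the PT
    replay = cas.validate(st, app_url)            # the ST was consumed: replay is refused
    return {"app": app_view["netid"], "tier": tier_view["netid"],
            "proxied_by": tier_view["proxies"], "replay": replay}


USER_DB = {"alice": "s3cret"}   # constructed sample user database

if __name__ == "__main__":
    print(sso_flow(CASServer(USER_DB), "alice", "s3cret",
                   "https://app.example/", "imap://mail.example/"))
```

The `proxies` list returned for a PT records which application asked for it, which is what a tier service such as the IMAP server can use to decide whether it trusts that application to act for the user.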
One of the strongest points of CAS
Use the pam_cas PAM module
Example of PAM configuration:
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_cas.so
[Diagram: a server application receives a login/password from its client; pam_cas forwards the login/password (the "password" being a PT) to the CAS server for validation]
Objectives
Access an IMAP server from a web application that does not know the password of the user connected
Let traditional mail clients authenticate normally (with a password)
Do not modify the IMAP server :-)
[Diagram: the web application logs in to the IMAP server with login / PT, traditional mail clients with login / password; the IMAP server authenticates through the sasl_authd daemon (with a cache), which checks a login / password against the LDAP directory or /etc/passwd and a login / PT against the CAS server]
No redundancy
No native load-balancing (but low load)
No fault-tolerance (but very good reliability)
Enjoy CAS!