UNL Single Signon

1
(No Transcript)
2
UNL Single Sign-on

• Brett Bieber - bbieber2_at_unl.edu
• Paul Erickson - phe_at_unl.edu
• John Thiltges - jthiltges2_at_unl.edu

3
What were you thinking?!

• why are you subjecting yourself to this session?
• what questions do you have?

4
UNL Single Sign-on

• Who
• limited to UNL users (faculty/staff/student/guest)
  
• federation with outside systems not currently in
  scope

5
UNL Single Sign-on

• What
• Central Authentication Service (CAS) is an
  open-source authentication system
• http//www.jasig.org/cas
• end-user logs in once, and can pass to other
  (cooperating) systems without re-authenticating

6
UNL Single Sign-on

• what CAS is...
• Authentication
• Web-based
• Reduces password exposure

• and isnt...
• Authorization
• Non-web services

7
UNL Single Sign-on

• for developers
• CAS clients for most languages
• PHP, Perl, .NET
• Secure handling of passwords
• Dont need SSL certificates

8
UNL Single Sign-on

• When
• available now
• first project was UNL Digital Measures project
• around 15 clients in total - in various stages of
  beta, tinkering, and production

9
UNL Single Sign-on
Web browser (ideally supports JavaScript and
cookies but requires neither)
Central Authentication Server
2. Authentication (sends serviceID)
4. Validation
3. Ticket transfer (sends ticket)
Arbitrary web service
1. Initial request
4a. Ticket proxy
5a. Validation
Back-end (non-web) service
10
UNL Single Sign-on

• demo time
• the lovely John will drive
• http//login.unl.edu is the address for UNLs CAS
  service

11
UNL Single Sign-on

• technical considerations
• how long it took to get up and running
• any gotchas or lessons learned?

12
UNL Single Sign-on

• OK... so now what?
• getting access
• what does it take for an app to offload
  authentication to CAS?
• where to go for help?
• http//login.unl.edu/sp/config.shtml

13
UNL Single Sign-on
QA
14
super-secret bonus

• Warning following are the gory details on how
  CAS SSO actually does its thing

15
Oh, you had to ask...(architecture)
Web application
CAS server
Web client
16
Client visits web application
Web application
CAS server
Web client
17
Application redirects client to CAS
Web application
CAS server
Web client
18
CAS displays login page
Web application
CAS server
Web client
19
Client submits credentials
Web application
CAS server
Web client
20
CAS verifies credentials
Web application
CAS server
Web client
21
CAS sets ticket-granting-ticket cookie
Web application
CAS server
Web client
22
CAS redirects client to app with ticket
Web application
CAS server
Web client
23
App verifies ticket with CAS
Web application
CAS server
Web client
24
CAS returns client identity
Web application
CAS server
Web client
25
Application starts session with client
Web application
CAS server
Web client
26
Interaction is between app and client
Web application
CAS server
Web client
27
Client visits second web application
Web application
CAS server
Web client
28
Application redirects client to CAS
Web application
CAS server
Web client
29
CAS verifies ticket-granting-ticket
Web application
CAS server
Web client
30
CAS redirects client to app with ticket
Web application
CAS server
Web client