Sunday 12 October 2014

Security (CAS SSO Strategy)

CAS (Central Authentication Service) SSO (Single Sign-On) for Web
  • CAS Platform Features
    • Open Source (Java implemented platform)
    • Standards Support { OpenID API, and SAML }
    • Single Sign-Out
    • RESTful API
    • Clustering Support
    • Services Management
    • SSO Remember Me
  • SSO Dfn { Single Sign-On with only one common app and login form trusted to authoritatively touch primary user credentials (user/pass) for clusters of segments (i.e. CAS}
  • MSO Dfn { Multiple Sign-On with different credentials for different clusters and/or segments }
  • LDAP Dfn { Lightweight Directory Access Protocol handles authentication (fast bind and search and bind) as an internet standard set of protocols (defines the communication language used between apps and servers, user permissions, and schema for the data, such as a store of credentials) used by LDAP-aware apps when accessing centralised information directories on a server (LDAP servers index all data) and filter the data they wish to lookup (i.e. SSO where one password for user is shared across multiple services) to requirements of each request. Note: LDAP excludes security and encrypted SSL }
  • LDAP Security {
    • Issues
      • Compromise to weakest link of any app by an adversary may leak primary credentials (as common passwords touched by all apps)
      • Portals authenticating to other systems by replaying credentials to Modules/Channels and then to servers
    • Solution
      • Redirect to CAS for authentication of all credentials so web apps do not touch credentials (passwords).
      • Proxy CAS authentication of end user and proxy app (portal services in proxy chain) via CAS (trusted intermediary) to backing services without replaying user credentials
  • CAS { Central Authentication Service is trusted intermediary interface that users interact with using their credentials for SSO, as it brokers authentication across multiple apps into a web SSO platform. CAS is not the actual system of record that stores the credentials } 
  • Alternatives to LDAP { 
    • Microsoft's Active Directory (AD) { LDAP + Kerberos (JAAS) }. Note: Kerberos requires trusted third-party. 
      • Logical Structure
        • Summary: Directory service with database (DB) that is partitioned into Naming Contexts (Schema, Configuration, Domain) and executable code (Directory System Agent that services requests and maintains DB). Objects (containing attributes) are defined by a schema and accessed using LDAP protocol contain information categories (resources such as computer hardware, and user accounts and groups with security principals accompanied by identifiers). Apps access AD via COM Interfaces (i.e. like an API)
        • Hierarchy: Objects are grouped into Organisational Units (OU) that serve as Admin Boundaries within Domains (stored in a DB), structured to apply Group Policies (i.e. access permissions) and Delegation of admin powers (to Domains and Sites), and identified by DNS name structure (uses TCP/IP to communicate)and namespace. Custom Scripts may be written to automated creation and updated User Groups account memberships in OUs. Domain Trees are collections of Domains. Forest (Security Boundary to access Objects) is collection of Domain Trees.
      • Physical Structure
        • Sites (Physical Groupings) defined by IP Subnets { 
          • Site Definitions common across Forest (independent of Domain and OU)
          • Sites control network traffic generated by Intrasite Replication  (i.e. 'pull' replication cycles from server where changes affected based on Change Notification) and refer clients to Domain Controllers (DCs)
          • Replication of AD is performed using RPC (Remote Procedure Calls) over IP and SMTP in some instances
          • Knowledge Consistency Checker (KCC) creates replication topology of Site Links with different 'costs' (depending on connection speed i.e. T1) and uses Sites to manage traffic
          • Domain Controllers (DCs) physically hold AD information and perform Backup and Restore of AD. A Subset of Objects replicated to DCs in the Domain Partition and are configured as GCs. Clustering of Multiple DCs using different hardware are recommended for automatic failover protection (redundancy and performance) for High Availability. DC DBs use Data Table, Link Table, and Security Table
          • Primary Domain Controller (PDC) is admin account with overall total control of Domain resources, handles externals Trusts (cross-boundary privileges for domain users seeking to access resources of other domains), and holds current passwords (i.e. similar to MSO platform mentioned earlier)
          • Member Services are non-DCs that are joined to AD
          • Global Catalog (GCs) server DBs replicated to themselves all Objects (with selected attributes, aka Partition Attribute Set (PAS) defined in the Schema) from all Domains, and so provide a global listing of all Objects in the Forest
          • Virtualisation { virtualised DCs for separate servers reduces hardware costs }
        • Connections { Low speed: WAN, VPN; High speed: LAN }
    • Oracle JAAS (Java Authentication and Authorisation Service) 
    • JDBC
    • RADIUS (Remote Authentication Dial-In User Security)
    • SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) { allows client and server to negotiation a security mechanism }
    • Trusted
    • X.509 certificates loaded into browsers { Directory Services computer networking standards that defined DAP (Directory Access Protocol) }
    • Custom Authentication Handlers
  • CAS server as SAML service provider
  • OpenID { Decentralises Authentication protocol (supports OAuth and here too) whereas CAS is Centralised Authentication protocol }
  • OAuth 2.0 { Authorisation protocol for Third-Party systems (OAuth WRAP was deprecated in favour of OAuth 2.0. CAS has an OAuth wrapper }
References:

No comments:

Post a Comment