Single Sign-On across Web Services
Ernest Artiaga, CERN
OpenLab Security Workshop, April 2004
Outline
- Motivation and goals
- Tools
- Single sign-on
- Impersonation: mapping certificates to accounts
- Providing certificates to users
- Issues and actual status
- Summary and conclusions
Motivation
- The environment:
  - Services offered through the web
  - Applications using web servers as user interface
  - Clients on both Windows and Unix platforms
- What we want (and what the users ask for):
  - An authentication mechanism valid across platforms
  - Single sign-on
Goal
- Letting users access authorized resources…
  - Restricted web pages
  - Web-based services (mail, …)
- …without re-typing usernames and passwords (single sign-on)
Tools
- Two different technologies
  - Kerberos
    - Well-known for certain applications
    - "Supported" by modern operating systems
  - PKI/Certificates
    - Widely spread
    - Portable across platforms
Tools
- The drawbacks…
  - Kerberos
    - Incompatible extensions
    - Few "kerberized" applications
- So, we decided to try PKI/Certificates as a base for a Single Sign-On mechanism.
Single Sign-on
- CERN users have accounts in both Unix and Windows environments
- Services are not replicated in both systems
- Logon and authentication mechanisms are different
- A user must type his/her credentials again and again
- Can PKI/Certificates help?
Single Sign-on: basic web access
- PKI/Certificates can be used to protect access to web pages
  - They provide portable authentication and access control
  - Available for both Apache and IIS servers
- … But this is mainly local access
  - What happens if the server needs to access remote data?
Single sign-on
[Diagram: User -> Web Server -> Services]
- We must provide the user with a valid PKI/Certificate
- We must trust the web server
  - It will impersonate the user! A compromised web server can therefore act as any of its authenticated users against the back-end services
Impersonation in IIS
- Based on the Windows Identity Mapping mechanism
  - Maps a certificate to a specific account
- The identity mapping can be managed at two different places:
  - The IIS server itself
  - The Active Directory
IIS mapping
- Specific to a web site
- Flexible many-to-one mapping rules
  - Based on issuer and subject of the certificate
- Provides a ticket valid for delegation
  - I.e. remote resources can be accessed
- Username and password must be provided when setting the mapping
  - but they are not kept synchronized with Windows accounts! A password change on the account silently invalidates the mapping, and the stored password is an extra secret held by the web server
AD mapping
- Common for all web sites in the domain
- Limited many-to-one mapping
  - There is a single account for all the certificates coming from the same issuer CA
- One-to-one mapping is the most convenient
- Provides a ticket valid for delegation since Windows .NET Server (Windows Server 2003)/IIS 6.0
AD mapping (II)
- Two flavors: manual and automatic
- In manual mapping, the administrator must specify which certificate maps into which account (can be done programmatically)
- In automatic mapping, the certificate must contain a subjectAltName extension carrying the User Principal Name (UPN) of the account in an otherName field
  - No explicit mapping is needed
  - Originally designed for smart cards
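The three mapping styles on the IIS and AD mapping slides (many-to-one rules on issuer/subject, one-to-one by exact certificate, and automatic mapping by the UPN in the subjectAltName) are easy to confuse, so here is an added worked example, not code from the original talk or from CERN. It builds and parses the exact DER structure AD automatic mapping expects (an otherName with Microsoft's UPN type-id, OID 1.3.6.1.4.1.311.20.2.3, wrapping a UTF8String) and resolves a certificate to an account under each style. It assumes stand-in certificate records with DN strings rather than parsed X.509, and a set of trusted issuer names in place of chain validation to the enterprise's trusted CAs; the names, accounts and certificate bytes are constructed. The check worth noticing is in map_upn: a UPN in a SAN is only evidence of identity when the issuer is trusted to assert UPNs, otherwise any CA can mint a certificate that maps to any account.

```python
"""Certificate-to-account mapping (added example; stand-in certs, no real X.509 parsing)."""
import hashlib
from dataclasses import dataclass

# Microsoft UPN otherName type-id, OID 1.3.6.1.4.1.311.20.2.3, already DER-encoded.
UPN_OID = bytes.fromhex("2b060104018237140203")


def der(tag, body):
    """Wrap body in a DER TLV; long-form length for bodies of 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def san_with_upn(upn, email=None):
    """GeneralNames: optional rfc822Name [1], then otherName [0] {UPN OID, [0] EXPLICIT UTF8String}."""
    names = der(0x81, email.encode("ascii")) if email else b""
    names += der(0xA0, der(0x06, UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    return der(0x30, names)


def upn_from_san(san):
    """Walk the GeneralNames and return the UPN of the first otherName carrying the UPN OID."""
    tag, body, _ = read_tlv(san)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0xA0:              # only [0] otherName; rfc822Name, dNSName etc. are skipped
            continue
        oid_tag, oid, p = read_tlv(val)
        if oid_tag != 0x06 or oid != UPN_OID:
            continue
        ctx_tag, inner, _ = read_tlv(val, p)
        str_tag, s, _ = read_tlv(inner)
        if ctx_tag == 0xA0 and str_tag == 0x0C:
            return s.decode("utf-8")
    return None


@dataclass(frozen=True)
class Cert:
    issuer: str    # issuer DN as a string (stand-in for the parsed Name)
    subject: str   # subject DN as a string
    san: bytes     # DER subjectAltName value
    der: bytes     # whole encoded certificate (constructed stand-in)


def map_many_to_one(cert, rules):
    """IIS-style rule: issuer and subject substrings -> one shared account; first rule wins."""
    for issuer_part, subject_part, account in rules:
        if issuer_part in cert.issuer and subject_part in cert.subject:
            return account
    return None


def map_one_to_one(cert, table):
    """Manual mapping: the exact certificate (keyed by SHA-1 thumbprint) -> account."""
    return table.get(hashlib.sha1(cert.der).hexdigest())


def map_upn(cert, trusted_issuers, accounts):
    """AD automatic mapping: trusted issuer AND a UPN in the SAN -> the account with that UPN."""
    if cert.issuer not in trusted_issuers:   # stands in for chain validation to a trusted CA
        return None
    upn = upn_from_san(cert.san)
    return accounts.get(upn.lower()) if upn else None


# Constructed sample data (not real CERN certificates or accounts).
CERN_CA = "CN=CERN CA,O=CERN,C=CH"
ACCOUNTS = {"artiaga@cern.ch": "CERN\\artiaga", "bob@cern.ch": "CERN\\bob"}
ERNEST = Cert(CERN_CA, "CN=Ernest Artiaga,OU=IT,O=CERN,C=CH",
              san_with_upn("artiaga@cern.ch", email="Ernest.Artiaga@cern.ch"), b"cert-ernest")
ROGUE = Cert("CN=Other CA,O=Elsewhere", "CN=Ernest Artiaga,OU=IT,O=CERN,C=CH",
             san_with_upn("artiaga@cern.ch"), b"cert-rogue")   # same UPN, untrusted issuer
RULES = [(CERN_CA, "OU=IT,O=CERN", "CERN\\webusers")]


def demo():
    return {
        "many_to_one": map_many_to_one(ERNEST, RULES),
        "one_to_one": map_one_to_one(ERNEST, {hashlib.sha1(b"cert-ernest").hexdigest(): "CERN\\artiaga"}),
        "upn": map_upn(ERNEST, {CERN_CA}, ACCOUNTS),
        "upn_rogue": map_upn(ROGUE, {CERN_CA}, ACCOUNTS),
        "many_to_one_rogue": map_many_to_one(ROGUE, RULES),
    }


if __name__ == "__main__":
    print(demo())
```

Running it maps Ernest's certificate to the shared CERN\webusers account under the many-to-one rule, to CERN\artiaga under both one-to-one and UPN mapping, and rejects the rogue certificate under both the rule (issuer mismatch) and UPN mapping (untrusted issuer) even though its SAN carries the same UPN.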
Impersonation in Apache
- Impersonation via Kerberos ticket
- Uses extra software: Kerberos Leveraged PKI
  - KCT (Kerberos Certificate Translation)
  - Mod_KCT (Apache module)
- Procedure:
  - The user sends a PKI/Certificate (obtained through the KCA) to Apache
  - Apache uses KCT to recover the user's Kerberos ticket
  - Apache uses the ticket to access the user's remote resources
Providing certificates to users
- There is a risk of users not taking care of their certificates…
  - It should be a transparent mechanism
  - It should be easy
  - It should be secure
- Both Unix and Windows users receive a Kerberos ticket during logon
- We can issue a PKI/Certificate for a Kerberos ticket
Providing certificates to users
- Kerberos Leveraged PKI
[Diagram: Login, KDC, KCA, Credential Cache, LibPKCS11, Browser, Web Server]
Providing certificates to users
- KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible)
- KCA clients are available for Unix and Windows
- A PKCS11 library (smart card emulation) is also available for Unix and Windows
- We have short-term certificates, so a leaked certificate is only usable for a short time