CUWebAuth and CUWebLogin 2.0
Identity Management Team
Campus Developers Meeting, June 4, 2008

K5 Migration Project (timeline chart; image not reproduced). Milestones along a monthly axis running from Dec 2007 to Jun 2009: CUWA 2.0 Alpha, CUWA 2.0 Beta, K5 Permit Server, CUWA 2.0 Production Release (marked "You Are Here"), Campus Rollout Complete, K4 Shutdown?. Phases marked on the axis: Testing, Discretionary migration window, Buffer.
Cornell's CUWebLogin Pages: https://confluence.cornell.edu/display/CUWAL/Cornell%27s+CUWebLogin+Pages
CUWebAuth 2.0 Documentation: https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0
What's New in 2.0
• Kerberos 5 only
• Open source
• GSSAPI
• Better security
• Better performance
• Simplified administration
• Flexible authorization model
• New POST data handling
• Better support
Changes for Kerberos 5
• Keytabs, not srvtabs
• ServiceID self-service application
  • Create your own keytabs
  • Create your own ServiceID
  • Delegate authority
• No more SideCar
• No more legacy CUSSP library
Open System
• Documented, standards-based APIs
• Full source code available
  • Localize
  • Port
  • Customize

Custom Tools
• Credential creation and parsing
• PermitG / Grouper lookup

GSSAPI
• IETF RFC 2743
• C bindings
• Java bindings
• Wide OS acceptance
Better Security
• CUWebLogin acts as a Kerberos proxy
• No credential minting
• Better MITM attack prevention

Performance
• CUWebLogin 1.0
  • 20 logins/sec per server
  • Single server
• CUWebLogin 2.0
  • 200+ logins/sec per server
  • Load balanced across 4 servers
WebAuth Administration
• Fewer directives
  • 26 directives obsolete
  • 5-6 new ones
• Better logging
• Fine-grained configuration
  • .htaccess
  • VirtualHost security domain
Flexible Authorization (Active Content)
• New directives, more than remote-user…
• Allow anonymous access
• List group permissions
• Pass cuwa-groups to the application
• How long ago did the user log in? Inspect cuwa-auth-time
• Pass cuwa-delegated-cred to the application
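The slide lists what the web server hands to the application (identity, cuwa-groups, cuwa-auth-time) but not how an application should act on it. The following is an added example, not CUWebAuth code, showing the application-side policy: anonymous access for some paths, a freshness limit on cuwa-auth-time that is tighter for a sensitive path, and a group check against cuwa-groups. The environment variable names REMOTE_USER, CUWA_GROUPS and CUWA_AUTH_TIME, the comma-separated group format, the epoch-seconds timestamp format, the group name cit.idm.admins and the time limits are all assumptions for illustration; the real names and formats are in the CUWebAuth 2.0 documentation linked above.

```python
"""Application-side authorization using CUWebAuth-style request attributes."""
import time
from dataclasses import dataclass
from typing import Optional

# Assumed variable names and formats (not confirmed by the slides): the web
# server module exports the login name as REMOTE_USER, the group list as
# CUWA_GROUPS (comma-separated) and the login time as CUWA_AUTH_TIME
# (Unix epoch seconds). Check the CUWebAuth 2.0 wiki for the real names.
USER_VAR = "REMOTE_USER"
GROUPS_VAR = "CUWA_GROUPS"
AUTH_TIME_VAR = "CUWA_AUTH_TIME"

# Hypothetical per-application policy.
ALLOW_ANONYMOUS = frozenset({"/", "/about"})
REQUIRED_GROUP = {"/admin": "cit.idm.admins"}   # hypothetical group name
DEFAULT_MAX_AUTH_AGE = 8 * 3600                 # accept an 8-hour-old login
STEP_UP_MAX_AUTH_AGE = {"/admin": 15 * 60}      # sensitive path: login within 15 min
CLOCK_SKEW_ALLOWANCE = 300                      # tolerate 5 min of clock skew


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None


def parse_groups(raw: str) -> frozenset:
    """Split the comma-separated group list, ignoring empty entries."""
    return frozenset(g.strip() for g in raw.split(",") if g.strip())


def authorize(environ: dict, path: str, now: Optional[float] = None) -> Decision:
    """Decide whether the request may proceed, using only the attributes the
    web server placed in the environment; nothing is re-authenticated here."""
    now = time.time() if now is None else now
    user = environ.get(USER_VAR) or None

    # Anonymous access is granted per path, regardless of login state.
    if path in ALLOW_ANONYMOUS:
        return Decision(True, "anonymous access permitted", user)
    if user is None:
        return Decision(False, "authentication required")

    # Freshness: reject logins older than the path's limit. A missing or
    # unparsable timestamp is treated as no authentication at all.
    try:
        auth_time = int(environ.get(AUTH_TIME_VAR, ""))
    except ValueError:
        return Decision(False, f"missing or malformed {AUTH_TIME_VAR}", user)
    age = now - auth_time
    if age < -CLOCK_SKEW_ALLOWANCE:
        return Decision(False, "authentication time is in the future", user)
    age = max(0.0, age)   # small negative skew counts as "just now"
    max_age = STEP_UP_MAX_AUTH_AGE.get(path, DEFAULT_MAX_AUTH_AGE)
    if age > max_age:
        return Decision(False, f"re-authentication required: login {int(age)}s ago, limit {max_age}s", user)

    # Group check, only for paths that demand one.
    needed = REQUIRED_GROUP.get(path)
    if needed is not None and needed not in parse_groups(environ.get(GROUPS_VAR, "")):
        return Decision(False, f"not a member of {needed}", user)
    return Decision(True, "authorized", user)


if __name__ == "__main__":
    # Constructed sample environment, as a web server module might populate it.
    sample = {USER_VAR: "abc123", GROUPS_VAR: "cit.staff, cit.idm.admins",
              AUTH_TIME_VAR: str(int(time.time()) - 60)}
    for p in ("/", "/app", "/admin"):
        print(p, authorize(sample, p))
```

The point of keeping the freshness check in the application is that the web server module only tells you when the user logged in; whether a 2-hour-old login is acceptable for a given action is the application's decision, and a missing timestamp must fail closed.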
POST Data
• No more "Click to Continue"
• POST data handled by WebAuth
• Request data stays at the website
• Can handle larger POSTs
• Same support on Apache and IIS
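To make the design point concrete, here is an added example (not CUWebAuth's implementation) of the pattern the slide describes: when an unauthenticated POST arrives, the body is stored at the website and only an opaque one-time token rides through the login redirect, so the data never transits the login server, the size is not limited by what a URL can carry, and the user is not asked to click "continue". The in-memory store, the `poststash` and `return` parameter names, the client binding, the size limit and the time-to-live are assumptions for illustration.

```python
"""Preserve a POST across the login redirect: the body stays at the website,
only an opaque one-time token travels through the redirect."""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Assumed limits (not from the slides): largest body the stash will hold and
# how long an un-replayed POST survives.
MAX_BODY_BYTES = 4 * 1024 * 1024
STASH_TTL_SECONDS = 10 * 60

Stashed = Tuple[str, str, str, bytes]   # (method, url, content_type, body)


class PostStash:
    """In-memory stand-in for a web server module's per-server store."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        # token -> (expires_at, client_id, method, url, content_type, body)
        self._items: Dict[str, tuple] = {}

    def stash(self, client_id: str, method: str, url: str,
              content_type: str, body: bytes) -> Optional[str]:
        """Store a POST and return the token to carry through the redirect.
        client_id is a hypothetical per-browser identifier (e.g. a cookie set
        before redirecting) so a leaked token cannot replay another user's
        POST. Non-POST requests need nothing stored and get None."""
        if method.upper() != "POST":
            return None
        if len(body) > MAX_BODY_BYTES:
            raise ValueError("POST body exceeds stash limit")
        token = secrets.token_urlsafe(32)   # unguessable, 256 bits of entropy
        self._items[token] = (self._now() + STASH_TTL_SECONDS, client_id,
                              "POST", url, content_type, body)
        return token

    def login_redirect(self, login_url: str, return_url: str, token: str) -> str:
        """Build the redirect to the login server (assumes login_url has no
        query string). Only the token rides along; the body never leaves
        this host."""
        sep = "&" if "?" in return_url else "?"
        back = return_url + sep + urlencode({"poststash": token})   # hypothetical parameter
        return login_url + "?" + urlencode({"return": back})

    def replay(self, token: str, client_id: str) -> Optional[Stashed]:
        """Hand the stored request back exactly once, only to the client that
        stashed it and only before it expires."""
        item = self._items.get(token)
        if item is None:
            return None
        expires_at, owner, method, url, content_type, body = item
        if owner != client_id:   # presented by a different browser session
            return None
        del self._items[token]   # one-time use, even if it turns out expired
        if self._now() > expires_at:
            return None
        return (method, url, content_type, body)

    def purge_expired(self) -> int:
        """Drop expired entries so abandoned POSTs do not accumulate."""
        now = self._now()
        dead = [t for t, item in self._items.items() if now > item[0]]
        for t in dead:
            del self._items[t]
        return len(dead)


if __name__ == "__main__":
    # Constructed sample round trip.
    stash = PostStash()
    tok = stash.stash("browser-A", "POST", "https://app.example.edu/form",
                      "application/x-www-form-urlencoded", b"field=value")
    print(stash.login_redirect("https://login.example.edu/", "https://app.example.edu/form", tok))
    print(stash.replay(tok, "browser-A"))
```

Binding the token to the client and consuming it on first use are the two checks worth carrying into any real implementation: without them, a token that leaks through a referrer or a log line lets someone else trigger the stored POST.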
Better Support
• Apache and IIS: one code base
• 64-bit clean
• Thread safe
• No name collisions
• Shared library compatibility (Unix)
• Problem with a binary? Rebuild it!
• Short list of binaries
  • RedHat, Solaris, Windows
  • Apache 2.0, 2.2, IIS 6
• Wiki documentation

Release Schedule
• Apache go-live: now
• IIS go-live: in about a month
Q&A
Pete Bosanko, pb10@cornell.edu
Tom Parker, jtp5@cornell.edu
idmgmt@cornell.edu