www.chariotsolutions.com/slides/osconf2005-security.pdf
Open Source in the Corporate World
Open Source Single Sign-On
Erin Mulder
Copyright 2005 Chariot Solutions
Agenda
• Introduction
• Single Sign-On for Multiple Applications
– Shared directory (e.g. OpenLDAP)
– Proxy systems (e.g. Yale CAS)
– X.509 certificates
– NTLM
– Kerberos/SPNEGO
• Integration with Workstation Login
– Shared directory
– Kerberos
• Cross-Domain & Federated Single Sign-On
Proxy Systems
• User accesses web application and is redirected to authentication web app
• Authenticator collects username/password and validates against central auth store
• Sets a cookie and redirects user back to original application
• Application communicates with authenticator to ensure
• Advantages
– User only has to log in once per “session” to access multiple web applications
– Credentials are only passed across wire once
– Applications don’t need to trust each other
• Disadvantages
– Still requires at least one login per browser “session”
– Credentials are still passed across network
– Applications have to communicate with authenticator to validate cookie
– Doesn’t integrate seamlessly with J2EE declarative security (though you can usually fake this)
• Implementing with Open Source
– Check out the Central Authentication Service (CAS) project
– Most widely used implementation is Yale CAS Server
– Hook up to an auth store with CAS Generic Handler
– Get started in minutes with the “Quick Start” packages distributed by ESUP-Portail, which include:
• Yale CAS Server
• Tomcat
• CAS Generic Handler (CGH)
• Ant scripts to install and run it all
– CASFilter supports protecting your application’s pages with Servlet filters, JSP custom tags and direct API calls
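The redirect-and-validate flow from the slide above, as an added example written for this page (a Python simulation, not code from the CAS project): the authenticator issues one SSO cookie per login, then hands out short-lived, single-use service tickets bound to each application's URL, and each application confirms its ticket with the authenticator over a back channel before granting access. The class and function names, the sample auth store and the login URL are assumptions.

```python
import secrets
import time

# Constructed sample auth store for this example (stands in for LDAP etc.)
AUTH_STORE = {"alice": "correct horse", "bob": "battery staple"}


class CasServer:
    """Minimal model of a CAS-style authenticator: one login, many service tickets."""

    def __init__(self, st_ttl=10.0):
        self.tgc = {}       # ticket-granting cookie value -> username
        self.tickets = {}   # service ticket -> (username, service URL, issued_at)
        self.st_ttl = st_ttl

    def login(self, username, password):
        # The only step where credentials cross the wire; returns the SSO cookie value
        if AUTH_STORE.get(username) != password:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgc[tgc] = username
        return tgc

    def issue_service_ticket(self, tgc, service):
        # A browser presenting a valid cookie is redirected back to `service` with a ticket
        user = self.tgc.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, time.monotonic())
        return st

    def validate(self, st, service):
        # Back-channel call from the application: the ticket is consumed on first use,
        # must match the service it was issued for, and must not have expired
        entry = self.tickets.pop(st, None)
        if entry is None:
            return None
        user, bound_service, issued = entry
        if bound_service != service or time.monotonic() - issued > self.st_ttl:
            return None
        return user


def cas_filter(cas, service, ticket=None):
    """What a CASFilter-style guard does for an unauthenticated request to `service`."""
    if ticket is None:
        # Assumed login URL; the authenticator learns where to send the user back
        return ("redirect", "https://cas.example/login?service=" + service)
    user = cas.validate(ticket, service)
    return ("ok", user) if user else ("forbidden", None)
```

A second application reached with the same cookie gets its own ticket without a new login, which is the "once per session" property the slide describes; a replayed or cross-service ticket is rejected.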
Cross Domain SSO
• Cookies don’t work
• Client certificates do work
• Kerberos supports domain trust relationships
• Yale CAS 2.0 supports proxy ticketing
• Plenty of standards (Liberty, SAML, etc.) but little stable open source support
• Keep an eye on this area, but look to commercial tools for out-of-the-box features
[Source] A PowerPoint summary of the key points of open source SSO | Author: 슬렁슬렁