CIT’s Web Single Sign-on Service SRM Report CUWebAuth Investigation Identity Management Team OIT/CIT Security April 16, 2007

Page 1

CIT’s Web Single Sign-on Service

SRM Report CUWebAuth Investigation

Identity Management Team, OIT/CIT Security

April 16, 2007

Page 2

Topics

• Products in question
• Review how we arrived at this juncture
• Present results of our research in terms of service goals
• Make recommendation
• Obtain your support

Page 3

Components: Web Single Sign-on

• CUWebAuth: software installed on individual web servers; enables the application’s use of CIT’s authentication service via SideCar OR CUWebLogin
• CUWebLogin: infrastructure component (two servers); handles authentication on behalf of the web-based service

Page 4

[Timeline figure: "Kerberos 5 Upgrade: Where Are We Now?" Month axis Dec through the following Jan, years 2007 and 2008, with a Feb–Jun detail band. Labels: Campus Rollout Complete; K4 Shutdown; PS Student Launch; You Are Here; Discretionary migration window; 6/14 Identity Management Rollout.]

Page 5

[Timeline figure: "Where Are We Now?" Month axis Dec through the following Jan, years 2007 and 2008, with a Feb–Jun detail band. Labels: Campus Rollout Complete; K4 Shutdown; PS Student Launch; You Are Here; Discretionary migration window; 6/14 Identity Management Rollout.]

• Code review (4 code bases)

Page 6

[Timeline figure: "Where Are We Now?" Month axis Dec through the following Jan, years 2007 and 2008, with a Feb–Jun detail band. Labels: 6/14 Identity Management Rollout; Campus Rollout Complete; K4 Shutdown; PS Student Launch; You Are Here; Discretionary migration window.]

• Code review (4 code bases)
• Security audit (new vulnerabilities)

Page 7

[Timeline figure: "Where Are We Now?" Month axis Dec through the following Jan, years 2007 and 2008, with a Feb–Jun detail band. Labels: 6/14 Identity Management Rollout; Campus Rollout Complete; K4 Shutdown; PS Student Launch; You Are Here; Discretionary migration window.]

• Code review (4 code bases)
• Security audit (new vulnerabilities)
• Rollout requirements (PS launch)

Pages 8–10

[Timeline figure: "Where Are We Now?" repeated on three build slides with the same month axis (Dec through the following Jan, years 2007 and 2008, Feb–Jun detail band), the same labels (PS Student Launch; Campus Rollout Complete; You Are Here; K4 Shutdown; Discretionary migration window; 6/14 Identity Management Rollout) and no new text.]

• Code review (4 code bases)
• Security audit (new vulnerabilities)
• Rollout requirements (PS launch)

Page 11

[Timeline figure: "Where Are We Now?" Month axis Dec through the following Jan, years 2007 and 2008, with a Feb–Jun detail band. Labels: PS Student Launch; K4 Shutdown; You Are Here; window of opportunity; Discretionary migration window; 6/14 Identity Management Rollout; Campus Rollout Complete.]

• Code review (4 code bases)
• Security audit (new vulnerabilities)
• Rollout requirements (PS launch)

Page 12

The Reasonable Options

• CUWA/CUWL 1.5 – Attempt to fix what we have
• CUWA/CUWL 2.0 – Re-build it the way it should be
• Move to an outside solution
  - Yale CAS
  - Stanford WebAuth
  - CoSign

Page 13

Service goals considered

• Impact of change on campus developer community
  - Minimal work required to migrate to new versions
  - Support for required functionality
  - Predictability of user experience
• Long-term viability of CIT’s authentication solution for web-based services
  - Performance and scalability as use of CUWA and CUWL increase
  - Support for new server operating systems and web servers (Apache, IIS)
  - Support for future enhancements to authentication and authorization
• Security of central authentication services
• Efficient use of scarce CIT resources

Page 14

Recommendation

[Timeline figure: month axis Dec through the following Jan, years 2007 and 2008, with a Feb–Jun detail band. Labels: 9/1 Identity Management Rollout; PS Student Launch; Develop CUWebAuth 2.0; Discretionary migration window; K4 Shutdown; Campus Rollout Complete; Early Adopters.]

• CUWebAuth 2.0 Implementation
• Fall 2007 deployment
• Increase migration window

Page 15

1. Why not go with CUWA 1.5?

• Condition of 8-year-old code has become a support burden
  - Significant work required for even minor changes
  - Impact of change on other portions of code difficult to test prior to release, resulting in more problems for campus service providers
  - More bugs and security vulnerabilities as a result
  - Currently requires 2 FTEs
• Increasing campus dependency on CUWebLogin = scalability and performance issues
• SideCar limitations and scheduled retirement
• Preference for web-based applications

Page 16

2. What do we get by writing CUWA 2.0?

• Product that is easier to maintain
  - Simpler protocol
  - Legacy dependencies eliminated
  - Less code duplication (one code base instead of four)
  - More extensible code (and all within local control)
• More secure protocol
• More scalable web single sign-on solution
• No loss of required functions and features
• Relatively minimal impact on campus developers

Page 17

3. Will we have to give up other work?

• Overall development effort not much different
  - CUWA 1.5 estimated 23.8 FTE weeks
  - CUWA 2.0 estimated 25.6 FTE weeks
• CUWA 1.5 work requires the skill-set of four members of current IdM team
• CUWA 2.0 work will require skill-set of only two members of current IdM team
• CUWA 2.0 choice frees up skill set required for key projects like Active Directory, PS/STARS, Automated Provisioning, Grouper/Signet

Page 18

4. Would an outside solution be smarter?

• Assessment is “no” based on more than 100 hrs of research
• Alternatives may offer short-term wins for IdM development team
• But would have significantly higher impact on user community
• Using these solutions off-the-shelf, without mods:
  - we give up features we currently have (ex: POST data support)
  - or we accept the same vulnerabilities we have with CUWA 1.5
• Making mods to these outside solutions
  - may take as much or more time as re-writing CUWA 2.0
  - requires unknown level of cooperation with other institutions
  - may cause entanglements and dependencies beyond our control

Page 19

5. What are the longer-term implications?

• Lower maintenance cost, from 2 FTEs to 1
• Better security
• More predictable user experience
• Positions us better for future enhancements to authentication and authorization services
• Opportunity for open-source release

Page 20

Summary Pros and Cons

Option        | Pro                                            | Con
Webauth 1.5   | Lowest short-term risk                         | Limited benefit
Webauth 2.0   | Best long-term solution                        | Slightly more short-term work
CAS           | Great Java integration                         | Most expensive for the rest of campus; security not great
Stanford      | Lowest deployment cost for Identity Management | Complex infrastructure and missing features

Page 21

Questions?

Page 22

http://identity.cit.cornell.edu/projects/index.html

Page 23

Identity Management

[email protected]