2005-02-24 Yale-Rutgers video conf

Time of meeting: 12:30 - 2pm

Present:
Rutgers: Scott, Bill, Dmitriy
Yale: Andrew, Howard, Andy, Drew, Susan

WIND, SAML, M2

Proposed Agenda

  1. Summary of Columbia visit to Yale this week (Andy Newman)
  2. Presentation by Howard on SAML details as they pertain to use in CAS 3
  3. Yale commitment to validate object model by developing non-forms based authentication implementation. (Howard)
  4. Extension points
  • Talk about CredentialsToPrincipalResolver interface
  • Walk through WIND requirements in enough detail to validate model and extension points for implementing in CAS 3

Columbia and WIND

Report by Andy about the Yale-Columbia meeting wrt WIND and CAS.
See also Wiki page on Columbia.

SAML

Package of schemas identifying core information and administrative stuff. Ability to sign elements. A request and response protocol for exchanging these potentially signed XML productions.

Request/response protocol

I build a request (potentially signed) expressing what I want. I send it to you. You respond with a (potentially signed) response.

Assertions

Attribute assertions

Express a scope, attribute name, and attribute value.

Metadata assertions

When is this assertion valid? Advice?

Authentication assertions

Includes information about how this user was authenticated. Options include

  • userid, password in the clear
  • userid, password over a secure transport protocol (SSL)
  • x509 in the clear
  • x509 over a secure transport protocol (SSL)
  • smart card
  • timer card
  • XML message signed
  • PGP
  • etc...

Assertions can be digitally signed.

There are several implementations

But let's use OpenSAML.
Shibboleth as an example of usage.

SAML as CAS 3 protocol

CAS accepts a SAML request as a request for ticket validation. Signing the request would authenticate the requestor without our needing to do our callback trick. CAS responds with a SAML response including attribute assertions expressing netid, etc.

SAML as just a format for passing attribute values. We look good by using it: standards compliance, positive interaction with I2, etc.
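The ticket-validation exchange sketched above, as an added Python example that is not part of the meeting notes or of CAS itself: a SAML 1.1-style request carrying the ticket as an AssertionArtifact, and a response whose assertion carries a validity window (the "when is this assertion valid?" metadata) plus a netid attribute; the relying-party check enforces the window before trusting the attributes. The ticket value, netid, attribute namespace and clock are constructed placeholders, and XML signature handling is left out.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_validation_request(ticket: str) -> bytes:
    """Service side: a samlp:Request whose AssertionArtifact carries the ticket."""
    req = ET.Element(f"{{{SAMLP}}}Request", MajorVersion="1", MinorVersion="1")
    ET.SubElement(req, f"{{{SAMLP}}}AssertionArtifact").text = ticket
    return ET.tostring(req)

def build_validation_response(netid: str, now: datetime, lifetime_s: int = 60) -> bytes:
    """CAS side: a samlp:Response whose assertion carries a validity window
    (Conditions) and an AttributeStatement holding the netid."""
    resp = ET.Element(f"{{{SAMLP}}}Response", MajorVersion="1", MinorVersion="1")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", MajorVersion="1", MinorVersion="1")
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.strftime(FMT),
                  NotOnOrAfter=(now + timedelta(seconds=lifetime_s)).strftime(FMT))
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", AttributeName="netid",
                         AttributeNamespace="urn:example:cas")  # constructed scope
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = netid
    return ET.tostring(resp)

def extract_attributes(response_xml: bytes, now: datetime) -> dict:
    """Service side: refuse assertions outside their validity window, then
    collect attribute name -> value (signature checking is not modelled here)."""
    out = {}
    for a in ET.fromstring(response_xml).findall(f"{{{SAML}}}Assertion"):
        cond = a.find(f"{{{SAML}}}Conditions")
        if cond is not None:
            nb = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
            noa = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
            if not (nb <= now < noa):
                raise ValueError("assertion outside its validity window")
        for attr in a.iter(f"{{{SAML}}}Attribute"):
            out[attr.get("AttributeName")] = attr.find(f"{{{SAML}}}AttributeValue").text
    return out

def demo() -> tuple:
    """Round trip at a fixed constructed instant: (attributes, error after expiry)."""
    t0 = datetime(2005, 2, 24, 12, 30, tzinfo=timezone.utc)  # constructed clock
    resp = build_validation_response("jdoe", t0)
    try:
        extract_attributes(resp, t0 + timedelta(seconds=61))
        late = None
    except ValueError as e:
        late = str(e)
    return extract_attributes(resp, t0), late
```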

SAML as internal CAS objects

SAML could be used as the CAS3 internal server-side representation of information about authentication. That is, SAML could be the native internal model which we translate to the CAS2 responses at the marshalling/view layer.

Decision at this video conference was not to try to do this: instead use CAS3 objects as server side representation of authentication information and translate those into SAML if desired at the view/marshalling layer.

NTLM / Cert non-interactive authentication

ACTION ITEM: Yale commitment to implement non-interactive authentication schemes to validate that these approaches are well supported by CAS3.

SAML responses

ACTION ITEM: Yale commitment to implement CAS parsing SAML request for ticket validation and responding with SAML response.

Credentials and their strengths

How strongly was the user authenticated?

Is the CAS SSO cookie an authentication method? ACTION ITEM: Howard will produce diagram.

CAS3 extension points

We have a milestone 2 goal of expressing our extension points. ACTION ITEM: Transform the Well Known Modifications page to express these extension points.

Other extension points:

  • Rutgers select-an-authentication-method pulldown.
  • CAS forwarding actual primary credentials to a portal so that the portal can use them to authenticate on behalf of the user to channel content sources.

Other M2 work todo

Improved testing, logging.
Monitoring via JMX

  • What other instrumentation?