MIDDLEWARE: SINGLE SIGN ON AUTHENTICATION AND AUTHORIZATION FOR GROUPS

Ramesh Puljala, Academic Computing, Computer and Information Sciences, University of Alabama at Birmingham
Rajani S. Sadasivam, Academic Computing, Electrical and Computer Engineering, University of Alabama at Birmingham
John-Paul Robinson, Academic Computing, University of Alabama at Birmingham
Jill B. Gemmill, Academic Computing, Computer and Information Sciences, University of Alabama at Birmingham
ABSTRACT

In a large organization such as a university there exists a critical need to provide an authentication and authorization service using a centralized authoritative source. The centralized service should give end-user applications the ability to identify people (authentication) and allow them proper access (authorization). The advantages of this are two-fold: 1) it reduces the burden on end-user application developers to provide an authentication and authorization mechanism and allows them to focus on the application goals; 2) it reduces the burden on the IT personnel maintaining the central authoritative source. The software download application was developed as a case study for a centralized authentication-authorization service. The goal of the application was to provide a web interface for download of licensed software from any location by University of Alabama at Birmingham (UAB) students, faculty and staff, but not for others listed in the central directory such as alumni. The application leverages the capabilities of Java, in particular Servlets, Java Server Pages (JSP), and the Java Naming and Directory Interface (JNDI) API, and uses the central Lightweight Directory Access Protocol (LDAP) server for authentication rather than conventional application-specific data stores. The issues that were solved during the development of the software download application include using Secure Sockets Layer (SSL) for authentication but not while downloading software, to avoid encryption overhead; collecting the authenticated user's group information for making a policy decision; generating a unique session id to provide session management without using browser cookies; and developing a customizable multi-threaded timer mechanism to trigger a timeout if the bind (login) operation is not completed within a specific period.
The application developed is robust, efficient, scalable, secure, and completely cross-platform and offers an example approach that can be generalized for providing authenticated access to protected resources where a central LDAP server is available. Future directions in this project will involve the integration of single sign-on architecture such as Pubcookie [13] or Shibboleth [15] to the software-download application.
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection - authentication; C.2.4 [Computer-Communication Networks]: Distributed Systems - distributed applications.

General Terms
Security, Management, Design.

Keywords
Central Authentication and Authorization, Authorization based on Groups, Identity Management, Directory Services
1. INTRODUCTION

The explosive growth of technology is driving the next wave of economic and social growth. To take advantage of that growth, it is imperative not only to apply new technology, but also to apply new thinking [14]. The current software systems used in large organizations such as corporations or universities lack many desirable qualities such as support for ease of integration, automation, and modification. Traditionally, large institutions are organized into units that perform different functions such as administration, human resources, information technology, research, development, etc. Software systems used within these institutions have evolved to support each functional unit. As operations became increasingly dependent on software systems, these systems became very elaborate, intertwined, and often customized to suit specific needs. As a result, these systems have become very complex and present a great deal of difficulty in their integration. Software systems should be more easily integrated and automated, while not inhibiting evolutionary changes or processes necessitated by changing business needs. The Internet has added a new dimension to enterprise scalability. Internet applications are likely to support hundreds of thousands and, possibly, millions of concurrent users connected to a service-driven network. The accelerated pace inherent in a virtual, information-driven model has placed a great deal of emphasis on responsiveness. In order to leverage the Internet, it is imperative not only to project services into various client channels, but also to do so repeatedly and in a timely manner, with frequent updates to both information and services. In this environment, timeliness is critical in gaining and maintaining a competitive edge. The fundamental challenge is not simply the creation of new tools, techniques, or computers. It is the creation of a new perspective and paradigm when incorporating and integrating the tools, techniques, and information technologies for the effective handling of practices, whatever they may be. The development of the Internet over the past few years has led to new requirements for controlling access to files, data, and other material made available on organization networks [17].

This paper addresses a critical need that exists in every organization for a centralized authentication and authorization service. Authentication is the process of ensuring the identity of users, and authorization is the process of permitting or restricting access to resources based on that identity. A central authentication and authorization service would give the organization the ability to provide single sign-on across multiple applications, allow untrusted services to authenticate users without having access to their passwords, and localize actual ("primary") authentication to a single application, which makes it easier to change the authentication logic if necessary without having to change numerous applications [18]. This allows end-user application developers to concentrate on application goals rather than focus on authentication and authorization.
From an IT personnel point of view, keeping information correct in exactly one place reduces the work that would be needed if one first had to remember where a particular piece of information is kept, or worse, had to remember to store it in several different places. Additionally, enforcement of global policies for authentication and authorization is simpler with a centralized service. Systems administrators can manage users' IDs, application dialogs, and access paths from a single point, which gives them centralized control over security administration [16]. For a user, a centralized service offers many advantages and allows him or her to seamlessly and transparently navigate from one service to another. That is, the user will be able to log on to one service and access other services on the network without having to log in repeatedly. The user will not have to create and maintain multiple accounts and passwords, reducing the need to physically store passwords and thus reducing security risks. Without some sort of centralized server, every service would have a separate password such as an "email password" and a "web password", etc. [11]. Redundancy on the service level would be next to impossible. A centralized service would allow secure delegation of credentials, enabling security across application and system boundaries [7].

Designing and developing a central authentication and authorization service is a complex task and presents many issues and challenges to the developers. The central authentication and authorization service must provide a flexible and standardized framework to accommodate the wide range and diverse nature of end-user applications. Security mechanisms must be put into place to ensure the integrity of user credentials. Care must be taken to make sure that the security mechanisms assist rather than hinder the final application goal of the project. For example, our case study software download application required Secure Sockets Layer (SSL) [9] only for authentication and not for the application goal, the downloading of licensed software. Session management techniques through session ids, tokens, etc. must be developed to maintain a session between the central authentication and authorization service and the end-user applications. It is vital that the central authentication and authorization service does not violate any organizational policy or law such as the Family Educational Rights and Privacy Act (FERPA) [6] when exchanging information with the end-user applications. End-user application developers must also be able to add a local policy for authorization in addition to the global policy. This would allow end-user applications to authorize only a subset of the groups that the central service authorizes.
2. CASE STUDY - SOFTWARE DOWNLOAD APPLICATION

The software download application was developed as a case study for a central authentication and authorization service. There were two main goals for developing the application. The specific goal was to provide a web interface for download of licensed software from any location by University of Alabama at Birmingham (UAB) students, faculty and staff, but not for others listed in the central directory such as alumni. The overall goal was to use the application as a forum for understanding authentication, authorization, and security issues in developing a central authentication and authorization service. The current system for download of licensed software is based on Internet Protocol (IP) authentication, which prevents registered UAB students, faculty, and staff from downloading software outside the UAB IP domain. An existing solution in the form of a Virtual Private Network (VPN) [4] provides off-campus access to such users. A VPN solution is not a desirable one because of the difficulty of configuring it properly at the end-user's location. The solution was to provide an alternate Web-based interface for downloading software that leverages the unique Blazer ID and password set up in UAB's central authoritative Lightweight Directory Access Protocol (LDAP) [8] server for authentication and authorization. A BlazerID is a computer login name that the University of Alabama at Birmingham (UAB) is deploying campus-wide [5]. It is roughly equivalent to the screen name/"buddy list"/username identifier that a user may have used to access online services such as Yahoo!, America Online, or MSN. A decision was made to use the web pages of the existing software download application rather than create new web pages.
The application was completely developed using standard Java [10] and Java 2 Enterprise Edition (J2EE) technologies such as Servlets, Java Server Pages (JSP), Java Beans and, in particular, the Java Naming and Directory Interface (JNDI), which provides a unified interface to multiple naming and directory services, including LDAP. The Apache Web server [2] and the Tomcat application server [1] were selected to provide the development environment for the software download application. The front-end login page sends the user credentials (Blazer ID and password), submitted through a form, over a secure 128-bit SSL connection. The Login Servlet uses the JNDI API to perform a bind operation with the backend LDAP server to authenticate the user credentials. Once a user is bound to the LDAP server, the user attribute information obtained can be further used for authorization and making policy decisions. A customizable multi-threaded timer mechanism was developed to trigger a timeout if the bind operation is not completed within a specific period. Upon successful authentication, the Servlet creates a unique session id to provide session management. This ensures that the session lifetime is under the control of the server-side program rather than the client browser. Another advantage is that the session identifier does not have to contain any information about the user credentials. This improves the chances of protecting the credentials and not violating any FERPA laws.

[Figure 1 (diagram not reproduced): Login (JSP) submits over HTTPS to the Login (Servlet), which binds to the LDAP Server using JNDI; on success it sets the session and redirects over HTTP to the protected resource Authz.jsp (JSP), which accesses the HTML files, parses them and displays the file; Download (JSP) serves the protected resource (licensed software) over HTTP; Logout (JSP) invalidates the session.]
Figure 1. Component Flow Diagram of software download application
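The bind-with-timeout and group check described above, written out as an added example; this is not the application's own Login Servlet code. It assumes a people DN of the form uid=<BlazerID>,ou=people,dc=example,dc=edu, an eduPersonAffiliation attribute carrying the group, and placeholder host, base DN and timeout values, none of which the paper specifies.

```java
import java.util.Hashtable;
import java.util.Set;
import java.util.concurrent.*;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapLoginCheck {
    // Assumed placeholders: the paper does not publish UAB's directory layout or attribute names.
    static final String LDAP_URL = "ldaps://ldap.example.edu:636";
    static final String PEOPLE_BASE = "ou=people,dc=example,dc=edu";
    static final String GROUP_ATTR = "eduPersonAffiliation"; // assumed attribute carrying the group
    static final Set<String> ALLOWED = Set.of("student", "faculty", "staff"); // "alum" left out on purpose
    static final long BIND_TIMEOUT_MS = 5000; // the paper's customizable bind timeout, value assumed
    public enum Result { AUTHORIZED, DENIED, BAD_CREDENTIALS, TIMEOUT, ERROR }

    /** Bind as the user on a worker thread and give up if the bind has not finished in time. */
    public static Result login(String blazerId, String password) {
        if (blazerId == null || password == null || password.isEmpty()
                || !blazerId.matches("[A-Za-z0-9._-]+")) {
            // an empty password would turn into an anonymous bind; odd characters could alter the DN
            return Result.BAD_CREDENTIALS;
        }
        ExecutorService worker = Executors.newSingleThreadExecutor();
        Future<Result> pending = worker.submit(() -> bindAndAuthorize(blazerId, password));
        try {
            return pending.get(BIND_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            pending.cancel(true); // the timer fired: abandon the hung bind
            return Result.TIMEOUT;
        } catch (ExecutionException | InterruptedException e) {
            return Result.ERROR;
        } finally {
            worker.shutdownNow();
        }
    }
    private static Result bindAndAuthorize(String blazerId, String password) {
        String userDn = "uid=" + blazerId + "," + PEOPLE_BASE; // assumed DN shape
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind itself: a wrong password throws here
            Attributes attrs = ctx.getAttributes(userDn, new String[] { GROUP_ATTR });
            return decide(attrs.get(GROUP_ATTR));
        } catch (AuthenticationException e) {
            return Result.BAD_CREDENTIALS;
        } catch (NamingException e) {
            return Result.ERROR;
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
    /** Local policy on top of the central directory's answer: one allowed affiliation is enough. */
    static Result decide(Attribute affiliations) throws NamingException {
        if (affiliations == null) return Result.DENIED;
        for (int i = 0; i < affiliations.size(); i++) {
            if (ALLOWED.contains(String.valueOf(affiliations.get(i)).toLowerCase())) return Result.AUTHORIZED;
        }
        return Result.DENIED; // e.g. a directory entry listed only as "alum"
    }
}
```

Because the bind uses the user's own credentials, a failed or timed-out bind never yields attributes, so the authorization step can only run for a caller the directory has actually authenticated.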
The user is then redirected to an authorization JSP page, which parses the existing web pages and adds authorization and session identifiers into the web page. Special tags were developed to distinguish between protected web pages and protected software. The user is also redirected to a Hyper Text Transfer Protocol (HTTP) connection to allow quicker download of software without encryption overhead. A standardized application logging mechanism in common log format was provided using the Java Beans API to allow automated reporting using tools. The software download application was developed on a Windows 2000 server and ported to a Linux server. Figure 1 depicts the component flow diagram of the software download application. The software download application gave us an understanding of many issues that must be solved for developing a central authentication and authorization service. These include:

- a mechanism for binding against a central authoritative source;
- authenticating through an SSL connection, but downloading software (the application goal) through an HTTP connection;
- generating session ids and session identifiers to maintain the session and exchange authorization information in a secure manner without violating any laws or policies;
- a customizable timeout mechanism for triggering a timeout in case the login operation fails; and
- generating reports of transactions that occurred during the authentication and authorization stages.
In the software download application, the issues listed above were solved using the tools that Java and Tomcat provided. JNDI was used to bind with the central LDAP server; for redirecting the application from SSL to HTTP, URL rewriting was used, and cookies were turned off in the Tomcat server to force URL rewriting. Working on solving the various issues allowed us to understand the inner workings and relationships of the pieces of the authentication and authorization puzzle. For a flexible central authentication and authorization service framework, these solutions have to be generalized using either a custom-built mechanism or an available single sign-on architecture. The software download application developed is robust, efficient, scalable, secure, and completely cross-platform, and is currently being set up for use by the UAB community.
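Session handling along the lines described above (a server-controlled lifetime, an id that carries nothing about the user, and URL rewriting in place of cookies), as an added illustration rather than the application's own code; the paper used Tomcat's built-in sessions, whereas this stand-alone table, the 15-minute lifetime, the sid query parameter and the stored mayDownload flag are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side session table keyed by a random id that is rewritten into URLs, not set as a cookie. */
public class DownloadSessions {
    static final long LIFETIME_MS = 15 * 60 * 1000L; // assumed value; the paper only says the server decides
    private static final SecureRandom RNG = new SecureRandom();

    /** What the server remembers: when the session ends and whether the group check passed. */
    private record Entry(long expiresAt, boolean mayDownload) { }
    private final Map<String, Entry> table = new ConcurrentHashMap<>();

    /** Called after a successful bind. The id is random, so it reveals nothing about the user. */
    public String create(boolean mayDownload, long now) {
        byte[] raw = new byte[24]; // 192 random bits: unguessable and unrelated to any credential
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(id, new Entry(now + LIFETIME_MS, mayDownload));
        return id;
    }

    /** The check Authz.jsp and Download.jsp would make: live session and authorized group. */
    public boolean mayDownload(String id, long now) {
        Entry e = id == null ? null : table.get(id);
        if (e == null) return false;
        if (now >= e.expiresAt()) { table.remove(id); return false; } // server-side expiry wins
        return e.mayDownload();
    }

    /** Logout.jsp's job: the server forgets the id, so a copied or bookmarked URL stops working. */
    public void invalidate(String id) { if (id != null) table.remove(id); }

    /** URL rewriting: with cookies off in Tomcat the id has to travel in the URL itself. */
    public static String rewrite(String url, String id) {
        return url + (url.indexOf('?') >= 0 ? "&" : "?") + "sid=" + id;
    }
}
```

Since the rewritten URL is sent over plain HTTP for the download, the id is the only thing exposed, which is why it must be random, short-lived and bound to no credential.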
3. FUTURE WORK

The software download application presents a tightly integrated example of a centralized authentication and authorization service developed in Java. To serve a wide range of client applications, the centralized service must be loosely coupled and easily integrated into the client architecture. The centralized service should also allow federated administration, in which users are authenticated in one location and authorized in another. This could be done through single sign-on architectures such as Pubcookie or Shibboleth. Pubcookie is open-source software for intra-institutional web authentication [13]. Pubcookie consists of a standalone login server and modules for common web server platforms like Apache and Microsoft IIS. Together, these components can turn existing authentication services (like Kerberos [12], LDAP, or NIS [3]) into a solution for single sign-on authentication to websites throughout an institution. Exchange of session information is done through key servers and key clients using a self-generated shared secret. Shibboleth, a project of Internet2/MACE, is developing architectures, policy structures, practical technologies, and an open-source implementation to support inter-institutional sharing of web resources subject to access controls [15]. In addition, Shibboleth offers a policy framework that will allow inter-operation within the higher education community. Key concepts within Shibboleth include federated administration, access control based on attributes, active management of privacy, a standards-based design, a framework for multiple, scalable trust and policy sets (clubs), and a standard (yet extensible) attribute value vocabulary. Our approach will be to integrate the software download application with Pubcookie/Shibboleth for authentication and authorization.
4. SUMMARY

This paper addresses a critical need of large and distributed organizations for a centralized authentication and authorization service. This is especially true for organizations in which there exists a centralized database with user information. A case study approach is used to understand the issues and challenges that face an organization developing a centralized authentication and authorization service. The software download application was developed with the goal of providing Web access to download licensed software from any location by UAB students, faculty and staff, but not others listed in the central directory such as alumni. The capabilities of Java and the J2EE API were leveraged to provide a solution that is scalable, robust, and completely cross-platform. More importantly, the software download application provided an understanding of many issues that must be solved to develop a centralized authentication and authorization service. The software download application offers an example approach that can be generalized for providing authenticated access to protected resources where a central LDAP server is available.
5. ACKNOWLEDGMENTS

This material is based upon work supported by National Science Foundation Grant Number EPS-0096193, "Alabama EPSCoR Cooperative Agreement: Internet2 Initiative"; PI: Robert Griffin (UA); co-PIs: David Cordes (UA), Jill Gemmill (UAB), Sara Graves (UAH), Priscilla Hancock (UA), David Shealy (UAB). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. Southeastern Universities Research Association - UAB is a National Science Foundation Middleware Initiative (NMI) TestBed Participant. Administrative Lead: David L. Shealy; Technical Lead: Jill Gemmill. UAB Information Technology and its Department of Academic Computing: Sheila Sanders, Interim Vice President for Information Technology, and David L. Shealy, PhD, Director of Academic Computing.
6. NOTE

The software download application can be accessed at http://lists.it.uab.edu/software/Authenticate.jsp, the source code and installation instructions are available at http://metric.it.uab.edu/cvsweb/website-auth/, and the documentation is available at http://metric.it.uab.edu/~rajani/ProjectSummary/LicensedSoftwareDowload_temp.html.
7. REFERENCES

[1] Apache Tomcat application server home page. http://jakarta.apache.org/tomcat/.
[2] Apache Web server home page. http://www.apache.org/.
[3] About NIS. http://www.ebsinc.com/solaris/network/nis.html#nis1.
[4] About VPN. http://www.vpninsider.com/.
[5] BlazerID Central. http://www.uab.edu/it/itd/techdocs/sblazerid.html.
[6] Family Educational Rights and Privacy Act. http://www.ed.gov/offices/OM/fpco/ferpa/.
[7] IBM. Single Sign On - A Contrarian View. http://www7b.software.ibm.com/wsdd/library/techarticles/0108_botzum/botzum.html.
[8] Introduction to LDAP. http://www.gracion.com/server/whatldap.html.
[9] Introduction to SSL. http://developer.netscape.com/docs/manuals/security/sslin/contents.htm.
[10] Java home page. http://www.java.sun.com.
[11] LDAP Account Synchronization Project. http://acctsync.sourceforge.net.
[12] MIT Kerberos home page. http://web.mit.edu/kerberos/www/.
[13] Pubcookie home page. http://www.washington.edu/pubcookie/.
[14] Sadasivam, R. S., Tanik, U. J., and Tanik, M. M. A Test-Bed for the Correlation Center of Digital Services. Proceedings of IEEE SouthEastcon '02, April 2002.
[15] Shibboleth home page. http://shibboleth.internet2.edu/, January 2003.
[16] Single Sign-On Reduces Headaches, Costs at PTO. http://www.gcn.com/21_23/news/19597-1.html.
[17] Web Security Solutions: Central Authentication for Locally Developed Applications. http://www.educause.edu/ir/library/html/cem993c.html.
[18] Yale ITS Central Authentication Service. http://www.yale.edu/tp/auth/cas10.html.