1 / 13

Internet2 WebISO Project

Internet2 WebISO Project. RL "Bob" Morgan, University of Washington. Topics. How it came to be Project status WebISO defined Project goals Architecture/Interface. How it came to be. Shibboleth project assumption: every campus has intra-campus web authentication

ruthharrington
Download Presentation

Internet2 WebISO Project

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet2 WebISO Project RL "Bob" Morgan, University of Washington

  2. Topics How it came to be Project status WebISO defined Project goals Architecture/Interface

  3. How it came to be Shibboleth project assumption: • every campus has intra-campus web authentication • startling discovery: not true The MACE way: do something about it • brief search for likely sharable implementations • U of Washington's "pubcookie" chosen as starting point • project started to make "appropriate progress" • now looking at architectural issues

  4. WebISO project status It's live: • web: http://middleware.internet2.edu/webiso/ • email: mace-webiso@internet2.edu, 40 on list • phone calls: bi-weekly, 3:30PM ET Tuesdays • active work on refining project goals Pubcookie distribution • 10 sites with code, 1 non-UW deployment (CMU), a few pending; BSD-style license • CMU-contributed changes being incorporated • freely-available distribution posted shortly

  5. WebISO defined Organizational web-based sign-on system Typically includes: • single sign-on (only "type something" once to access multiple targets) • use of standard authentication backend (LDAP, Kerberos, NIS, NT, etc) • keep passwords away from application web servers (have them only entered into "weblogin" server) "Most reinvented technology of the '90s"

  6. WebISO components Module for application webservers • check for authentication info on request, if not found redirect browser to weblogin server • interpret authentication info, pass to web application Weblogin server • accept redirected request, prompt for userid/password (or other authn method) • return browser to target webserver, with authn info Message format for appserver <-> weblogin

  7. The pubcookie story "Just another webiso" • written in C • Apache, MS-IIS target web servers • Apache-based weblogin • Kerberos 5 backend built-in, others possible • in production since 1999 • web-based documentation • signed/encrypted messages, sent using cookies • works with almost all browsers

  8. Pubcookie planned improvements • better docs, clearer installation procedures • more authentication backends, pluggable • X.509 client cert authn, Kerberos client authn • variable-length SSO session support • per-user, per-server settings • "blinded" userids • easier/automatic key management • authn tokens in URLs (cross-DNS-domains) • robustness, quality assurance, modularity ... • many require rethinking, justification, threat model

  9. Project goals Not just pubcookie enhancement/support Work with partner projects to ensure meeting requirements: • uPortal (http://mis105.mis.udel.edu/ja-sig/uportal/) • Open Knowledge Initiative (http://mit.edu/oki) • Shibboleth Define architecture and interface to which multiple webiso implementations can conform

  10. WebISO architecture + interface Application interface • many issues similar to Shibboleth target arch • webisos typically supply plain old userid • what about authorization data? • what about privacy protection? • forced/step-up authentication • app specifying authn method (pubcookie supports both Kerberos and SecurID) • app selectively turning off SSO • session management • e.g., "single sign-off" from all apps at once

  11. Webiso design centers Webiso implementations differ in approach • support for admin apps: high security/control • support for student-run apps: simplicity, ease of install/support • assume local software on client (eg Kerb plugin) • cross-DNS-domain support required • assume underlying authn infra (Kerb, X.509) • support home-grown apps, package apps, static pages Can one package do it all?

  12. Application interface 2 The 3-tier problem (aka delegation) • seen by many app servers that need to access backend services (eg IMAP) on behalf of user • seen by all portals that act as intermediaries • many sites implement "practical" solutions • can webiso provide a standard approach? • will any solution be dependent on underlying delegation technology, eg Kerberos or X.509? • is this a WebISO project problem?

  13. Conclusion WebISO project up and running Pubcookie code available Architecture/interface issues engaged Sites still reinventing, so need is there Partner projects need support http://middleware.internet2.edu/webiso/

More Related