Internet2/WebISO & Pubcookie
“Efforts in Web Authentication”
TERENA TF-AACE workshop
November 26, 2002
Stockholm, Sweden
Nathan Dors, University of Washington
dors@washington.edu

Topics
• What is WebISO?
• WebISO Working Group
• WebISO and Target Application Interfaces
• Pubcookie: History, Model, and Status

What is WebISO? A Working Definition
• “WebISO systems are designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password central authentication service.”

What is WebISO?
WebISO = “Web Initial Sign-On”
• handy terminology
• a common IT problem
• with many existing solutions
• scope is authentication only (usually)
• scope is intra-institution (usually)
• WebISO is not a standard, nor an API

WebISO Use Scenarios
• User visits local web portal, uses the local WebISO solution for sign-on
• User visits multiple apps, on multiple servers, uses the local WebISO for “single sign-on”
• User visits web-based email service, uses WebISO for 3-tier authn to backend IMAP server
• User visits multiple apps, uses WebISO to authenticate with different levels of assurance

WebISO Service Model & Components
• Weblogin service
• Verification service
• Web Application Agent
• Web Application
• Web browser

Example WebISO Solutions
• Pubcookie
• CAS (Yale)
• WebAuth (Duke)
• A-Select
• Etc…

Internet2/MACE WebISO Working Group
• Email discussion list
• Conference calls (~2 per month)
• Working group meetings
• Internet2 Middleware Architecture Committee for Education provides oversight
• http://middleware.internet2.edu/webiso

WebISO WG: Initial Focus
• Share experience
• Work towards a common solution
  • ensure compatibility with related projects (OKI, uPortal, Shibboleth)
  • selected “Pubcookie” for modification

Refined Focus
• Share experience
• Ensure compatibility
• Create intellectual capital
• Recommend best WebISO practices
  • system design
  • architectures
  • interfaces

Current Draft Documents
• “WebISO: Service Model and Component Capabilities”
  • RL “Bob” Morgan, Univ of Washington
• “Trusted Delegation of Privileges in an N-Tier Environment”
  • Chad La Joie, Virginia Tech University

Current Activity
• Problem: How best to support vendor application integration with WebISO?
  • reduce resistance, reduce costs
• Activities:
  • surveying interfaces to target applications in existing WebISO packages
  • investigating existing target application APIs (e.g. OKI Authn Specification, WebCT)
  • deliverables are undefined; recommendations

Web Application Agent Models
• Model 1: Server Module
• Model 2: Run-time library
[Diagram: for each model, a web server, the WebISO/WAA, and a webapp]

Other Issues
• Location-based authentication (kiosks)
• 3-tier, delegated authn
• Multiple authentication types
• Privacy
• Logout
• “Cancel” or “no prompt” options
• User interface
• Non-human user agents

WebISO Futures…
• Longevity of existing WebISO packages?
• Convergence toward SAML formats?
• Shibboleth influences?
  • Is it a viable local WebISO solution?
  • Will WebISO packages add Shib HS capability?

Next topic: Pubcookie
“A sufficiently featureful,
• deployable,
• open-source
• WebISO package…”

Pubcookie History
• 1999 - developed and deployed at the University of Washington
• Jun 2001 - selected by Internet2/WebISO for initial activity towards general availability
• May 2002 - face-to-face mtg in Seattle with designers and developers
  • current committers from Carnegie Mellon, Univ of Washington, Univ, Univ of Wisconsin
  • still licensed by Univ of Washington
• Oct 2002 - P3.0 included in NSF National Middleware Initiative Release 2

Pubcookie 3.0 Components
• Login server software
  • Verify against Kerberos 5, LDAP, /etc/shadow
  • Single Sign-On
  • Kiosk mode
  • Template-based HTML interface
• Application server software
  • Apache 1.3 module
  • Microsoft ISAPI Filter for IIS 4.x, 5.x
  • delivers identity via environment (e.g. REMOTE_USER)
• Key management utilities
• All written in C

Pubcookie Challenges
• Deployment
  • 3.x much easier than 1.x; autoconf for Unix
  • key management tools require light use of PKI
• Open source development
  • Maintenance vs new features
  • Release management
  • Quality assurance
  • Contribution policy
  • Motivation
  • Support

Pubcookie 3.0.0 Release
• Version 3.0.0-beta3
  • released Oct 25, 2002
  • could have been RC1…
  • but probably fortunate that it wasn’t
• Current Status
  • awaiting fix to mod_pubcookie for Apache
  • login server is ready (as ready as any x.0.0 release)
  • ISAPI Filter for IIS is ready
  • documentation is improving with each release
  • need to develop FAQ, guidelines for self-signed certs

Pubcookie Roadmap
• Release Pubcookie 3.0.0 (Dec 2002?)
• Review feature requests
  • improve HTML templating
  • “global” logout
  • support authn across DNS domains
  • general 3-tier & location-based authn solutions
  • support Apache 2.0
• Reflect on design
  • SAML offers standard assertion format; POST profile
• Rally together, set directions for 2003…