
Nathan Dors, University of Washington dors@washington

Internet2/WebISO & Pubcookie “Efforts in Web Authentication”, TERENA TF-AACE workshop, November 26, 2002, Stockholm, Sweden. Nathan Dors, University of Washington, dors@washington.edu. Topics: What is WebISO?; WebISO Working Group; WebISO and Target Application Interfaces.


Presentation Transcript


  1. Internet2/WebISO & Pubcookie “Efforts in Web Authentication”, TERENA TF-AACE workshop, November 26, 2002, Stockholm, Sweden. Nathan Dors, University of Washington, dors@washington.edu

  2. Topics • What is WebISO? • WebISO Working Group • WebISO and Target Application Interfaces • Pubcookie: History, Model, and Status

  3. What is WebISO? A Working Definition • “WebISO systems are designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password central authentication service.”

  4. What is WebISO? WebISO = “Web Initial Sign-On” • handy terminology • a common IT problem • with many existing solutions • scope is authentication only (usually) • scope is intra-institution (usually) • WebISO is not a standard, nor an API

  5. WebISO Use Scenarios • User visits local web portal, uses the local WebISO solution for sign-on • User visits multiple apps, on multiple servers, uses the local WebISO for “single sign-on” • User visits web-based email service, uses WebISO for 3-tier authn to backend IMAP server • User visits multiple apps, uses WebISO to authenticate with different levels of assurance

  6. WebISO Service Model & Components • Weblogin service • Verification service • Web Application Agent • Web Application • Web browser

  7. Example WebISO Solutions • Pubcookie • CAS (Yale) • WebAuth (Duke) • A-Select • Etc…

  8. Internet2/MACE WebISO Working Group • Email discussion list • Conference calls (~2 per month) • Working group meetings • Internet2 Middleware Architecture Committee for Education provides oversight • http://middleware.internet2.edu/webiso

  9. WebISO WG: Initial Focus • Share experience • Work towards a common solution • ensure compatibility with related projects (OKI, uPortal, Shibboleth) • selected “Pubcookie” for modification

  10. Refined Focus • Share experience • Ensure compatibility • Create intellectual capital • Recommend best WebISO practices • system design • architectures • interfaces

  11. Current Draft Documents • “WebISO: Service Model and Component Capabilities” • RL “Bob” Morgan, Univ of Washington • “Trusted Delegation of Privileges in an N-Tier Environment” • Chad La Joie, Virginia Tech University

  12. Current Activity • Problem: How best to support vendor application integration with WebISO? • reduce resistance, reduce costs • Activities: • surveying interfaces to target applications in existing WebISO packages • investigating existing target application APIs (e.g. OKI Authn Specification, WebCT) • deliverables are undefined; recommendations

  13. Web Application Agent Models • Model 1: Server Module • Model 2: Run-time library • (Diagram; component labels: Web server, WebISO/WAA, Webapp)

  14. Other Issues • Location-based authentication (kiosks) • 3-tier, delegated authn • Multiple authentication types • Privacy • Logout • “Cancel” or “no prompt” options • User interface • Non-human user agents

  15. WebISO Futures… • Longevity of existing WebISO packages? • Convergence toward SAML formats? • Shibboleth influences? • Is it a viable local WebISO solution? • Will WebISO packages add Shib HS capability?

  16. Next topic: Pubcookie • “A sufficiently featureful, • deployable, • open-source • WebISO package…”

  17. Pubcookie History • 1999 - developed and deployed at the University of Washington • Jun 2001 - selected by Internet2/WebISO for initial activity towards general availability • May 2002 - face-to-face mtg in Seattle with designers and developers • current committers from Carnegie Mellon, Univ of Washington, Univ, Univ of Wisconsin • still licensed by Univ of Washington • Oct 2002 - P3.0 included in NSF National Middleware Initiative Release 2

  18. Pubcookie 3.0 Components • Login server software • Verify against Kerberos 5, LDAP, /etc/shadow • Single Sign-On • Kiosk mode • Template-based HTML interface • Application server software • Apache 1.3 module • Microsoft ISAPI Filter for IIS 4.x, 5.x • delivers identity via environment (e.g. REMOTE_USER) • Key management utilities • All written in C

  19. Pubcookie Challenges • Deployment • 3.x much easier than 1.x; autoconf for Unix • key management tools require lite use of PKI • Open source development • Maintenance vs new features • Release management • Quality assurance • Contribution policy • Motivation • Support

  20. Pubcookie 3.0.0 Release • Version 3.0.0-beta3 • released Oct 25, 2002 • could have been RC1… • but probably fortunate that it wasn’t • Current Status • awaiting fix to mod_pubcookie for Apache • login server is ready (as ready as any x.0.0 release) • ISAPI Filter for IIS is ready • documentation is improving with each release • need to develop FAQ, guidelines for self-signed certs

  21. Pubcookie Roadmap • Release Pubcookie 3.0.0 (Dec 2002?) • Review feature requests • improve HTML templating • “global” logout • support authn across DNS domains • general 3-tier & location-based authn solutions • support Apache 2.0 • Reflect on design • SAML offers standard assertion format; POST profile • Rally together, set directions for 2003…
