afd925b01d092bd2609428bcb8516559.ppt
- Number of slides: 21
Internet2/WebISO & Pubcookie “Efforts in Web Authentication” TERENA TF-AACE workshop November 26, 2002 Stockholm, Sweden Nathan Dors, University of Washington dors@washington.edu
Topics • What is WebISO? • WebISO Working Group • WebISO and Target Application Interfaces • Pubcookie: History, Model, and Status
What is WebISO? A Working Definition “WebISO systems are designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password central authentication service.”
What is WebISO? WebISO = “Web Initial Sign-On” • handy terminology • a common IT problem • with many existing solutions • scope is authentication only (usually) • scope is intra-institution (usually) • WebISO is not a standard, nor an API
WebISO Use Scenarios • User visits local web portal, uses the local WebISO solution for sign-on • User visits multiple apps, on multiple servers, uses the local WebISO for “single sign-on” • User visits web-based email service, uses WebISO for 3-tier authn to backend IMAP server • User visits multiple apps, uses WebISO to authenticate with different levels of assurance
WebISO Service Model & Components • Weblogin service • Verification service • Web Application Agent • Web Application • Web browser
Example WebISO Solutions • Pubcookie • CAS (Yale) • WebAuth (Duke) • A-Select • Etc…
Internet2/MACE WebISO Working Group • Email discussion list • Conference calls (~2 per month) • Working group meetings • Internet2 Middleware Architecture Committee for Education provides oversight • http://middleware.internet2.edu/webiso
WebISO WG: Initial Focus • Share experience • Work towards a common solution • ensure compatibility with related projects (OKI, uPortal, Shibboleth) • selected “Pubcookie” for modification
Refined Focus • Share experience • Ensure compatibility • Create intellectual capital • Recommend best WebISO practices • system design • architectures • interfaces
Current Draft Documents • “WebISO: Service Model and Component Capabilities” RL “Bob” Morgan, Univ of Washington • “Trusted Delegation of Privileges in an N-Tier Environment” Chad La Joie, Virginia Tech University
Current Activity • Problem: How best to support vendor application integration with WebISO? • reduce resistance, reduce costs • Activities: • surveying interfaces to target applications in existing WebISO packages • investigating existing target application APIs (e.g. OKI Authn Specification, WebCT) • deliverables are undefined; recommendations
Web Application Agent Models • Model 1: Server Module: Web server, WebISO/WAA • Model 2: Run-time library: Web server, Webapp, WebISO/WAA
Other Issues • Location-based authentication (kiosks) • 3-tier, delegated authn • Multiple authentication types • Privacy • Logout • “Cancel” or “no prompt” options • User interface • Non-human user agents
WebISO Futures… • Longevity of existing WebISO packages? • Convergence toward SAML formats? • Shibboleth influences? • Is it a viable local WebISO solution? • Will WebISO packages add Shib HS capability?
Next topic: Pubcookie “A sufficiently featureful, deployable, open-source WebISO package…”
Pubcookie History • 1999 - developed and deployed at the University of Washington • Jun 2001 - selected by Internet2/WebISO for initial activity towards general availability • May 2002 - face-to-face mtg in Seattle with designers and developers • current committers from Carnegie Mellon, Univ of Washington, Univ of Wisconsin • still licensed by Univ of Washington • Oct 2002 - P3.0 included in NSF National Middleware Initiative Release 2
Pubcookie 3.0 Components • Login server software • Verify against Kerberos 5, LDAP, /etc/shadow • Single Sign-On • Kiosk mode • Template-based HTML interface • Application server software • Apache 1.3 module • Microsoft ISAPI Filter for IIS 4.x, 5.x • delivers identity via environment (e.g. REMOTE_USER) • Key management utilities • All written in C
Pubcookie Challenges • Deployment • 3.x much easier than 1.x; autoconf for Unix • key management tools require light use of PKI • Open source development • Maintenance vs new features • Release management • Quality assurance • Contribution policy • Motivation • Support
Pubcookie 3.0.0 Release • Version 3.0.0-beta3 • released Oct 25, 2002 • could have been RC1… • but probably fortunate that it wasn’t • Current Status • awaiting fix to mod_pubcookie for Apache • login server is ready (as ready as any x.0.0 release) • ISAPI Filter for IIS is ready • documentation is improving with each release • need to develop FAQ, guidelines for self-signed certs
Pubcookie Roadmap • Release Pubcookie 3.0.0 (Dec 2002?) • Review feature requests • improve HTML templating • “global” logout • support authn across DNS domains • general 3-tier & location-based authn solutions • support Apache 2.0 • Reflect on design • SAML offers standard assertion format; POST profile • Rally together, set directions for 2003…