Presentation is loading. Please wait.

Presentation is loading. Please wait.

January 9, 2002 Internet2 WebISO Project RL "Bob" Morgan, University of Washington.

Published byElmer Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "January 9, 2002 Internet2 WebISO Project RL "Bob" Morgan, University of Washington."— Presentation transcript:

1 January 9, 2002 Internet2 WebISO Project RL "Bob" Morgan, University of Washington

2 Topics How it came to be Project status WebISO defined Project goals Architecture/Interface

3 How it came to be Shibboleth project assumption: •every campus has intra-campus web authentication •startling discovery: not true The MACE way: do something about it •brief search for likely sharable implementations •U of Washington's "pubcookie" chosen as starting point •project started to make "appropriate progress" •now looking at architectural issues, other implementations

4 WebISO project status It's live: •web: http://middleware.internet2.edu/webiso/ •email: mace-webiso@internet2.edu, 40+ on list •active work on refining project goals, gathering requirements, describing architecture Pubcookie package •code freely available, 1 non-UW deployment (CMU), several pending; BSD-style license •CMU, Hawaii contributions incorporated •support from Mellon Foundation for further UW work

5 WebISO defined Organizational web-based sign-on system Typically includes: •single sign-on (only "type something" once to access multiple target web sites) •use of standard authentication backend (LDAP, Kerberos, NIS, NT, etc) •keep passwords away from application web servers (only sent to "weblogin" server) "Most reinvented technology of the 1990s"

6 WebISO components Module for application webservers •check for authentication info on request, if not found redirect browser to weblogin server •interpret authentication info, pass to web application Weblogin server •accept redirected request, prompt for userid/password (or other authn method) •return browser to target webserver, with authn info Message format for appserver weblogin

7 The pubcookie story "Just another webiso" •written in C •Apache, MS-IIS target web servers •Apache-based weblogin •Kerberos 5 backend built-in, others possible •in production since 1999 •web-based documentation •signed/encrypted messages, sent using cookies •works with almost all browsers

8 Pubcookie planned improvements •better docs, clearer installation procedures •more authentication backends, pluggable •X.509 client cert authn, Kerberos client authn •variable-length SSO session support •per-user, per-server settings •"blinded" userids •easier/automatic key management •authn tokens in URLs (cross-DNS-domains) •robustness, quality assurance, modularity... •many require rethinking, justification, threat model

9 Project goals Not just pubcookie enhancement/support •e.g., Yale contributed their CAS implementation Work with partner projects to ensure meeting requirements: •uPortal (http://mis105.mis.udel.edu/ja-sig/uportal/) •Open Knowledge Initiative (http://mit.edu/oki) •Shibboleth Define architecture and interface to which many webiso implementations can conform

10 WebISO architecture + interface Application interface •many issues similar to Shibboleth target arch •webisos typically supply plain old userid to targets –what about authorization data? –what about privacy protection? •forced/step-up authentication –app specifying authn method (pubcookie supports both Kerberos and SecurID) –app selectively turning off SSO •session management –e.g., "single sign-off" from all apps at once

11 Webiso design centers Webiso implementations differ in approach •support for admin apps: high security/control •support for student-run apps: simplicity, ease of install/support •assume local software on client (eg Kerb plugin) •cross-DNS-domain support required •assume underlying authn infra (Kerb, X.509) •support home-grown apps, package apps, static pages, portals, backend services, etc Can one package do it all?

12 Application interface 2 The 3-tier problem (aka delegation) •seen by many app servers that need to access backend services (eg IMAP) on behalf of user •seen by all portals that act as intermediaries •many sites implement "practical" solutions •can webiso provide a standard approach? •will any solution be dependent on underlying delegation technology, eg Kerberos or X.509? •is this a WebISO project problem?

13 Conclusion WebISO project up and running Pubcookie code available Architecture/interface issues engaged Sites still reinventing, so need is there Partner projects need support http://middleware.internet2.edu/webiso/

Download ppt "January 9, 2002 Internet2 WebISO Project RL "Bob" Morgan, University of Washington."

Similar presentations

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Reinventing Email using REST. Anything addressable by a URI is called a resource GET, PUT, POST, DELETE WebDAV (MOVE, LOCK)

Reinventing using REST. Anything addressable by a URI is called a resource GET, PUT, POST, DELETE WebDAV (MOVE, LOCK)
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Multi-Organizational Authorization Services RL “Bob” Morgan, University of Washington Internet2/Educause Advanced CAMP Boulder, Colorado July 2003.

Multi-Organizational Authorization Services RL “Bob” Morgan, University of Washington Internet2/Educause Advanced CAMP Boulder, Colorado July 2003.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.

UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
OmStore Cloud API Harshit Agarwal Sohil Habib. About Us ●We are graduate students at CMU ●Currently at CMU Silicon Valley campus ●Working part time with.

OmStore Cloud API Harshit Agarwal Sohil Habib. About Us ●We are graduate students at CMU ●Currently at CMU Silicon Valley campus ●Working part time with.
System Architecture University of Maryland David Henry Office of Information Technology December 6, 2002.

System Architecture University of Maryland David Henry Office of Information Technology December 6, 2002.
Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.

Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.
Authentication via campus single sign-on 2012 VIVO Implementation Fest.

Authentication via campus single sign-on 2012 VIVO Implementation Fest.
WebISO Survey of Technologies & Requirements Nathan Dors University of Washington CAMP, June 4-6, 2003 Copyright 2003 Nathan Dors. This work is the intellectual.

WebISO Survey of Technologies & Requirements Nathan Dors University of Washington CAMP, June 4-6, 2003 Copyright 2003 Nathan Dors. This work is the intellectual.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Similar presentations

Ads by Google