Implications of OpenID - Google Tech Talk
July 10, 2007 | Leave a Comment
The embedded video comes from a Google Tech Talk given by Simon Willison.
From the abstract:
Simon Willison: OpenID is an emerging standard that provides simple, decentralised authentication for the Web. OpenID follows the Unix philosophy, solving one small problem rather than attempting to tackle the many larger challenges posed by online identity. This talk will explore the implications of OpenID, and explore the best practices required to take advantage of this new technology while avoiding the potential pitfalls.
Tags: authentication, decentralized, google, google tech talks, identity, identity management, open id, openid, password, passwords, simon willison, standard, unix, willison
US Federal E-Authentication and Higher Education
March 28, 2007 | Leave a Comment
The United States federal government has been working on an E-Authentication project actively since 2003 in response to the E-Government Act of 2002. Movement has been slow, but there are many federal agencies now leveraging this infrastructure in a federated manner. For more details about the initiative, there is the publicly available Burton Group Report on the Federal E-Authentication Initiative. For an updated view see the GCN article, E-Authentication maps out its future.
Since then, there has been work to bridge both Liberty Alliance and Shibboleth-based federations with the e-Government services. Involvement also extends to the Post Secondary Electronic Standards Council (PESC), which is working with all these organizations to ensure higher education is appropriately represented. Certainly NSF Fastlane and Federal Student Aid (FAFSA) seem like the most obvious first candidates to work with higher education institutions.
With all the activity surrounding the federal government deploying these services in a federated method, institutions should definitely be getting their internal infrastructure in place to support and interoperate with one of the major federations (InCommon, eGovernment, etc).
Tags: "liberty alliance", act, authentication, burton group, e-authentication, eauth, eauthentication, egovernment, fafsa, fastlane, federal, federated, federation, financial aid, gcn, government, higher education, identity, identity management, idm, incommon, initiative, liberty, pesc, pki, shibboleth
CAS Frappr Map
January 16, 2007 | 1 Comment
CAS is by far my favorite Web ISO solution. In the past I have posted about its popularity at other institutions.
Along those lines is this cool Frappr map of CAS deployments worldwide.
Tags: authentication, cas, frappr, frappr map, google maps, identity management, maps, sso, web iso, web sso, webiso, websso, yale cas, yalecas
Shibboleth For AuthZ
June 27, 2006 | 1 Comment
I had the opportunity to spend a fair amount of time discussing Shibboleth with Vishal Goenka and Josh Horner while I was at Summit 2006 in Orlando. I wanted to know about the support for Shibboleth that was supposed to be coming in a future version of Luminis and a bit about how it will work. During this discussion it became clear to me that Shibboleth’s core ability for attribute release allows applications to get the information they need to make authorization (authZ) decisions.
Until this point I had only thought of Shibb as a solution for inter-organizational web-based single sign-on (Federated SSO or WebISO or WebSSO). I knew I could use Shibboleth internally to serve as my WebSSO, but we already have a hugely successful implementation of CAS in our environment. Additionally, I haven’t been able to point at a killer application of the federated WebSSO ability. I knew this driver would be coming, but without immediate demand I was lukewarm on Shibboleth.
However, the ability to use Shibboleth internally as a central authority for attribute release and in turn a consistent way of doing centralized AuthZ is a gigantically huge win for us. No longer will every homegrown application need to establish its own authorization layer with associated interfaces for maintaining that data. Now I have a serious driver for getting Shibboleth in our environment as soon as possible.
So that’s the lead-in to why Ted Wisniewski, Ken Kochien, and I are attending CAMP Shibboleth: Enabling Campus and Federated Single Sign-On.
Tags: authentication, authorization, camp_062, federated, federation, josh horner, shibb, shibboleth, single sign on, sso, summit, vishal goenka, webiso, websso
Password-less SSH Login
May 8, 2006 | 14 Comments
On occasion I have the need to establish trust relationships between Unix boxes so that I can script file transfers. In short, here’s how you leverage SSH to do that. Using the example of connecting from server ‘ender’ to get a file on ‘bean’, follow these steps:
- Connect to ender
- type: ssh-keygen -t rsa (the default directory for the key files will be ~/.ssh/)
- if you do not want to be prompted, leave the passphrase blank
- copy the contents of .ssh/id_rsa.pub (there should only be one line)
- place this line on bean, in ~/.ssh/authorized_keys
- that’s it, you should now be able to ssh/sftp/scp from ender to bean without being prompted for a password!
For further detail and a more complete example check this site out.
Update: You must have "RSAAuthentication yes" in your /etc/ssh/sshd_config file. On many Linux installations this setting is commented out in a default install.
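A passphrase-less key installed as above grants ender a full interactive shell on bean. The following added example (not from the original post) audits an authorized_keys file for entries that carry no from=/command= restrictions and builds a restricted entry for a scripted-transfer key; the host name ender.example.edu, the forced command /usr/local/bin/fetch-report and the key material are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits authorized_keys
# entries for missing from=/command= restrictions (OpenSSH key options) and
# builds a restricted entry for the scripted ender -> bean transfer case.

# Print "<restricted|open> <key comment>" for every key in the file $1.
# An entry counts as restricted when it carries both a from= and a command=
# option. The comment is the last whitespace-separated field of the line
# (for a key without a comment this prints the key blob instead).
audit_authorized_keys() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;            # skip blank lines and comments
    esac
    comment=${line##* }
    case $line in
      *from=*command=*|*command=*from=*) printf 'restricted %s\n' "$comment" ;;
      *) printf 'open %s\n' "$comment" ;;
    esac
  done < "$1"
}

# Number of unrestricted entries in file $1; useful as a gate in a deploy script.
count_open_keys() {
  audit_authorized_keys "$1" | awk '$1 == "open" { n++ } END { print n + 0 }'
}

# Build an entry that lets public key $3 (the single line from ender's
# ~/.ssh/id_rsa.pub) run only command $2 when connecting from host pattern $1,
# with no pty, port forwarding, agent forwarding or X11 forwarding.
restricted_entry() {
  printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$1" "$2" "$3"
}

# Constructed sample data: the key blobs are fake, not real public keys.
write_sample_keys() {
  cat > "$1" <<'EOF'
# constructed sample authorized_keys; key material is fake
ssh-rsa AAAAB3NzaC1yc2EAAAAFAKEKEY0001== ender-backup-unrestricted
from="ender.example.edu",command="/usr/local/bin/fetch-report",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAFAKEKEY0002== ender-fetch
EOF
}

# Demo on the constructed data.
demo=$(mktemp)
write_sample_keys "$demo"
audit_authorized_keys "$demo"
rm -f "$demo"
```

Run it against a real ~/.ssh/authorized_keys on bean to see which keys still have shell access; sshd also silently ignores the file when ~/.ssh or authorized_keys is group- or world-writable, so check those modes if a key is unexpectedly rejected.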
Tags: authentication, keygen, linux, pass phrase, password, scp, sftp, solaris, ssh, system administration, unix
Web Initial Sign-on (WebISO)
March 8, 2006 | 6 Comments
Web initial sign-on or WebISO is a term defined by Internet2 as a system designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password-based central authentication service.
They created the definition, but that doesn’t mean I need to like it… I’d like to propose an alternate working definition:
A single point for web based authentication which provides SSO across multiple systems and services.
I think that could be word-smithed further to really get it nice and concise. Please comment any recommendations you have on this.
What excites me about WebISO solutions is their fantastic ability to deep link systems and services. Users can bookmark or share URLs, and when someone accesses these systems and services they will be required to provide credentials and then be directed through to what they need. This also sets up applications in a loosely coupled structure ideal for changing individual services without affecting others.
The drawback of this approach (when compared against a monolithic portal application) is how there is generally not a single welcome screen presented to users after authenticating. This loss of a “funnel” approach can cause weaknesses in communication and a perceived loss of control in your user population. Another potential area for weakness is providing a directory of services and ways for users to find what they need initially.
For those not familiar, a couple of examples of real-life WebISO tools would be: CAS (now JA-SIG as opposed to Yale), Pubcookie, WebAuth (from Duke), Shibboleth, and more.
Tags: "central authentication service", "web initial sign-on", authentication, cas, definition, duke, federation, identity, identity management, single sign on, sso, webauth, webiso, yale, yale cas
NERCOMP: Identity Management SIG
September 27, 2005 | 38 Comments
Yesterday we attended the NERCOMP Identity Management Workshop at the College of the Holy Cross.
Steve Carmody of Brown University explained an ideal infrastructure including a reminder for me to review “Identifiers, Authentication, and Directories: Best Practices for Higher Education” by Internet2. Carmody had a lot of great things to say, giving a solid overall update of how Internet2 and MACE are coming along with Shibboleth, Grouper, Signet, and various other initiatives. He also pointed me at Sun’s XACML Implementation which is very interesting.
Christopher Misra of UMass Amherst and Robert Banz of UMBC both presented on their current IdM initiatives. They both seem to have established IdM infrastructures which need one enhancement or another.
In the final time slot was a general group discussion. I took this opportunity to ask how schools are establishing and maintaining credentials remotely. No one had an answer that was ideal; I suggested our current proposal and no one seemed to have any criticisms. One person suggested that maybe we don’t need to have as secure a system as we’re proposing to merely secure someone’s email. My reply to this was that in a federated world with connections to the federal PKI bridge, InCommon services, and more, we are securing far more than email. It is our responsibility to have as high a level of assurance as possible.
Tags: authentication, authorization, credentials, grouper, higher education, identity, identity management, internet2, MACE, NERCOMP, password, passwords, shib, shibboleth, signet, xacml