Page History

...

Provide a single sign-on service for use by MIT web applications requiring authentication
Provide a solution for authenticating to web applications from "kiosk machines" and other clients where X.509 certificates cannot be used.
Must work with all popular web browsers, and require no additional software to be installed on the user's client machine
Must initially support the existing authentication infrastructure (X.509 certificates), as well as username and password over TLS.
Central servers will be operated and maintained by NIST
Must provide a clear and intuitive interface to the end user, which does not detract from the experience of using the protected web application
Must be easily integrated into existing application web servers. Procedure must be at least as easy as the current certificate mechanism and even easier if possible.
Must be well documented
Must be extensible to support new authentication mechanisms as standards evolve and MIT's needs evolve.
Must support integration with authorization systems
Must provide detailed logging/audit trail for diagnosis of problems.
Must support integration with emerging inter-institutional authentication systems
Should optionally support credential delegation
Ensure 24/7 availability of the service; scalability
Must support web server pools
Central servers must require minimal effort to maintain
Must offer flexible configuration options

Operations Requirements

Must be stable
Must be secure
Maximum FTE required to operate must be less than (TBD) unless new staff is funded
Must be scalable
Must include suffcient diagnostic information for operations to determine cause of problem quickly and easily under adverse circumstances
Should be easy to reinstantiate
Source code should be readily accessible and buildable so that "emergency" patches can be applied.

In choosing a base package for web authentication, ISDA was most interested in evaluating packages based on the following criteria:

...