Versions Compared

Old Version 2

changes.mady.by.user Paul B Hill

Saved on

compared with

New Version Current

changes.mady.by.user Paul B Hill

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Corrected links that should have been relative instead of absolute.

...

  • Provide a single sign-on service for use by MIT web applications requiring authentication
  • Provide a solution for authenticating to web applications from "kiosk machines" and other clients where X.509 certificates cannot be used.
  • Must work with all popular web browsers, and require no additional software to be installed on the user's client machine
  • Must initially support the existing authentication infrastructure (X.509 certificates), as well as username and password over TLS.
  • Central servers will be operated and maintained by NIST
  • Must provide a clear and intuitive interface to the end user, which does not detract from the experience of using the protected web applicationMust work with all popular web browsers, and require no additional software to be installed on the user's client machine
  • Must be easily integrated into existing application web servers. Procedure must be at least as easy as the current certificate mechanism and even easier if possible.
  • Must offer flexible configuration optionsMust be well documentedMust support web server pools
  • Must initially support the existing authentication infrastructure (i.e. Kerberos and X.509 certificates), and be extensible to support new authentication mechanisms as needed.Must support credential delegationstandards evolve and MIT's needs evolve.
  • Must support integration with eventual authorization systemMust support integration with eventual inter-institutional authentication systemauthorization systems
  • Must provide detailed logging/audit trail for diagnosis of problems.
  • Must support integration with emerging inter-institutional authentication systems
  • Should optionally support credential delegation
  • Ensure 24/7 availability of the service; scalability
  • Central servers provided and maintained by NISTMust support web server pools
  • Central servers must require minimal effort to maintain
  • Must offer flexible configuration options

Operations Requirements

  • Must be stable
  • Must be secure
  • Maximum FTE required to operate must be less than (TBD) unless new staff is funded
  • Must be scalable
  • Must include suffcient diagnostic information for operations to determine cause of problem quickly and easily under adverse circumstances
  • Should be easy to reinstantiate
  • Source code should be readily accessible and buildable so that "emergency" patches can be applied.

Evolving issues

WebSSO and OpenID

Technology Requirements

In choosing a base package for web authentication, ISDA was most interested in evaluating packages based on the following criteria:

...

    • Linux platform (preferred)
    • Apache 2.0.46+
    • OpenSSL 0.9.7+
    • cURL 7.10.2+
    • Kerberos v5
    • Perl 5.6.1+
    • Perl modules:
  • *- *-- HTML::Template
    • *-- FCGI
      • Crypt:SSLeay
    • mod_fastcgi (optional)
  • WebAuth has the following requirements for participating Application web servers (for initial version):
    • Linux or Solaris operating system
    • Apache 2.0.43+ or Apache 1.3+ (with SSL and DSO support)
    • OpenSSL v0.9.7+
    • Kerberos v5 (for authenticated communication with central server)
    • cURL 7.10.2+
    • OpenLDAP (for eventual optional LDAP support)
    • Cyrus SASL (for eventual optional LDAP support)

...