Wiki Markup |
---|
{html}
<!-- For help with customizing IS&T Web page templates see http://web.mit.edu.ezproxyberklee.flo.org/ist/admin/styleguide/ or contact istweb@mit.edu" -->
<head>
<!-- Change text within title tags below to the title of your page -->
<title>IS&T: What is MIT Touchstone?</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- Page Last Modified: 10/20/2008 -->
<!-- Insert "author" "keywords" and "description" meta tags here -->
<!-- For help with meta tags see http://web.mit.edu.ezproxyberklee.flo.org/ist/web/reference/create/metatags.html -->
<meta name="author" content="MIT Touchstone">
<meta name="keywords" content="MIT Touchstone, Touchstone, Shibboleth, web authentication, authentication, developer support">
<meta name="description" content="IS&T: What is MIT Touchstone">
<!-- Please do not modify links to stylesheet or JavaScript -->
<!-- For help with style sheets see http://web.mit.edu.ezproxyberklee.flo.org/ist/admin/styleguide/stylesheets.html -->
<link rel="stylesheet" href="http://web.mit.edu.ezproxyberklee.flo.org/ist/styles/isstyles.css" type="text/css">
<script language="JavaScript" type="text/javascript" src="http://web.mit.edu.ezproxyberklee.flo.org/ist/scripts/rollover.js"></script>
<style type="text/css">
<!--
.style2 {color: #FF0000}
-->
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" marginwidth="0" marginheight="0" link="#006699" vlink="#666666" alink="#000000">
<table width="98%" border="0" cellspacing="0" cellpadding="0">
<tr>
<!-- Main page content -->
<td align="left" valign="top"> <table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="115%"> <a id="startcontent" name="startcontent"></a><a name="top"></a><br>
<h1>What is MIT Touchstone?</h1>
<ul>
<li><a name="heading8.1" id="heading8.1"></a><strong>What is MIT Touchstone?</strong>
<p>
MIT Touchstone is a new suite of technologies, introduced by IS&T, for authenticating users of web applications.
It is focused on web applications and is not suitable for authenticating native desktop applications.
</p>
</li>
<li><a name="heading8.2" id="heading8.2"></a><strong>Do I need MIT Touchstone?</strong>
<p>
MIT Touchstone and Shibboleth are of interest if you're supporting a web application on an Apache, Microsoft IIS, or Netscape/iPlanet/Sun web
server that needs to authenticate its users, especially if the population is drawn not only from the faculty, staff, or students of
MIT but also from other educational institutions in the InCommon federation and from other users who do not already
have an MIT Kerberos account. MIT Touchstone will enable users to log in with their MIT Kerberos account
or another account, while relieving your application of the need to validate or manage passwords. Various kinds of attribute
information about users can also be provided to your application for personalization or, in some limited cases, authorization.
</p>
</li>
<li><a name="heading8.3" id="heading8.3"></a><strong>Is MIT Touchstone a single sign-on solution?</strong>
<p>
MIT Touchstone does provide a single sign-on solution for applications that have been coded and configured to
use the system. Within the context of Touchstone enabled applications, users will be able to seamlessly transition
between systems without being prompted for additional authentication information.
</p>
</li>
<li><a name="heading8.4" id="heading8.4"></a><strong>Why has IS&T introduced Touchstone?</strong>
<p>
MIT Touchstone introduces some new functionality into the MIT environment. It allows MIT people to use
a wider variety of authentication mechanisms, under a variety of conditions, when accessing a number of
MIT web applications. As we move forward it will also enable MIT users to access some web applications at
other sites without establishing a new account with the other site. In addition to supporting MIT X.509
certificates, people may also use Kerberos, or a username and password over TLS. Web developers at MIT will
be able to use federated authentication, so that they can easily determine whether an MIT user, or a user from
another authentication authority, has authenticated.
</p>
</li>
<li><a name="heading8.5" id="heading8.5"></a><strong>How will MIT Touchstone improve the user experience?</strong>
<p>
MIT users will be able to use a variety of mechanisms to authenticate to Touchstone enabled web applications. This
means that if a user is borrowing a computer or sharing a computer with others, they may choose to use a password
instead of installing a certificate. On the other hand, users of the WIN.MIT.EDU or Athena environments may choose
to configure their profiles so that native Kerberos is used. This means that the system will automatically
authenticate the user to web applications when needed by using the Kerberos ticket obtained when first logging into
the workstation. Of course, certificates are still supported so users can continue to use their current procedures.
</p>
</li>
<li><a name="heading8.6" id="heading8.6"></a><strong>Why should a department, lab, or center integrate their web application into Touchstone?</strong><br>
<p>
By adopting one technology, the web server essentially outsources the authentication task and lets its users
authenticate with a much wider variety of mechanisms, including passwords, X.509 certificates, Kerberos,
and OpenID. At the same time the web server avoids the typical risks and concerns associated with consuming passwords,
and it needs no code of its own to deal with certificates, Kerberos, or OpenID.
</p>
<p>
Another benefit is that the web application will no longer have to deal with local accounts or special accounts for external
users and collaborators. Instead the management of that community can be outsourced to Touchstone's external account management
system. By doing so, the users are provided with self-service password resets, and the ability to use OpenID if they don't want
to use passwords. This means that web applications will have the same interfaces and code paths for all authenticated users.
</p>
<p>
DLCs (departments, labs, and centers) should also be aware that Touchstone supports federated authentication. This means that as Touchstone establishes relationships
with other identity providers, the web applications will be able to interact with an even wider audience if desired. Touchstone
has already established a relationship with ProtectNetwork.org and is expected to join the InCommon federation in the near future.
</p>
</li>
<li><a name="heading8.7" id="heading8.7"></a><strong>What technologies does Touchstone use?</strong>
<p>
MIT Touchstone is actually a suite of technologies, including Stanford's WebAuth, Internet2's Shibboleth, SAML (the Security
Assertion Markup Language), and a new account management system for some users outside of the traditional MIT community. The system
uses HTTP redirection extensively, along with other standard web technologies such as SSL.
</p>
<p>
The primary login server uses Stanford's WebAuth package for initial authentication. The login server
will initially support three authentication mechanisms -- MIT X.509 certificates, Kerberos (via the HTTP/SPNEGO
protocol), and MIT usernames and passwords over TLS. The WebAuth server is bound to a Shibboleth Identity Provider
(IdP). The IdP is then treated as a trusted third party by the web application servers; it makes signed assertions
to these application servers, communicating information about the authenticated users to each web server. From an
architectural perspective, this is very similar to the model used by Kerberized applications on campus today, although
different protocols are used.
Each web application server that wishes to use Touchstone will also have to run the Shibboleth Service Provider (SP) component.
This required software is available for Apache and IIS web servers; in the future we may also support web servers
that use Tomcat without Apache, but that option will not be available initially.
</p>
<p>
In conjunction with Touchstone, IS&T is creating a new accounts management system intended to support users who are
not part of the core MIT community, and thus would not have MIT Kerberos accounts. Accounts managed by this system
will identify the user by their external email address. This system will also provide a login server that will accept
passwords; additionally, OpenID will be supported as an authentication mechanism. This system will also serve as a Shibboleth
Identity Provider (IdP) within the Touchstone environment.
</p>
</li>
<li><a name="heading8.8" id="heading8.8"></a><strong>What applications support MIT Touchstone?</strong><br>
<p>
A list of applications that support MIT Touchstone can be found <a href="http://mit.edu.ezproxyberklee.flo.org/touchstone/www/applications.html">here</a>.
</p>
</li>
</ul>
<p align="right"><small>[<a href="#top">Back to top</a>]</small></p>
<hr size="1" noshade>
</td>
</tr>
<tr>
<td> </td>
</tr>
</table>
</td>
</tr>
</table>
</body>
{html} |
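The "What technologies does Touchstone use?" section describes the IdP as a trusted third party that makes signed assertions to each web application server. The following added example (not MIT's or Shibboleth's code) shows the checks an SP carries out before it believes such an assertion: the signature verifies against a key of a known issuer, the assertion is addressed to this SP, it lies inside its validity window, and it has not been presented before. Real Shibboleth assertions are SAML XML signed with the IdP's private key and verified against the public key published in federation metadata; so that the example runs with the standard library only, an HMAC over a canonical JSON serialization stands in for that XML signature. The entity IDs, keys, clock-skew tolerance and assertion contents are all constructed for illustration.

```python
"""SP-side validation of a signed assertion from a trusted IdP (added example).

The HMAC here is a stand-in for the XML signature a real Shibboleth IdP
produces; every identifier and key below is constructed.
"""
import hashlib
import hmac
import json
import time

# Constructed identifiers: a real SP takes these from federation metadata.
SP_ENTITY_ID = "https://sp.example.invalid/shibboleth"
IDP_KEYS = {
    "https://idp-a.example.invalid/idp": b"idp-a-signing-key-stand-in",
    "https://idp-b.example.invalid/idp": b"idp-b-signing-key-stand-in",
}
CLOCK_SKEW = 180  # seconds of tolerance for IdP/SP clock drift (constructed)


def canonical(assertion):
    """Deterministic serialization so signer and verifier MAC the same bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion, key):
    """IdP side (stand-in for XML-DSig): HMAC-SHA256 over the canonical form."""
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()


def validate(assertion, signature, seen_ids, now=None):
    """SP side: every check must pass before the subject is trusted.

    Returns ("ok", subject) or ("reject", reason). The signature is checked
    before any other field is relied upon, since unsigned content is untrusted.
    """
    now = time.time() if now is None else now
    key = IDP_KEYS.get(assertion.get("issuer"))
    if key is None:
        return "reject", "untrusted issuer"
    if not hmac.compare_digest(sign(assertion, key), signature):
        return "reject", "bad signature"
    if assertion.get("audience") != SP_ENTITY_ID:
        return "reject", "assertion not addressed to this SP"
    if now < assertion["not_before"] - CLOCK_SKEW:
        return "reject", "assertion not yet valid"
    if now >= assertion["not_on_or_after"] + CLOCK_SKEW:
        return "reject", "assertion expired"
    if assertion["id"] in seen_ids:
        return "reject", "replayed assertion"
    seen_ids.add(assertion["id"])  # one-time use within the validity window
    return "ok", assertion["subject"]


def make_assertion(issuer, subject, issued_at, lifetime=300, assertion_id="_c1"):
    """Constructed assertion such as an IdP would send after a successful login."""
    return {
        "id": assertion_id,
        "issuer": issuer,
        "subject": subject,
        "audience": SP_ENTITY_ID,
        "not_before": issued_at,
        "not_on_or_after": issued_at + lifetime,
    }


def demo():
    """Walk through accept, replay, tampering and expiry on constructed data."""
    now = 1_700_000_000
    idp = "https://idp-a.example.invalid/idp"
    seen = set()
    good = make_assertion(idp, "jdoe@idp-a.example.invalid", now)
    sig = sign(good, IDP_KEYS[idp])
    results = [validate(good, sig, seen, now)]              # accepted
    results.append(validate(good, sig, seen, now))          # same id again: replay
    tampered = dict(good, subject="admin@idp-a.example.invalid")
    results.append(validate(tampered, sig, seen, now))      # MAC no longer matches
    results.append(validate(good, sig, set(), now + 3600))  # outside the window
    return results


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The order of the checks matters: issuer lookup and signature verification come first, so that audience, time and replay decisions are only ever made on content the IdP actually signed.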
What MIT applications support Touchstone today?
Touchstone is just entering its pilot phase. During the pilot only a small number of applications will be part of Touchstone. The following applications are expected to participate in the pilot:
- Stellar
- Wiki.mit.edu, the MIT Confluence wiki system
- Jira
- Dspace
- Thalia
- Alfresco
How do I integrate my web application with MIT Touchstone?
At its simplest, Touchstone will set one or more environment variables on your Apache or IIS server, including REMOTE_USER. Your application can then use these values. A demonstration application that shows which environment variables get set can be viewed at https://mv-ezproxy-com.ezproxyberklee.flo.org/shib-testenv. Of course, your web server will have to have Shibboleth installed, and the MIT IdP will need to be made aware of your application. To secure the communication between your web application and the MIT IdP you will also need an MIT certificate for your server.
The most important fact for a web developer to consider when integrating Touchstone is that a successful authentication should not, a priori, grant privileges. Instead the application should examine the identifier of the authenticated user and then determine which privileges to grant to that user. Within Touchstone, authenticated users are not necessarily from MIT; the user may come from anywhere in the world, and may be authenticated via another organization's system. The user identifier will normally look like an email address, e.g. JohnDoe@mit.edu or JohnDoe@example.com.
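The point above, that a login is not a grant, is easiest to see in code. The following added example (not MIT's or Shibboleth's code) is a small WSGI handler that assumes the Shibboleth SP on the web server has set REMOTE_USER to a scoped identifier of the form user@scope, as the FAQ describes. The role table, the `authorize` and `handle` helpers, and the request environments are constructed for illustration; the scopes mit.edu and protectnetwork.org are taken from this page, the local parts are made up.

```python
"""Deny-by-default authorization on top of a Touchstone login (added example).

Assumes the Shibboleth SP has populated REMOTE_USER with "user@scope".
The policy table and environments are constructed, not MIT configuration.
"""

# Constructed policy: grants are explicit; anything not listed is denied.
ADMIN_USERS = {"alice@mit.edu"}                # constructed identifier
SCOPE_ROLES = {
    "mit.edu": "member",                       # users asserted by the MIT IdP
    "protectnetwork.org": "guest",             # federated users get less
}


def parse_scoped_id(remote_user):
    """Split 'user@scope' into (user, scope).

    An empty value, a missing scope, or more than one '@' is treated as
    "no usable identity" rather than guessed at.
    """
    if not remote_user or remote_user.count("@") != 1:
        return None
    user, scope = remote_user.split("@")
    if not user or not scope:
        return None
    return user, scope.lower()  # scopes are DNS names: case-insensitive


def authorize(environ):
    """Return the role granted to the caller, or None to deny.

    The decision is made from the identifier, never from the mere fact that
    REMOTE_USER is present: an unknown home organisation gets nothing.
    """
    parsed = parse_scoped_id(environ.get("REMOTE_USER"))
    if parsed is None:
        return None
    user, scope = parsed
    if f"{user}@{scope}" in ADMIN_USERS:
        return "admin"
    return SCOPE_ROLES.get(scope)


def handle(environ):
    """Map the decision to an HTTP status: 401 when no identity was asserted,
    403 when the identity is known but has no role here."""
    identity = environ.get("REMOTE_USER")
    if parse_scoped_id(identity) is None:
        return "401 Unauthorized", "sign in via Touchstone first"
    role = authorize(environ)
    if role is None:
        return "403 Forbidden", f"{identity} is authenticated but has no role here"
    return "200 OK", f"hello {identity}, role={role}"


def application(environ, start_response):
    """WSGI entry point for placing the logic behind a Shibboleth-protected location."""
    status, body = handle(environ)
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


if __name__ == "__main__":
    # Constructed request environments, as the SP would populate them.
    for env in ({}, {"REMOTE_USER": "alice@mit.edu"},
                {"REMOTE_USER": "JohnDoe@protectnetwork.org"},
                {"REMOTE_USER": "JohnDoe@example.com"}):
        print(env.get("REMOTE_USER"), "->", handle(env)[0])
```

Distinguishing 401 from 403 keeps the two questions separate in logs as well: the first says the SP never asserted an identity, the second says it did and the application chose not to grant anything.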
During the pilot phase of introducing Touchstone on campus, we suggest that you contact the MIT webauth-dev list for some free, individual consulting. As we move into production there will be additional IS&T groups that can help you with your project and we will have more online documentation.
You may also be interested in looking at some of the existing 3rd party Shibboleth documentation. The Shibboleth wiki can be found at https://spaces.internet2.edu/display/SHIB/WebHome and the Shibboleth home page can be found at http://shibboleth.internet2.edu/.
What is federated authentication?
Federated Authentication is the current jargon for outsourcing authentication to multiple known providers. Touchstone will initially support a small number of authentication providers, namely MIT's IS&T and ProtectNetwork. Over time the number of providers will grow. Our intent is to join the InCommon federation which has many members from the U.S. higher-ed community.
Any user can obtain a ProtectNetwork account and use that to authenticate to MIT Touchstone enabled servers. More information about ProtectNetwork can be found at http://protectnetwork.org/.
More information about the InCommon Federation can be found at http://www.incommonfederation.org/. The current list of InCommon Federation participants can be found at http://www.incommonfederation.org/participants.cfm. Note that users from each of these organizations will be able to authenticate to MIT Touchstone systems. Similarly, MIT users will be able to authenticate to some of the web applications at these sites.