<title>IS&T: What is MIT Touchstone?</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- Page Last Modified: 10/20/2008 -->
<meta name="author" content="MIT Touchstone">
<meta name="keywords" content="MIT Touchstone, Touchstone, Shibboleth, web authentication, authentication, developer support">
<meta name="description" content="IS&T: What is MIT Touchstone">

<body bgcolor="#FFFFFF" text="#000000" marginwidth="0" marginheight="0" link="#006699" vlink="#666666" alink="#000000">



            <a id="startcontent" name="startcontent"></a><a name="top"></a><br>
            <h1>What is MIT Touchstone?</h1>

              <li><a name="heading8.1" id="heading8.1"></a><strong>What is MIT Touchstone?</strong>
                MIT Touchstone is a suite of technologies, introduced by IS&T, for authenticating the users of web applications.
                It is focused on web applications and is not suitable for authenticating native desktop applications.

              <li><a name="heading8.2" id="heading8.2"></a><strong>Do I need MIT Touchstone?</strong>
              	MIT Touchstone and Shibboleth are of interest if you support a web application on an Apache, Microsoft IIS, or
              	Netscape/iPlanet/Sun web server that needs to authenticate its users, especially if that population includes not only
              	MIT faculty, staff, and students but also members of other institutions in the InCommon federation and other users who do
              	not already have an MIT Kerberos account. MIT Touchstone lets users log in with their MIT Kerberos account or another
              	account while relieving your application of the need to validate or manage passwords. Various kinds of attribute
              	information about users can also be provided to your application for personalization or, in some limited cases, authorization.

              <li><a name="heading8.3" id="heading8.3"></a><strong>Is MIT Touchstone a single sign-on solution?</strong>
              MIT Touchstone does provide single sign-on for applications that have been coded and configured to
              use the system. Within the set of Touchstone enabled applications, users can move from one system to another
              without being prompted for additional authentication information.

              <li><a name="heading8.4" id="heading8.4"></a><strong>Why has IS&T introduced Touchstone?</strong>
              MIT Touchstone introduces new functionality into the MIT environment. It allows MIT people to use
              a wider variety of authentication mechanisms, under a variety of conditions, when accessing a number of
              MIT web applications. Going forward, it will also let MIT users access some web applications at
              other sites without establishing a new account with the other site. In addition to MIT X.509
              certificates, people may also use Kerberos, or a username and password over TLS. Web developers at MIT will
              be able to use federated authentication, so that they can easily determine whether an MIT user, or a user from
              another authentication authority, has authenticated.

              <li><a name="heading8.5" id="heading8.5"></a><strong>How will MIT Touchstone improve the user experience?</strong>
				MIT users will be able to authenticate to Touchstone enabled web applications with a variety of mechanisms. This
				means that a user who is borrowing a computer, or sharing one with others, may choose to use a password
				instead of installing a certificate. On the other hand, users of the WIN.MIT.EDU or Athena environments may choose
				to configure their profiles so that native Kerberos is used: the system then authenticates the user to web
				applications automatically, using the Kerberos ticket obtained when first logging into the workstation. Certificates
				are still supported, so users can continue to use their current procedures.

			  <li><a name="heading8.6" id="heading8.6"></a><strong>Why should a department, lab, or center integrate their web application into Touchstone?</strong><br>
				By adopting one technology, the web server essentially outsources the authentication task and lets its users
				authenticate with a much wider variety of mechanisms, including passwords, X.509 certificates, Kerberos,
				and OpenID. At the same time the web server avoids the typical risks and concerns associated with consuming passwords,
				and the application needs no code of its own to deal with certificates, Kerberos, or OpenID.
				Another benefit is that the web application no longer has to maintain local accounts or special accounts for external
				users and collaborators. Instead, management of that community can be outsourced to Touchstone's external account management
				system, which gives those users self-service password resets and the option of OpenID if they do not want
				to use passwords. The web application then has the same interfaces and code paths for every authenticated user.
				DLCs should also be aware that Touchstone supports federated authentication: as Touchstone establishes relationships
				with other identity providers, web applications will be able to interact with an even wider audience if desired. Touchstone
				has already established a relationship with, and is expected to join, the InCommon federation in the near future.
			  <li><a name="heading8.7" id="heading8.7"></a><strong>What technologies does Touchstone use?</strong>
			  MIT Touchstone is a suite of technologies, including Stanford's WebAuth, Internet2's Shibboleth, SAML (the Security
			  Assertion Markup Language), and a new account management system for some users outside of the traditional MIT community. The system
			  uses HTTP redirection extensively, and uses other standard web technologies such as SSL.<br><br>
				The primary login server uses Stanford's WebAuth package for initial authentication. The login server
				will initially support three authentication mechanisms: MIT X.509 certificates, Kerberos (via the HTTP/SPNEGO
				protocol), and MIT usernames and passwords over TLS. The WebAuth server is bound to a Shibboleth Identity Provider
				(IdP). The IdP is treated as a trusted third party by the web application servers: it makes signed assertions
				to those servers, communicating information about the authenticated user to each one. Architecturally this is very
				similar to the model used by Kerberized applications on campus today, although different protocols are used.<br><br>
				Each web application server that wishes to use Touchstone must also run the Shibboleth Service Provider (SP)
				component. This software is available for Apache and IIS web servers; in the future we may also support web servers
				that use Tomcat without Apache, but that option will not be available initially.<br><br>
				In conjunction with Touchstone, IS&T is creating a new accounts management system for users who are
				not part of the core MIT community and thus do not have MIT Kerberos accounts. Accounts managed by this system
				identify the user by their external email address. The system will also provide a login server that accepts
				passwords; additionally, OpenID will be supported as an authentication mechanism. It will also serve as a Shibboleth
				Identity Provider (IdP) within the Touchstone environment.
			  <li><a name="heading8.8" id="heading8.8"></a><strong>What applications support MIT Touchstone?</strong><br>
			  	A list of applications that support MIT Touchstone can be found <a href="">here</a>.
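<p>The trust model described in the answers on why a DLC should integrate its application and on what technologies Touchstone uses (the web server outsources authentication to a trusted third party that makes signed assertions, and therefore never handles passwords itself) is illustrated below. This is an added example written for this page; it is not Touchstone's, WebAuth's or Shibboleth's own code. It is a deliberately simplified stand-in for the SAML exchange: the assertion is JSON rather than XML-Signature-signed SAML, the signature is Ed25519 rather than the RSA keys Shibboleth deployments use, and every entity ID, attribute name and the five-minute validity window is an assumption. What it preserves is the set of checks the Service Provider must make before trusting anything the IdP says: signature against the IdP key it was configured to trust, issuer, audience, validity window, and a replay check on the assertion ID.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for a signed SAML assertion; JSON and field names are example assumptions.
type Assertion struct {
	ID, Issuer, Subject, Audience string
	IssueInstant, NotOnOrAfter    int64 // Unix seconds
	Attributes                    map[string]string
}

// SignedAssertion is the serialized assertion plus the IdP's signature over exactly those bytes.
type SignedAssertion struct{ Payload, Signature []byte }

var (
	ErrBadSignature    = errors.New("signature does not verify against the trusted IdP key")
	ErrWrongIssuer     = errors.New("assertion was issued by an untrusted IdP")
	ErrWrongAudience   = errors.New("assertion was issued for a different SP")
	ErrOutsideValidity = errors.New("assertion is outside its validity window")
	ErrReplay          = errors.New("assertion ID has already been consumed")
)

// IdP models the login server. The private key never leaves it; SPs receive the public half.
type IdP struct {
	entityID string
	priv     ed25519.PrivateKey
}

func NewIdP(entityID string) (*IdP, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &IdP{entityID: entityID, priv: priv}, pub, nil
}

// Issue signs an assertion for one subject, bound to one SP and a short validity window.
func (i *IdP) Issue(subject, audience string, attrs map[string]string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	id := make([]byte, 16) // random, so the SP can recognise a replayed assertion
	if _, err := rand.Read(id); err != nil {
		return SignedAssertion{}, err
	}
	payload, err := json.Marshal(Assertion{ID: fmt.Sprintf("%x", id), Issuer: i.entityID, Subject: subject,
		Audience: audience, IssueInstant: now.Unix(), NotOnOrAfter: now.Add(ttl).Unix(), Attributes: attrs})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// SP models the Service Provider on the web server: its own entityID, the trusted IdP's
// entityID and public key (exchanged out of band), and the assertion IDs already consumed.
type SP struct {
	EntityID, IdPID string
	IdPKey          ed25519.PublicKey
	ClockSkew       time.Duration
	Seen            map[string]bool
}

// Consume performs the checks an SP must make before trusting what the IdP says. The signature is
// verified before any payload byte is parsed; a validly signed assertion is still rejected if it
// names another issuer or SP, is outside its window, or has been presented before.
func (s *SP) Consume(sa SignedAssertion, now time.Time) (*Assertion, error) {
	if !ed25519.Verify(s.IdPKey, sa.Payload, sa.Signature) {
		return nil, ErrBadSignature
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	if a.Issuer != s.IdPID {
		return nil, ErrWrongIssuer
	}
	if a.Audience != s.EntityID {
		return nil, ErrWrongAudience
	}
	issued, expires := time.Unix(a.IssueInstant, 0), time.Unix(a.NotOnOrAfter, 0)
	if now.Add(s.ClockSkew).Before(issued) || !now.Add(-s.ClockSkew).Before(expires) {
		return nil, ErrOutsideValidity
	}
	if s.Seen[a.ID] {
		return nil, ErrReplay
	}
	s.Seen[a.ID] = true // a real SP drops this entry once NotOnOrAfter plus skew has passed
	return &a, nil
}

func main() {
	const idpID, spID = "https://idp.example.edu/idp/shibboleth", "https://app.example.edu/shibboleth"
	idp, pub, _ := NewIdP(idpID)
	sp := &SP{EntityID: spID, IdPID: idpID, IdPKey: pub, ClockSkew: 2 * time.Minute, Seen: map[string]bool{}}
	sa, _ := idp.Issue("user@example.edu", spID, map[string]string{"eppn": "user@example.edu"}, time.Now(), 5*time.Minute)
	_, first := sp.Consume(sa, time.Now())
	_, second := sp.Consume(sa, time.Now()) // the same assertion presented again
	fmt.Println("first:", first, "second:", second)
}
```

<p>The order of the checks is the point. Nothing in the payload is parsed or trusted until the signature verifies, which is why the application code behind the SP never needs to understand certificates, Kerberos or passwords: it only needs the IdP's public key. The audience check is what keeps an assertion issued to one Touchstone enabled application from being relayed to another, and the issuer check is what matters once more than one identity provider (the external accounts IdP, or InCommon members) is trusted.</p>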

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>
		    <hr size="1" noshade>


