shibboleth-dev - infocard investigations
Shibboleth Developers list archive
- From: Jim Fox
- Subject: infocard investigations
- Date: Thu, 3 Apr 2008 14:06:38 -0700 (PDT)
In Monday's call I said I'd look into some directions
for the infocard plugin. They go something like:
1) Different ways to authenticate.
The extension uses id and password, through JAAS. Other
possibilities include Kerberos, X509 certificate, and
self-issued card.
a. A Kerberos authn would give the user's principal name
directly. Not clear to me what percentage of
our population has Kerberos on their workstations.
b. A certificate authn gives the IdP the certificate,
from which, if the IdP was sufficiently in cahoots
with the issuing CA, it could directly extract the
principal name. This could be a security improvement,
as one could be stored on a USB token and used like a key.
c. The self-issued card gives the IdP the equivalent of
an ePTID. The IdP would have to look up the user's
principal name from a database - could be LDAP.
This might be a convenience to the user, but most
users would likely not protect their self card with
a password - making a lost laptop more likely a lost
identity.
2) Allow infocard authn to the IdP.
The obvious way to do this at Univ of Washington is to
put an infocard-shib SP on our pubcookie servers. That
way all university SSO login can be done with infocard,
not just the shib ones. However, that wouldn't work
with non-Apache SSO sites.
Another possibility is to allow a shib IdP to request an
infocard login directly, as an alternative to the username
and password form it comes with now.
Jim