joint information systems committee 01/04/2014 | | slide 1 single sign-on solutions nicole harris...
Post on 10-Dec-2015
Joint Information Systems Committee 04/18/23 | | Slide 1
Single Sign-On Solutions
Nicole Harris, Programme Manager – JISC
Slide 2
Thanks
To Brian Gilmore, who provided much of the material for these slides!
JISC report can be found at:
– http://www.jisc.ac.uk/uploaded_documents/CMSS-Gilmore.pdf.
Disclaimer: speaker has no direct experience of implementing SSO solutions!
Questions via the WIKI please:
– federation.pbwiki.com
– Login: shibboleth
Slide 3
Roadmap for Institutions
Slide 4
The Problem
Each service challenges the user separately:
– PC Login
– School Web Site - Login
– College Intranet - Login
– Staffmail - Login
– Corporate Services - Login
– ATHENS - Login
– WIZARD eFinancials - Login
– Other External Services - Login
– ESP - Login
– WebCT / EEMEC - Login
– E-Diary - Login
– etc.
Slide 5
What is Single Sign-On?
Used to refer to many different approaches, such as:
– LDAP look-up;
– Shared name / password;
– One sign-on, one database.
Slide 6
Approaches to Single Sign-On
LDAP Look-Up:
– A number of sites claim they have single sign-on by having a single LDAP database which a number of services access.
– Not true SSO as the user is challenged individually by each service.
Shared Name / Password:
– Multiple, separate name/pass stores, possibly with synchronisation;
– User experience may be the same as true SSO;
– But higher risk: the stores sit at different security levels, compromise of one store means compromise of all, and there is the possibility of unencrypted passwords in the system and/or crossing the network during synchronisation.
True Single Sign-On:
– There is a single, well protected, store of user names & passwords
– Interrogated by multiple services
– User enters (particular) credentials once, and only once
– Consistent, overall timeout can be applied – how long is an issue!
Slide 7
Do We Want SSO?
If a user is compromised then all the resources open to that user are compromised.
Important to carry out a risk analysis to determine the balance between usability and security.
Slide 8
Potential Sign-On Model
Sign-on at 3 distinct levels:
– External Network Logon
– ‘Normal’ Internal level
– ‘High Risk’ Areas
Can be other models!
Federated Access Management concentrates on web-based resources, although there have been successful trials with network-level access.
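To make the distinction on slide 6 and the three-level model on slide 8 concrete, here is a small in-memory model of a "true" web SSO server of the CAS/Cosign family. This is an added example written for this page; it is not code from the JISC report, nor from CAS, Pubcookie, WebAuth or Cosign. It shows one protected credential store that alone ever sees a password, a login performed once per session, short-lived single-use tickets bound to one service and validated back-channel, one overall session timeout, and a "high risk" level that demands a recent password entry (step-up) rather than a separate account. The class and constant names, the timeouts and the sample user are assumptions made for illustration.

```python
"""Minimal CAS-style 'true' single sign-on server with a step-up level for high-risk areas.

Added example for this page (not code from the JISC report, CAS, Pubcookie,
WebAuth or Cosign). Names, timeouts and the sample user are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

MAX_SESSION_SECONDS = 8 * 3600   # overall SSO timeout; "how long" is a policy choice
TICKET_SECONDS = 30              # service tickets are short-lived and single use
HIGH_RISK_FRESHNESS = 5 * 60     # high-risk services want a password entered recently


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SSOServer:
    """The single, well-protected credential store; the only party that ever sees a password."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._sessions = {}  # SSO session cookie -> (username, authenticated_at)
        self._tickets = {}   # service ticket -> (username, service_url, level, issued_at)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """Interactive login: the one place credentials are entered. Returns a session cookie or None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, _hash_password(password, salt)):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (username, self._clock())
        return cookie

    def issue_ticket(self, cookie: str, service_url: str, level: str = "normal"):
        """Mint a ticket for one service from a live session; no password re-entry for 'normal' services.
        'high' services additionally require that the password was entered recently (step-up)."""
        sess = self._sessions.get(cookie)
        if sess is None:
            return None
        username, authenticated_at = sess
        age = self._clock() - authenticated_at
        if age > MAX_SESSION_SECONDS:
            del self._sessions[cookie]   # overall timeout: the next service visit forces a fresh login
            return None
        if level == "high" and age > HIGH_RISK_FRESHNESS:
            return None                  # session still valid, but not fresh enough: re-authenticate first
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (username, service_url, level, self._clock())
        return ticket

    def validate(self, ticket: str, service_url: str, level: str):
        """Back-channel validation by the service. The ticket is consumed on first use (replay fails)."""
        rec = self._tickets.pop(ticket, None)
        if rec is None:
            return None
        username, bound_url, bound_level, issued_at = rec
        if bound_url != service_url or bound_level != level:
            return None                  # ticket minted for a different service or level
        if self._clock() - issued_at > TICKET_SECONDS:
            return None
        return username


class Service:
    """A relying web application. It never handles passwords, only tickets it validates with the SSO server."""

    def __init__(self, url: str, sso: SSOServer, level: str = "normal"):
        self.url, self.sso, self.level = url, sso, level

    def access(self, ticket):
        user = self.sso.validate(ticket, self.url, self.level) if ticket else None
        return f"{self.url}: welcome {user}" if user else f"{self.url}: redirect to SSO login"


if __name__ == "__main__":
    sso = SSOServer()
    sso.add_user("alice", "correct horse battery staple")        # constructed sample user
    cookie = sso.login("alice", "correct horse battery staple")  # credentials entered once
    staffmail = Service("https://staffmail.example.ac.uk", sso)
    finance = Service("https://efinancials.example.ac.uk", sso, level="high")
    print(staffmail.access(sso.issue_ticket(cookie, staffmail.url)))
    print(finance.access(sso.issue_ticket(cookie, finance.url, "high")))
```

The point of the design is that a compromised relying service never yields a reusable credential: it only ever holds tickets that are bound to its own URL, expire in seconds and die on first validation. The two timeouts are where slide 6's "how long is an issue" and slide 8's "high risk" level are decided; the step-up level reuses the same session and credential store rather than a second password, which is what the shared-password model gets wrong.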
Slide 9
Pre-requisites for SSO
You have to know who *all* your users are.
SSO implies automation, therefore ‘special cases’ are a problem:
– Students
– Staff
– Alumni
– ‘Others’
‘Others’ problem area:
– Casual staff visitor to a department
– External Uni PhD students working in your institution
– Medical staff who teach
– Retired staff casually still working in a department
Refers to ‘stage two’ in the JISC Roadmap document!
Slide 10
JISC Web-Based SSO Study - 2004
Note that this was carried out in 2004; JISC is looking to update it.
Systems evaluated:
– CAS (Yale)
– Pubcookie (Washington)
– WebAuth (Stanford)
– Cosign (Michigan)
– KX.509 (Michigan)
Systems not fully evaluated:
– A-Select (partially evaluated)
– Shibboleth as an SSO (not evaluated at all)
Slide 11
Overview of Results
System    | Usage              | Single point of failure | Support                            | Documentation | Availability of authentication modules | Shibboleth enabled
CAS       | Moderate           | Yes                     | Poor                               | Poor          | V poor                                 | No at time. Yes now!
Pubcookie | Widely used        | Yes                     | Variable                           | Small amount  | Variable                               | Yes now!
Webauth   | Not widely used    | No                      | Responsive                         | V good        | Poor                                   | No
Cosign    | Relatively new     | No                      | V responsive                       | Small         | Good                                   | Has been demonstrated
A-Select  | Moderate inside NL | Yes                     | Responsive, commercially available | Good          | V good                                 | Yes
Slide 12
JISC Project Experience
CAS: LSIP at Liverpool
– http://www.liv.ac.uk/LSIP/Documentation/ImplementationofYaleCASSSO.html
Pubcookie: IAMSECT at Newcastle
– http://iamsect.ncl.ac.uk/deliverables/docs/shib_install/
Webauth: SPIE at Oxford
– http://spie.oucs.ox.ac.uk/Wiki.jsp?page=Outputs
Cosign: AMIE at Edinburgh
– www.ucs.ed.ac.uk/projects/amie
A-Select:
– No existing UK experience (to the knowledge of JISC and Google)
Slide 13
Edinburgh in Focus
Decided to implement Cosign
– Strong links with Kerberos (strong Linux presence)
– Liked the support
– No single-point of failure
– But no IIS support (yet)
29 services now covered by SSO
23 services not covered
• 6 of them soon!
• Individual machines
• Departmental services
• Commercial Packages
Takes time and significant buy-in from departments etc.
Slide 14
Reflections from Edinburgh
Implementing an SSO system is loved by the users
Which system, original SSO or Shibboleth, will depend upon your circumstances
You really do need to know who all your users are!