Towards Secure Single Sign-On
SSSO means different things to different people. We must reach some broadly-acceptable
definition for the project. Components are likely to include:
- Each user to only need a single username or ID for all systems
- Having logged in at a workstation, no further need to provide username and password for other services accessed in the same session
- Passwords are not good enough, but there is no single replacement. Must allow for smart-cards of various types, one-time keys, and probably biometrics.
- Strength of authentication required will be a policy matter and may vary depending on where the workstation is.
- Many different platforms to support, and must be transparent to the user: Unix, DOS, NT, Mainframes, Web servers, Z39.50, LDAP, etc.
- We cannot mandate a single authority to validate all potential users, or even a single authority to validate all sub-authorities.
PEM/X.509 propose a `tree of trust', where PGP has a `web of trust':
neither is completely appropriate. We need something closer to a federation
where entities can decide what other entities they will trust for particular
purposes. For large-scale E-Commerce it is likely that the `roots of trust'
will end up being large banks, and for this purpose trading entities may
decide to accept any credential signed by an entity approved by their own bank.
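The two policy points above (authentication strength that depends on where the workstation is, and a federation in which a relying party accepts an issuer either because it trusts it directly for a purpose or because a "root of trust" such as its own bank has approved that issuer for that purpose) can be written down as a small decision procedure. The following is an added illustration, not code from this project or any of the initiatives listed on the page. The issuer names (brunel, acme-ca, bigbank), the strength ordering of the authentication methods and the per-location policy are all constructed, and an HMAC over a canonical encoding stands in for the public-key signature a real X.509 or PGP credential would carry.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed assurance ordering for the authentication methods the page lists.
METHOD_STRENGTH = {"password": 1, "one_time_key": 2, "smart_card": 3, "biometric": 3}

# Constructed policy: minimum strength required by workstation location.
LOCATION_POLICY = {"campus_lan": 1, "vpn": 2, "public_kiosk": 3}


@dataclass(frozen=True)
class Credential:
    subject: str
    issuer: str
    purpose: str   # what the credential is asserted for, e.g. "library" or "payment"
    method: str    # how the subject authenticated to the issuer
    signature: str


def _canonical(cred):
    # Canonical encoding of the signed fields (everything except the signature).
    return json.dumps([cred.subject, cred.issuer, cred.purpose, cred.method],
                      separators=(",", ":")).encode()


def issue(keys, subject, issuer, purpose, method):
    """Issuer signs a credential. HMAC is a stand-in for a public-key signature."""
    unsigned = Credential(subject, issuer, purpose, method, "")
    sig = hmac.new(keys[issuer], _canonical(unsigned), hashlib.sha256).hexdigest()
    return replace(unsigned, signature=sig)


def signature_valid(keys, cred):
    if cred.issuer not in keys:
        return False
    expected = hmac.new(keys[cred.issuer], _canonical(cred), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred.signature)


@dataclass
class RelyingParty:
    name: str
    direct_trust: dict   # purpose -> set of issuers this party trusts on its own account
    roots: set           # "roots of trust" (e.g. banks) whose approvals this party accepts


def issuer_trusted(rp, approvals, issuer, purpose):
    """approvals: root -> purpose -> set of issuers that root has approved."""
    if issuer in rp.direct_trust.get(purpose, set()):
        return True
    return any(issuer in approvals.get(root, {}).get(purpose, set()) for root in rp.roots)


def decide(rp, keys, approvals, cred, location):
    """Return (accepted, reason) for presenting `cred` to `rp` from `location`."""
    if not signature_valid(keys, cred):
        return False, "signature invalid"
    if not issuer_trusted(rp, approvals, cred.issuer, cred.purpose):
        return False, f"issuer {cred.issuer} not trusted for purpose {cred.purpose}"
    required = LOCATION_POLICY[location]
    if METHOD_STRENGTH.get(cred.method, 0) < required:
        return False, f"{cred.method} too weak for {location} (needs level {required})"
    return True, "accepted"


def demo():
    """Run constructed scenarios; returns {scenario: (accepted, reason)}."""
    keys = {"brunel": b"brunel-secret", "acme-ca": b"acme-secret"}   # constructed keys
    approvals = {"bigbank": {"payment": {"acme-ca"}}}                 # bank approves acme-ca for payment
    shop = RelyingParty("shop", direct_trust={"library": {"brunel"}}, roots={"bigbank"})

    lib = issue(keys, "alice", "brunel", "library", "password")
    pay = issue(keys, "alice", "acme-ca", "payment", "smart_card")
    forged = replace(lib, subject="mallory")                           # signature no longer matches
    misuse = issue(keys, "alice", "acme-ca", "library", "smart_card")  # approved issuer, wrong purpose

    return {
        "library_on_lan": decide(shop, keys, approvals, lib, "campus_lan"),
        "library_at_kiosk": decide(shop, keys, approvals, lib, "public_kiosk"),
        "payment_via_bank": decide(shop, keys, approvals, pay, "vpn"),
        "forged_subject": decide(shop, keys, approvals, forged, "campus_lan"),
        "issuer_wrong_purpose": decide(shop, keys, approvals, misuse, "campus_lan"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The point of scoping trust by purpose is visible in the last scenario: the bank's approval of acme-ca for payments does not make acme-ca acceptable for library access, and the same password credential that is fine on the campus LAN is rejected from a public kiosk because the location policy demands a stronger method.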
We don't want to go off in a unique direction, as for SSSO to be really
useful it must be interoperable between organisations. This means tracking
work that is going on in the Internet and elsewhere. A few starting points:
- IETF Working Groups, particularly in the security area
- W3C (World Wide Web Consortium) working groups
- Electronic Commerce groups
- ITU-T
The Security Area Directors are Jeffrey Schiller <jis@mit.edu> and Marcus
Leech <mleech@nortel.ca>.
Relevant Working Groups and documents include these (some of which are probably competing or overlapping):
Commercial Certificate Issuers
Existing products related to SSSO
Directory Enabled Networks (DEN)
Initiatives and work-in-progress
- Regaining Single Sign-On at Brunel University
- Netproject open-source demonstrator project proposal
- The Internet2 Shibboleth project: inter-institutional authentication and authorisation for access to web pages, using whatever auth scheme the participating institutions already have in place.
- MACE (the Middleware Architecture Committee for Education) is Shibboleth's parent organisation and has pointers to other useful resources.
- A discussion paper on the requirements for Sparta: the Second-Generation Access Management System for UK Further and Higher Education.
- XLM4HE (X.509, LDAP, Middleware for Higher Education)
Other resources