The four web authentication modules that have the most visibility in
higher-ed are:
- PubCookie, originally developed at the University of Washington,
  http://www.pubcookie.org/
- CoSign, originally developed at the University of Michigan,
  http://www.umich.edu/~umweb/software/cosign/
- CAS, originally developed at Yale, http://www.ja-sig.org/products/cas/
- WebAuth, originally developed at Stanford University,
  http://webauth.stanford.edu/
As we talked about, the current vision is that IS&T will run a web site
where users will be expected to initially authenticate. Once that has
happened, users will be able to authenticate to other MIT web sites without
additional user interaction.
The web login service should provide users with a variety of mechanisms for
initial authentication. We'd like to support:
- X.509 user certificates
- Username/password protected by SSL
- Kerberos via http/spnego
A related project will be to support a Shibboleth deployment.
Shibboleth from Internet2, http://shibboleth.internet2.edu/
More information about http/spnego can be found at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-2.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-3.asp
http://modgssapache.sourceforge.net/
One issue we've faced when deploying web authentication at MIT is that we have a large community and there are multiple namespaces involved. We share Kerberos credentials with CMU and a few other Kerberos sites. However, there are people who need access to MIT community resources who do not have identities in one of these Kerberos realms. This too has been a problem when deploying client certificates.
We probably want to design the web authentication solution so that it can support multiple namespaces. For example, if a website wanted to accept CSAIL identities or identities of one of our partners, we want to be able to do that.
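One way a site could enforce this, as an added example (not code from any of the projects named above): identities stay realm-qualified end to end, and each site lists the namespaces it accepts. The realm names, site names, SITE_POLICY table and the parse_principal/authorize helpers are hypothetical placeholders.

```python
# Added illustration. All realm and site names are constructed placeholders.
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Identity:
    name: str   # local part, unique only within its realm
    realm: str  # namespace that vouched for the name


def parse_principal(principal: str) -> Identity:
    """Split 'name@REALM' on the last '@'; refuse unqualified names."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"unqualified or malformed principal: {principal!r}")
    # Realm names are compared exactly; they are case-sensitive in Kerberos.
    return Identity(name=name, realm=realm)


# Per-site list of accepted namespaces (hypothetical policy table).
SITE_POLICY = {
    "wiki.example": {"MIT.EXAMPLE", "CSAIL.EXAMPLE"},
    "payroll.example": {"MIT.EXAMPLE"},
    "collab.example": {"MIT.EXAMPLE", "PARTNER.EXAMPLE"},
}


def authorize(site: str, principal: str, acl: Set[str]) -> Optional[str]:
    """Return the realm-qualified identity if the site accepts its realm
    and the site's ACL lists that exact qualified name; otherwise None."""
    try:
        ident = parse_principal(principal)
    except ValueError:
        return None
    if ident.realm not in SITE_POLICY.get(site, set()):
        return None
    qualified = f"{ident.name}@{ident.realm}"
    # Never match on ident.name alone: the same local name in two realms
    # can belong to two different people.
    return qualified if qualified in acl else None


if __name__ == "__main__":
    acl = {"jdoe@MIT.EXAMPLE"}
    for p in ("jdoe@MIT.EXAMPLE", "jdoe@PARTNER.EXAMPLE", "jdoe"):
        print(p, "->", authorize("collab.example", p, acl))
```

The point to carry into the real design is that the realm travels with the name from the login service to the application's access check.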