Friday I met with Craig Counterman to discuss web authentication.
Notable points of the conversation include:

  • Stellar now uses Apache 2.2. At the moment, webauth only supports
    2.0.x, as far as I know, but I would not worry about this much, as
    we can reasonably expect webauth to support 2.2 soon, and at worst
    it is probably trivial to get this working ourselves.
  • Support for non-MIT users is important to Stellar. A typical case
    here is for a faculty member to "sponsor" an account for some
    external user; their requirement is that such a faculty sponsor
    be allowed to add such an account to the system. (In this case
    authentication is done via username/password, whereas MIT users
    typically use certificates.) It does not seem that the idea of
    opening up our Kerberos name space to additional users in the "MIT
    community", as we discussed the other day, would be feasible in
    this case.
  • Alumni are another use case for access via username/password.
  • While Craig said that users without Kerberos IDs currently constitute
    about 8-9% of their user base, this is probably misleading, as the
    Kerberos-based number includes all MIT Kerberos users (via a feed
    from the Data Warehouse), and there are obviously many such users
    who have never used the system. (He did not have relevant numbers
    for this handy.)
  • He mentioned the UMich "Friend" package as a potential solution.
    This is an add-on to Cosign (though claims to be able to work
    with other SSO packages) which I looked at only briefly – it
    seems to be a bit of a kludge, and not very secure (it is
    email-based).
  • He seems to be familiar with the Yale CAS system, and put in a
    plug for it. I responded (gently, I hope) that we were looking
    elsewhere. (smile)

Following up on another belated response, I am scheduled to meet
Wednesday with Nina Davis-Millis and Alex Brennen of Libraries.

Bob
