
<!-- For help with customizing IS&T Web page templates see http://web.mit.edu/ist/admin/styleguide/ or contact istweb@mit.edu -->
<head>
<!-- Change text within title tags below to the title of your page -->
<title>IS&T: What is MIT Touchstone?</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- Page Last Modified: 10/20/2008 -->
<!-- Insert "author" "keywords" and "description" meta tags here -->
<!-- For help with meta tags see http://web.mit.edu/ist/web/reference/create/metatags.html -->
<meta name="author" content="MIT Touchstone">
<meta name="keywords" content="MIT Touchstone, Touchstone, Shibboleth, web authentication, authentication, developer support">
<meta name="description" content="IS&T: What is MIT Touchstone">

<!-- Please do not modify links to stylesheet or JavaScript -->
<!-- For help with style sheets see http://web.mit.edu/ist/admin/styleguide/stylesheets.html -->
<link rel="stylesheet" href="http://web.mit.edu/ist/styles/isstyles.css" type="text/css">
<script language="JavaScript" type="text/javascript" src="http://web.mit.edu/ist/scripts/rollover.js"></script>
<style type="text/css">
<!--
.style2
-->
</style>
</head>

<body bgcolor="#FFFFFF" text="#000000" marginwidth="0" marginheight="0" link="#006699" vlink="#666666" alink="#000000">

<!--Begin Information Services and Technology topnav - PLEASE DO NOT EDIT THIS CODE -->
<table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#993333">
<form method="get" action="http://search.mit.edu/search">
<tr>
<!-- Begin image shims for accessibility purposes -->
<!-- TD has no width set because NS6 is buggy -->
<td height="73" rowspan="2" align="left" valign="top" nowrap class="islogobg"><a href="#startcontent" accesskey="4"><img src="http://web.mit.edu/ist/images/header_logo-5px-shim.gif" width="5" height="73" border="0" alt="Skip to content Accesskey=4"></a><a href="#subnavigation" accesskey="3"><img src="http://web.mit.edu/ist/images/header_logo-5px-shim.gif" width="5" height="73" border="0" alt="Skip to sub-navigation Accesskey=3"></a><a href="http://web.mit.edu/ist/accessibility.html" accesskey="7"><img src="http://web.mit.edu/ist/images/header_logo-3px-shim.gif" width="3" height="73" border="0" alt="View our Accessibility Options"></a></td>
<!-- End image shims for accessibility purposes -->
<td width="207" height="73" rowspan="2" align="left" valign="top" class="islogobg"><a href="http://web.mit.edu/ist/index.html"><img src="http://web.mit.edu/ist/images/header_is.gif" width="207" height="73" alt="MIT Information Services and Technology" border="0"></a></td>
<td width="100%" height="43" align="left" valign="middle" nowrap="nowrap" bgcolor="#FFFFFF" class="topnav"><a href="http://web.mit.edu/ist/index.html" class="topnav" accesskey="2" title="Access Key: Alt (or control) + 2">Home</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="5" height="8" alt="">
<a href="http://web.mit.edu/ist/about/index.html" class="topnav" title="about IS, and our contact info">About
IS&T</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="5" height="8" alt="">
<a href="http://web.mit.edu/ist/contact.html" class="topnav" accesskey="0" title="Access Key: Alt (or control) + 0">Contact
IS&T</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="5" height="8" alt="">
<a href="http://web.mit.edu/ist/sitemap.html" class="topnav" accesskey="6" title="Access Key: Alt (or control) + 6">Site
Map</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="15" height="8" alt=""></td>
<td width="50%" height="43" align="right" valign="middle" nowrap="nowrap" bgcolor="#FFFFFF" class="topnav">
<img src="http://web.mit.edu/ist/images/spacer.gif" width="3" height="1" alt="" >

<span class="search">Search</span>
<label for="search" accesskey="s">
<input id="search" name="q" type="text" size="10" class="quicklinks"></label>
<img src="http://web.mit.edu/ist/images/spacer.gif" width="1" height="1" alt="">
<!-- Begin Google search fields -->
<input type="hidden" name="proxyreload" value="1"><input type="hidden" name="site" value="ist"><input type="hidden" name="client" value="ist"><input type="hidden" name="output" value="xml_no_dtd"><input type="hidden" name="proxystylesheet" value="http://web.mit.edu/ist/styles/google-ist2.xsl"><label for="go"><input id="go" name="submit" type="image" src="http://web.mit.edu/ist/images/icon_go.gif" alt="Go" align="top" ></label>
<a href="http://web.mit.edu/ist/search/" class="topnav" accesskey="5" title="Access Key: Alt (or control) + 5">Advanced Search</a>
<img src="http://web.mit.edu/ist/images/spacer.gif" width="20" height="8" alt=""></td>
</tr>
<tr>
<td height="30" colspan="2" align="right" valign="top" nowrap="nowrap" class="headerbg"><a href="http://web.mit.edu/ist/start/index.html" onMouseOver="img1.src=img1ovr.src;" onMouseOut="img1.src=img1off.src;"><img src="http://web.mit.edu/ist/images/header_start_up.gif" width="163" height="30" name="img1" border="0" alt="Getting Started"></a><a href="http://web.mit.edu/ist/services/index.html" onMouseOver="img2.src=img2ovr.src;" onMouseOut="img2.src=img2off.src;"><img src="http://web.mit.edu/ist/images/header_service_up.gif" width="167" height="30" alt="Getting Services by Topic or Alphabetically " border="0" name="img2"></a><a href="http://web.mit.edu/ist/help/index.html" onMouseOver="img3.src=img3ovr.src;" onMouseOut="img3.src=img3off.src;"><img src="http://web.mit.edu/ist/images/header_help_up.gif" width="137" height="30" alt="Getting Help" border="0" name="img3"></a></td>
</tr>
</form>
</table>
<!-- End Information Services and Technology topnav -->

<table width="98%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="179" align="left" valign="top">
<!--Left Nav -->
<table width="220" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="408" colspan="3" align="left" valign="top"><br> <img src="http://web.mit.edu/ist/images/circle_sm_news_image.gif" width="194" height="186" alt=""></td>
</tr>
</table>
<!-- END Left Nav -->
<a id="subnavigation" name="subnavigation"></a> <br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="30"><img src="http://web.mit.edu/ist/images/spacer.gif" ALT="" width="27" height="10"></td>
<td width="163" valign="top">
<p><a href="http://web.mit.edu/touchstone/www/index.html">MIT Touchstone</a></p>
<table width="160" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="10"> </td>
<td><p>
<a href="applications.html">Touchstone enabled applications</a><br />
<a href="https://idp.touchstonenetwork.net/cams/CreateAccount.action">Register for a Collaboration Account (not for MIT people)</a><br />
<!-- <a href="awareness.html">Awareness & Education</a><br /> -->
<!-- <a href="resources.html">Resources</a><br /> -->
<a href="http://wikis.mit.edu.mit/confluence/display/TOUCHSTONE/MIT+Touchstone+FAQ">FAQ</a><br />
<a href="http://web.mit.edu/ist/org/isda/">ISDA</a> </p></td>
</tr>
</table>
<p><a href="">Obtaining X.509 certificates for a server</a></p>
<p><a href="http://www.incommonfederation.org/">InCommon</a></p>
<p><a href="http://shibboleth.internet2.edu/">Shibboleth at Internet2</a></p>
<!-- <p><a href="../sensitive/index.html">Sensitive Data</a></p> -->
<!-- <p><a href="../related/index.html">Related Services</a></p> -->
<p> </p>
<td width="27"><img src="http://web.mit.edu/ist/images/spacer.gif" ALT="" width="27" height="10"></td>
</tr>
<tr>
<td colspan="3"><img src="http://web.mit.edu/ist/images/title_relatedlinks.gif" alt="Related Links" width="206" height="20"></td>
</tr>
<tr>
<td> </td>
<td>
<!-- <p><a href="mailto: security@mit.edu">Contact IT Security Support </a></p> -->
<p><a href="http://itinfo.mit.edu/answer/">Stock Answers</a> </p>
<p> </p></td>
<td> </td>
</tr>
<td width="30"><img src="http://web.mit.edu/ist/images/spacer.gif" ALT="" width="30" height="1"></td>
</tr>
</table></td>
<!-- Main page content -->

<td align="left" valign="top"> <table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="115%"> <a id="startcontent" name="startcontent"></a><a name="top"></a><br>
<h1>What is MIT Touchstone?</h1>

<ul>
<li><a name="heading8.1" id="heading8.1"></a><strong>What is MIT Touchstone?</strong>
<p>
MIT Touchstone is a new suite of technologies, introduced by IS&T, for authenticating users to a variety of web applications.
It is focused on supporting web applications and is not suitable for authenticating native desktop applications.
</p>
</li>

<li><a name="heading8.2" id="heading8.2"></a><strong>Do I need MIT Touchstone?</strong>
<p>
MIT Touchstone and Shibboleth are of interest if you're supporting a web application on an Apache, Microsoft IIS, or Netscape/iPlanet/Sun web
server that needs to authenticate its users, especially if the population is drawn not only from the faculty, staff, or students of
MIT, but also from other educational institutions in the InCommon federation and from other users that do not already
have an MIT Kerberos account. MIT Touchstone enables users to log in with their MIT Kerberos account
or another account, while avoiding the need for your application to validate or manage passwords. Various kinds of attribute
information about users can also be provided to your application for personalization or, in some limited cases, authorization.
</p>
</li>

<li><a name="heading8.3" id="heading8.3"></a><strong>Is MIT Touchstone a single sign-on solution?</strong>
<p>
MIT Touchstone does provide a single sign-on solution for applications that have been coded and configured to
use the system. Within the context of Touchstone enabled applications, users will be able to seamlessly transition
between systems without being prompted for additional authentication information.
</p>
</li>

<li><a name="heading8.4" id="heading8.4"></a><strong>Why has IS&T introduced Touchstone?</strong>
<p>
MIT Touchstone introduces some new functionality into the MIT environment. It allows MIT people to use
a wider variety of authentication mechanisms, under a variety of conditions, when accessing a number of
MIT web applications. As we move forward it will also enable MIT users to access some web applications at
other sites without establishing a new account with the other site. In addition to supporting MIT X.509
certificates, people may also use Kerberos, or a username and password over TLS. Web developers at MIT will
be able to use federated authentication, so that they can easily determine whether an MIT user, or a user from
another authentication authority, has authenticated.
</p>
</li>

<li><a name="heading8.5" id="heading8.5"></a><strong>How will MIT Touchstone improve the user experience?</strong>
<p>
MIT users will be able to use a variety of mechanisms to authenticate to Touchstone enabled web applications. This
means that if a user is borrowing a computer or sharing a computer with others, they may choose to use a password
instead of installing a certificate. On the other hand, users of the WIN.MIT.EDU or Athena environments may choose
to configure their profiles so that native Kerberos is used. This means that the system will automatically
authenticate the user to web applications when needed by using the Kerberos ticket obtained when first logging into
the workstation. Of course, certificates are still supported so users can continue to use their current procedures.
</p>
</li>

<li><a name="heading8.6" id="heading8.6"></a><strong>Why should a department, lab, or center integrate its web application into Touchstone?</strong><br>
<p>
By adopting one technology, the web server essentially outsources the authentication task and lets its users
authenticate with a much wider variety of authentication mechanisms, including passwords, X.509 certificates, Kerberos,
and OpenID. At the same time the web server avoids the typical risks and concerns associated with handling passwords,
and it needs no code of its own to deal with certificates, Kerberos, or OpenID.
</p>
<p>
Another benefit is that the web application will no longer have to deal with local accounts or special accounts for external
users and collaborators. Instead the management of that community can be outsourced to Touchstone's external account management
system. By doing so, the users are provided with self-service password resets, and the ability to use OpenID if they don't want
to use passwords. This means that web applications will have the same interfaces and code paths for handling authenticated users, whether internal or external.
</p>
<p>
DLCs should also be aware that Touchstone supports federated authentication. This means that as Touchstone establishes relationships
with other identity providers, the web applications will be able to interact with an even wider audience if desired. Touchstone
has already established a relationship with ProtectNetwork.org and is expected to join the InCommon federation in the near future.
</p>
</li>

<li><a name="heading8.7" id="heading8.7"></a><strong>What technologies does Touchstone use?</strong>
<p>
MIT Touchstone is actually a suite of technologies, including Stanford's WebAuth, Internet2's Shibboleth, SAML (the Security
Assertion Markup Language), and a new account management system for some users outside of the traditional MIT community. The system
uses HTTP redirection extensively, and uses other standard web technologies such as SSL/TLS.
</p>
<p>
The primary login server uses Stanford's WebAuth package for initial authentication. The login server
will initially support three authentication mechanisms – MIT X.509 certificates, Kerberos (via the HTTP/SPNEGO
protocol), and MIT usernames and passwords over TLS. The WebAuth server is bound to a Shibboleth Identity Provider
(IdP). The IdP is then treated as a trusted third party by the web application servers; it makes signed assertions
to these application servers, which verify the signatures, communicating information about the authenticated users to each web server. From an
architectural perspective, this is very similar to the model used by Kerberized applications on campus today, although
different protocols are used.
Each web application server that wishes to use Touchstone will have to run the Shibboleth Service Provider (SP) component
as well. This required software is available for Apache and IIS web servers; in the future we may also support web servers
that use Tomcat without Apache, but that option will not be available initially.
</p>
<p>
In conjunction with Touchstone, IS&T is creating a new accounts management system intended to support users that are
not part of the core MIT community, and thus would not have MIT Kerberos accounts. Accounts managed by this system
will identify the user by their external email address. This system will also provide a login server that will accept
passwords; additionally, OpenID will be supported as an authentication mechanism. This system will also serve as a Shibboleth
Identity Provider (IdP) within the Touchstone environment.
</p>
</li>

<li><a name="heading8.8" id="heading8.8"></a><strong>What applications support MIT Touchstone?</strong><br>
<p>
A list of applications that support MIT Touchstone is available on the <a href="http://mit.edu/touchstone/www/applications.html">Touchstone enabled applications page</a>.
</p>
</li>

</ul>

<p align="right"><small>[<a href="#top">Back to top</a>]</small></p>
<hr size="1" noshade>

</td>
</tr>
<tr>
<td> </td>
</tr>
</table>
</td>
</tr>
</table>

<!-- begin Information Services and Technology footer -->
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="16" colspan="3"> </td>
</tr>
<tr valign="top" align="left">
<td width="13"> </td>
<td width="207" valign="middle"><a href="http://web.mit.edu"><img src="http://web.mit.edu/ist/images/footer_mit_logo.gif" width="62" height="36" alt="MIT" border="0" /></a></td>
<td><small><a href="http://web.mit.edu/ist/index.html" accesskey="2" title="Access Key: Alt (or control) + 2">Home</a>

<a href="http://web.mit.edu/ist/start/index.html" title="learn the basics of computing and communications">Getting
Started</a>

<a href="http://web.mit.edu/ist/services/index.html" title="find information, products, and services">Getting
Services</a>

<a href="http://web.mit.edu/ist/help/index.html" accesskey="8" title="Access Key: Alt (or control) + 8">Getting
Help</a>

<a href="http://web.mit.edu/ist/about/index.html" title="about IS, and our contact info">About
IS&T</a>

<a href="http://web.mit.edu/ist/accessibility.html" accesskey="7" title="Access Key: Alt (or control) + 7">Accessibility</a><br />
Ask a <a href="http://web.mit.edu/ist/help/index.html">technology question</a> or send a <a href="http://web.mit.edu/ist/contact.html" accesskey="0" title="Access Key: Alt (or control) + 0">comment about this web page.</a><a href="http://web.mit.edu/ist/accessibility.html" accesskey="0"></a></small></td>
</tr>
</table>
<br />

<!-- Begin MIT-use only web reporting counter -->
<img src="http://counter.mit.edu/tally" width="1" height="1" alt="">
<!-- End MIT-use only web reporting counter -->
<!-- end Information Services and Technology footer -->
</body>