Comment: Migration of unmigrated content due to installation of a new plugin

Wiki Markup
{html}
<head>
<!-- Change text within title tags below to the title of your page -->
<title>IS&amp;T: MIT Touchstone FAQ</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- Page Last Modified: 10/20/2008 -->
<!-- Insert "author" "keywords" and "description" meta tags here -->
<!-- For help with meta tags see http://web.mit.edu/ist/web/reference/create/metatags.html -->
<meta name="author" content="MIT Touchstone">
<meta name="keywords" content="MIT Touchstone, Touchstone, Shibboleth, web authentication, authentication, developer support">
<meta name="description" content="IS&amp;T: MIT Touchstone FAQ">

<!-- Please do not modify links to stylesheet or JavaScript -->
<!-- For help with style sheets see http://web.mit.edu/ist/admin/styleguide/stylesheets.html -->
<link rel="stylesheet" href="http://web.mit.edu/ist/styles/isstyles.css" type="text/css">
<script language="JavaScript" type="text/javascript" src="http://web.mit.edu/ist/scripts/rollover.js"></script>
<style type="text/css">
<!--
.style2 {color: #FF0000}
-->
</style>
</head>

<body bgcolor="#FFFFFF" text="#000000" marginwidth="0" marginheight="0" link="#006699" vlink="#666666" alink="#000000">

<!--Begin Information Services and Technology topnav - PLEASE DO NOT EDIT THIS CODE -->
<table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#993333">
<form method="get" action="http://search.mit.edu/search">
    <tr> 
      <!-- Begin image shims for accessibility purposes -->
      <!-- TD has no width set because NS6 is buggy -->
      <td height="73" rowspan="2" align="left" valign="top" nowrap class="islogobg"><a href="#startcontent" accesskey="4"><img src="http://web.mit.edu/ist/images/header_logo-5px-shim.gif" width="5" height="73" border="0" alt="Skip to content Accesskey=4"></a><a href="#subnavigation" accesskey="3"><img src="http://web.mit.edu/ist/images/header_logo-5px-shim.gif" width="5" height="73" border="0" alt="Skip to sub-navigation Accesskey=3"></a><a href="http://web.mit.edu/ist/accessibility.html" accesskey="7"><img src="http://web.mit.edu/ist/images/header_logo-3px-shim.gif" width="3" height="73" border="0" alt="View our Accessibility Options"></a></td>
      <!-- End image shims for accessibility purposes -->
      <td width="207" height="73" rowspan="2" align="left" valign="top" class="islogobg"><a href="http://web.mit.edu/ist/index.html"><img src="http://web.mit.edu/ist/images/header_is.gif" width="207" height="73" alt="MIT Information Services and Technology" border="0"></a></td>
      <td width="100%" height="43" align="left" valign="middle" nowrap="nowrap" bgcolor="#FFFFFF" class="topnav"><a href="http://web.mit.edu/ist/index.html" class="topnav" accesskey="2" title="Access Key: Alt (or control) + 2">Home</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="5" height="8" alt=""> 
        <a href="http://web.mit.edu/ist/about/index.html" class="topnav" title="about IS, and our contact info">About 
        IS&amp;T</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="5" height="8" alt=""> 
        <a href="http://web.mit.edu/ist/contact.html" class="topnav" accesskey="0" title="Access Key: Alt (or control) + 0">Contact 
        IS&amp;T</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="5" height="8" alt=""> 
        <a href="http://web.mit.edu/ist/sitemap.html" class="topnav" accesskey="6" title="Access Key: Alt (or control) + 6">Site 
        Map</a><img src="http://web.mit.edu/ist/images/spacer.gif" width="15" height="8" alt=""></td>
      <td width="50%" height="43" align="right" valign="middle" nowrap="nowrap" bgcolor="#FFFFFF" class="topnav">
<img src="http://web.mit.edu/ist/images/spacer.gif" width="3" height="1" alt="" >

<span class="search">Search</span>
<label for="search" accesskey="s">
<input id="search" name="q" type="text" size="10" class="quicklinks"></label>
<img src="http://web.mit.edu/ist/images/spacer.gif" width="1" height="1" alt="">
<!-- Begin Google search fields -->
<input type="hidden" name="proxyreload" value="1"><input type="hidden" name="site" value="ist"><input type="hidden" name="client" value="ist"><input type="hidden" name="output" value="xml_no_dtd"><input type="hidden" name="proxystylesheet" value="http://web.mit.edu/ist/styles/google-ist2.xsl"><label for="go"><input id="go" name="submit" type="image" src="http://web.mit.edu/ist/images/icon_go.gif" alt="Go" align="top" ></label>
<a href="http://web.mit.edu/ist/search/" class="topnav" accesskey="5" title="Access Key: Alt (or control) + 5">Advanced Search</a>
<img src="http://web.mit.edu/ist/images/spacer.gif" width="20" height="8" alt=""></td>
    </tr>
    <tr> 
      <td height="30" colspan="2" align="right" valign="top" nowrap="nowrap" class="headerbg"><a href="http://web.mit.edu/ist/start/index.html" onMouseOver="img1.src=img1ovr.src;" onMouseOut="img1.src=img1off.src;"><img src="http://web.mit.edu/ist/images/header_start_up.gif" width="163" height="30" name="img1" border="0" alt="Getting Started"></a><a href="http://web.mit.edu/ist/services/index.html" onMouseOver="img2.src=img2ovr.src;" onMouseOut="img2.src=img2off.src;"><img src="http://web.mit.edu/ist/images/header_service_up.gif" width="167" height="30" alt="Getting Services by Topic or Alphabetically " border="0" name="img2"></a><a href="http://web.mit.edu/ist/help/index.html" onMouseOver="img3.src=img3ovr.src;" onMouseOut="img3.src=img3off.src;"><img src="http://web.mit.edu/ist/images/header_help_up.gif" width="137" height="30" alt="Getting Help" border="0" name="img3"></a></td>
    </tr>
  </form>
</table>
<!-- End Information Services and Technology topnav -->

<table width="98%" border="0" cellspacing="0" cellpadding="0">
  <tr> 
    <td width="179" align="left" valign="top"> 
      <!--Left Nav -->
      <table width="220" border="0" cellspacing="0" cellpadding="0">
        <tr> 
          <td width="408" colspan="3" align="left" valign="top"><br> <img src="http://web.mit.edu/ist/images/circle_sm_news_image.gif" width="194" height="186" alt=""></td>
        </tr>
      </table>
      <!-- END Left Nav -->
      <a id="subnavigation" name="subnavigation"></a> <br> 
      <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr> 
          <td width="30"><img src="http://web.mit.edu/ist/images/spacer.gif" ALT="" width="27" height="10"></td>
          <td width="163" valign="top"> 
		  <p><a href="http://web.mit.edu/touchstone/www/index.html">MIT Touchstone</a></p>
					<table width="160" border="0" cellspacing="0" cellpadding="0">
                    	<tr>
                    		<td width="10">&nbsp;</td>
                    		<td><p>
                    		 <a href="applications.html">Touchstone enabled applications</a><br />
               				 <a href="http://idpe-staging.mit.edu/cams/CreateAccount.action">Register for a Collaboration Account (not for MIT people)</a><br />
               				 <!--  <a href="awareness.html">Awareness & Education</a><br /> -->
               				 <!-- <a href="resources.html">Resources</a><br />  -->
               				 FAQ<br />
							 <a href="http://web.mit.edu/ist/org/isda/">ISDA</a>  </p></td>
               			</tr>
                 </table>
                    <p><a href="">Obtaining X.509 certificates for a server</a></p>
					<p><a href="http://www.incommonfederation.org/">InCommon</a></p>
                    <p><a href="http://shibboleth.internet2.edu/">Shibboleth at Internet2</a></p>
       				<!-- <p><a href="../sensitive/index.html">Sensitive Data</a></p>  -->
			 		<!--  <p><a href="../related/index.html">Related Services</a></p>  -->
			 		<p>&nbsp;</p></td>
          <td width="27"><img src="http://web.mit.edu/ist/images/spacer.gif" ALT="" width="27" height="10"></td>
        </tr>
        <tr> 
          <td colspan="3"><img src="http://web.mit.edu/ist/images/title_relatedlinks.gif" alt="Related Links" width="206" height="20"></td>
        </tr>
        <tr> 
          <td> </td>
          <td> 
            <!--  <p><a href="mailto: security@mit.edu">Contact IT Security Support </a></p>  -->
            <p><a href="http://itinfo.mit.edu/answer/">Stock Answers</a> </p>
            <p> </p></td>
          <td> </td>
        </tr>
        <tr>
          <td width="30"><img src="http://web.mit.edu/ist/images/spacer.gif" ALT="" width="30" height="1"></td>
        </tr>
      </table></td>
 <!-- Main page content -->

    <td align="left" valign="top"> <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr> 
          <td width="115%"> <a id="startcontent" name="startcontent"></a><a name="top"></a><br> 
            <h1>MIT Touchstone FAQ</h1>
			<p><small><em>On this page: </em></small></p>

			<!-- <p><small><strong>Questions</strong>: <a href="#heading1">General</a> 
   			| <a href="#heading2">Using Touchstone</a> |  
   			  <a href="#heading3">Collaboration Accounts</a> | 
   			  <a href="#heading4">Adding an application</a> | 
   			  <a href="#heading5"></a> | 
   			  <a href="#heading6"></a> | 
   			  <a href="#heading7"></a></small></p>  -->

			<p><small><strong>Answers</strong>: <a href="#heading8">General</a> 
   				| <a href="#heading9">Using Touchstone</a>   
   				|  <a href="#heading10">Accounts: MIT versus Collaboration Account</a>  
   				|  <a href="#heading11">Developer Support</a> 
   				|  <a href="#heading12">System Integrator questions about Shibboleth</a>
   				|  <a href="#heading13">Attribute release policies and privacy</a> 
   				  <!--   | <a href="#heading13"></a> -->  
   				  <!--   | <a href="#heading14"></a>  -->
   		       </small></p>

			<hr size="1" noshade>

            <h4>Questions:</h4>
            <p>These are some commonly asked questions regarding MIT Touchstone. If you don't find what you need on this page, 
               IS&amp;T maintains an online database called <a href="http://itinfo.mit.edu/answer/">Stock Answers</a>. </p>

            <hr size="1" noshade>
            <h4> <strong><a name="heading1" id="heading1"></a></strong>General</h4>
            <ul>
              <li><a href="#heading8.1">What is MIT Touchstone?</a></li>
              <li><a href="#heading8.2">Do I need MIT Touchstone?</a></li>
			  <li><a href="#heading8.3">Is MIT Touchstone a single sign-on solution?</a></li>
              <li><a href="#heading8.4">Why has IS&amp;T introduced Touchstone?</a></li>
              <li><a href="#heading8.5">How will MIT Touchstone improve the user experience?</a></li>
              <li><a href="#heading8.6">Why should a department, lab, or center, integrate their web application into Touchstone?</a></li>
              <li><a href="#heading8.7">What technologies does Touchstone use?</a></li>
              <li><a href="#heading8.8">What applications support MIT Touchstone?</a></li>
              
            </ul>            

			<hr size="1" noshade>
            <h4> <strong><a name="heading2" id="heading2"></a></strong>Using Touchstone</h4>
            <ul>
              <li><a href="#heading9.1">Does MIT Touchstone or Shibboleth provide authentication for native client applications?</a></li>
              <li><a href="#heading9.2">Can I use MIT Touchstone or Shibboleth to secure SOAP based web services?</a></li>
              <li><a href="#heading9.3">What browsers are supported by MIT Touchstone / Shibboleth?</a></li>
              <li><a href="#heading9.4">Does MIT Touchstone or Shibboleth use cookies?</a></li>
              <li><a href="#heading9.5">Is it possible to configure Shibboleth in such a 
				way that it writes the cookies as URL parameters?</a></li>
              <li><a href="#heading9.6">Does MIT Touchstone or Shibboleth require Javascript?</a></li>
              <li><a href="#heading9.7">Can I use wget to access a web page protected by Shibboleth or MIT Touchstone?</a></li>
              <li><a href="#heading9.8">How do I configure my browser to use Kerberos tickets to authenticate to MIT Touchstone?</a></li>
              <li><a href="#heading9.9">What about privacy?</a></li>
              
            </ul>            

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

			<hr size="1" noshade>
			<h4> <strong><a name="heading3" id="heading3"></a></strong>Accounts: MIT versus Collaboration Account</h4>
            <ul>
            	<li><a href="#heading10.1">What is an identity provider?</a></li>
            	<li><a href="#heading10.2">What is a WAYF?</a></li>
            	<li><a href="#heading10.3">What is federated identity and federated authentication?</a></li>
            	<li><a href="#heading10.4">How do I know if I have an MIT account?</a></li>
            	<li><a href="#heading10.5">How do I obtain an MIT account?</a></li>
            	<li><a href="#heading10.6">What is a Collaboration Account?</a></li>
            	<li><a href="#heading10.7">What is CAMS?</a></li>
            	<li><a href="#heading10.8">How do I obtain a Collaboration Account?</a></li>
            	<li><a href="#heading10.8.1">How do I edit my Collaboration Account profile and manage my account?</a></li>
            	<li><a href="#heading10.9">Can I create Collaboration Accounts for others?</a></li>
            	<li><a href="#heading10.10">What is InCommon or the InCommon Federation?</a></li>
            	<li><a href="#heading10.11">Can an MIT email address be used to register a Collaboration Account?</a></li>
            	<li><a href="#heading10.12">I have an account with an InCommon participant, can I still register for a Collaboration Account?</a></li>
            	<li><a href="#heading10.13">Can I use OpenID to authenticate to MIT Touchstone enabled applications?</a></li>
            	
            </ul>            

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>
            <hr size="1" noshade>

            <h4> <strong><a name="heading5" id="heading5"></a></strong>Developer Support</h4>
            <ul>
              <li><a href="#heading11.1">If I am a developer interested in enabling an application, 
              do I need to know about all of the MIT Touchstone technologies? Or do I just need to know about Shibboleth?</a></li>
              <li><a href="#heading11.2">How can I get some help getting started?</a></li>
              <li><a href="#heading11.3">What platforms and environments are supported?</a></li>
              <li><a href="#heading11.4">Do I need to register or sign up with IS&amp;T to have my application use Shibboleth or MIT Touchstone?</a></li>
              <li><a href="#heading11.5">What sort of user identifiers and attributes are available to my applications?</a></li>
              
            </ul>            


            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

		    <hr size="1" noshade>



			<h4> <strong><a name="heading4" id="heading4"></a></strong>System Integrator questions about Shibboleth</h4>
            <ul>
              <li><a href="#heading12.1">How long do user sessions last and is there an inactivity timeout?</a></li>
              <li><a href="#heading12.2">Does Shibboleth support logout? </a></li>
              <li><a href="#heading12.3">Can Shibboleth be set up without a WAYF? </a></li>
              <li><a href="#heading12.4">How do I authorize/limit access to my application using Shibboleth?</a></li>
              <li><a href="#heading12.5"></a></li>
            </ul>            

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

 			 <hr size="1" noshade>
            <h4> <strong><a name="heading6" id="heading6"></a></strong>Attribute release policies and privacy</h4>
            <ul>
              <li><a href="#heading13.1">What is an attribute release policy?</a></li>
              <li><a href="#heading13.2">Can a user restrict what information about them gets released?</a></li>
              <li><a href="#heading13.3">What attributes do you release about MIT users?</a></li>
              <li><a href="#heading13.4">What attributes do you release about people with Collaboration Accounts?</a></li>
            </ul>            


            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

		    <hr size="1" noshade>
		    <hr size="1" noshade>


            <h4>Answers:</h4>
		    <hr size="1" noshade>
			
            <h4> <strong><a name="heading8" id="heading8"></a></strong>General</h4>
            <ul>
              <li><a name="heading8.1" id="heading8.1"></a><strong>What is MIT Touchstone?</strong>
              	<p>
                MIT Touchstone is a new suite of technologies for authenticating a variety of web applications, being introduced by IS&amp;T.
                It is focused on supporting web applications. It is not suitable for authenticating native desktop applications.
                </p>
              </li>

              <li><a name="heading8.2" id="heading8.2"></a><strong>Do I need MIT Touchstone?</strong>
              	<p>
              	MIT Touchstone and Shibboleth are of interest if you're supporting a web application on an Apache, Microsoft IIS, or Netscape/iPlanet/Sun web 
              	server that needs to authenticate its users, especially if the population is drawn from not only the faculty, staff, or students of 
              	MIT, but also other educational institutions in the InCommon federation and other users that do not already
              	have an MIT Kerberos account. MIT Touchstone will enable users to login with their MIT Kerberos account
              	or other account, but avoids the need for your application to validate or manage passwords. Various kinds of attribute 
              	information about users can also be provided to your application for personalization or, in some limited cases, authorization.
                </p>
              </li>


              <li><a name="heading8.3" id="heading8.3"></a><strong>Is MIT Touchstone a single sign-on solution?</strong>
              <p>
              MIT Touchstone does provide a single sign-on solution for applications that have been coded and configured to 
              use the system. Within the context of Touchstone enabled applications, users will be able to seamlessly transition 
              between systems without being prompted for additional authentication information.
              </p>  
			  </li>


              <li><a name="heading8.4" id="heading8.4"></a><strong>Why has IS&amp;T introduced Touchstone?</strong>
              <p>
              MIT Touchstone introduces some new functionality into the MIT environment. It allows MIT people to use 
              a wider variety of authentication mechanisms, under a variety of conditions, when accessing a number of 
              MIT web applications. As we move forward it will also enable MIT users to access some web applications at 
              other sites without establishing a new account with the other site. In addition to supporting MIT X.509 
              certificates, people may also use Kerberos, or a username and password over TLS. Web developers at MIT will 
              be able to use federated authentication, so that they can easily determine whether an MIT user, or a user from 
              another authentication authority, has authenticated.
              </p>
              </li>

              <li><a name="heading8.5" id="heading8.5"></a><strong>How will MIT Touchstone improve the user experience?</strong>
                <p>
				MIT users will be able to use a variety of mechanisms to authenticate to Touchstone enabled web applications. This 
				means that if a user is borrowing a computer or sharing a computer with others, they may choose to use a password 
				instead of installing a certificate. On the other hand, users of the WIN.MIT.EDU or Athena environments may choose 
				to configure their profiles so that native Kerberos is used. This means that the system will automatically 
				authenticate the user to web applications when needed by using the Kerberos ticket obtained when first logging into 
				the workstation. Of course, certificates are still supported so users can continue to use their current procedures.
				</p>
              </li>

			  <li><a name="heading8.6" id="heading8.6"></a><strong>Why should a department, lab, or center, integrate their web application into Touchstone?</strong><br>
			  	<p>
				By adopting one technology, the web server essentially outsources the authentication task and ends up enabling the users 
				to authenticate with a much wider variety of authentication mechanisms, including passwords, X.509 certificates, Kerberos, 
				and OpenID. At the same time the web server will avoid the typical risks and concerns associated with consuming passwords. 
				Nor will the system have to have any code to deal with certificates, Kerberos, or OpenID.
				</p>
				<p>
				Another benefit is that the web application will no longer have to deal with local accounts or special accounts for external 
				users and collaborators. Instead the management of that community can be outsourced to Touchstone's external account management 
				system. By doing so, the users are provided with self-service passwords resets, and the ability to use OpenID if they don't want 
				to use passwords. This means that web applications will have the same interfaces and code paths to deal with authenticated users.
				</p>
				<p>	
				DLCs should also be aware that Touchstone supports federated authentication. This means that as Touchstone establishes relationships 
				with other identity providers, the web applications will be able to interact with an even wider audience if desired. Touchstone 
				has already established a relationship with ProtectNetwork.org and is expected to join the InCommon federation in the near future.
				</p>
			  </li>
			  			  
			  <li><a name="heading8.7" id="heading8.7"></a><strong>What technologies does Touchstone use?</strong>
			  <p>
			  MIT Touchstone is actually a suite of technologies, including Stanford's WebAuth, Internet 2's Shibboleth, SAML (the Security 
			  Assertion Markup Language), and a new account management system for some users outside of the traditional MIT community. The system 
			  uses HTTP redirection extensively, and uses other standard web technologies such as SSL.
			  </p>
			  <p>
				The primary login server is using Stanford's WebAuth package for initial authentication.  The login server 
				will initially support three authentication mechanisms -- MIT X.509 certificates, Kerberos (via the HTTP/SPNEGO 
				protocol), and MIT usernames and passwords over TLS. The WebAuth server is bound to a Shibboleth Identity Provider 
				(IdP). The IdP is then treated as a trusted third party by the web application servers; it makes signed assertions 
				to these applications servers, communicating information about the authenticated users to each web server. From an 
				architectural perspective, this is very similar to the model used by Kerberized applications on campus today, although 
				different protocols are used.
				Each web application server that wishes to use Touchstone will have to run the Shibboleth Service Provider (SP) component 
				as well. This required software is available for Apache and IIS web servers; in the future we may also support web servers 
				that use Tomcat without Apache, but that option will not be available initially.
			  </p>
			  <p>
				In conjunction with Touchstone, IS&amp;T is creating a new accounts management system intended to support users that are 
				not part of the core MIT community, and thus would not have MIT Kerberos accounts.  Accounts managed by this system 
				will identify the user by their external email address. This system will also provide a login server that will accept 
				passwords; additionally, OpenID will be supported as an authentication mechanism. This system will also serve as a Shibboleth 
				Identity Provider (IdP) within the Touchstone environment.
			  </p>
			  </li>
			  			  
			  <li><a name="heading8.8" id="heading8.8"></a><strong>What applications support MIT Touchstone?</strong><br>
			  <p>
			  	A <a href="http://mit.edu/touchstone/www/applications.html">list of applications that support MIT Touchstone</a> is available.
			  </p>
			  </li>
			  			  
			  			  
			  			  
            </ul>            

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>
		    <hr size="1" noshade>
            <h4> <strong><a name="heading9" id="heading9"></a></strong>Using Touchstone</h4>
            
            
            <ul>
              <li><strong><a name="heading9.1" id="heading9.1"></a>Does MIT Touchstone or Shibboleth provide authentication for native client applications?</strong>
              <p>
              No. MIT Touchstone and Shibboleth are designed to support web applications and use from a browser.
              </p>
			  </li>

              <li><strong><a name="heading9.2" id="heading9.2"></a>Can I use MIT Touchstone or Shibboleth to secure SOAP based web services?</strong>
              <p>
              No, not at this time. Shibboleth and MIT Touchstone are intended for use from within a web browser. 
              </p>
			  </li>


              <li><strong><a name="heading9.3" id="heading9.3"></a>What browsers are supported by MIT Touchstone / Shibboleth?</strong>
              <p>
              We're not currently aware of any browsers that do not work with Shibboleth or MIT Touchstone. Functional testing has been performed
              using IE6, IE7, Safari on Mac OSX, Firefox 2.x and 3.x on Linux and Windows. Some mobile browsers have been tested as well.
			  </p>
			  <p>
			  If you are aware of a browser that does not work well with Shibboleth or the MIT Touchstone login pages please 
			  contact the MIT computing help desk. 
			  </p>
              </li>


              <li><strong><a name="heading9.4" id="heading9.4"></a>Does MIT Touchstone or Shibboleth use cookies?</strong>
              <p>
              Yes, you must have cookies enabled on your browser in order to use Shibboleth and MIT Touchstone. 
              </p>
              <p>
              There are multiple cookies stored for multiple domains. 
              </p>
              <p>
              One cookie will identify the login site of your IdP. The cookie stores a session ID that is needed to 
              know whether you are already authenticated or not. This cookie is required. This is a session cookie. 
              </p>
              <p>
              Another cookie will identify the web server hosting the resource you want to access. This cookie stores a 
              session ID and potentially the URL that you requested before being authenticated. This cookie is required. This is 
              a session cookie. 
              </p>
              <p>
              Depending on options that you have chosen, some persistent cookies may also be stored: for example, if you have selected the
              option to always use existing Kerberos tickets to login, or if you have selected the option to always use certificates 
              to login. The WAYF server may also store a persistent cookie so that you will not always have to reselect which IdP to use.  
              </p>
			  </li>

              <li><strong><a name="heading9.5" id="heading9.5"></a>Is it possible to configure Shibboleth in such a 
				way that it writes the cookies as URL parameters? </strong>
              <p>
               No. At this time (October 2008) Internet 2 has not indicated that they are interested in supporting this feature in Shibboleth.  
              </p>
			  </li>

              <li><strong><a name="heading9.6" id="heading9.6"></a>Does MIT Touchstone or Shibboleth require Javascript? </strong>
              <p>
               Although MIT Touchstone assumes Javascript is enabled, and uses it, it is still possible to authenticate if you do not have 
               Javascript enabled. Instead of being automatically redirected back to the application that you are trying to access, you will have to 
               use a button to complete a form post.  
              </p>
              <p>
               Note that some applications that use MIT Touchstone or Shibboleth for authentication may have their own internal requirements that 
               require Javascript in order for the application to work. 
              </p>
			  </li>

              <li><strong><a name="heading9.7" id="heading9.7"></a>Can I use WGET to access a web page protected by Shibboleth or MIT Touchstone?</strong>
              <p>
               It should be possible to use WGET to access Shibboleth or MIT Touchstone protected pages. However, at this time we do not have specific
               documentation of how you would do this. More <a href="http://en.wikipedia.org/wiki/Wget">information on using wget can be found here</a>.  
              </p>
			  </li>

              <li><strong><a name="heading9.8" id="heading9.8"></a>How do I configure my browser to use Kerberos tickets to authenticate to MIT Touchstone?</strong>
              <p>
               FireFox, IE, and Safari each offer some support for using existing Kerberos tickets to authenticate to the login server 
               used by the MIT user community. FireFox and IE each require the user to perform some 
               <a href="https://idp.mit.edu/spnego-help.html">browser configuration to enable the use of Kerberos authentication</a>.   
              </p>
			  </li>
			  
              <li><strong><a name="heading9.9" id="heading9.9"></a>What about privacy?</strong>
              <p>
				Shibboleth software was designed with privacy in mind. Please see the section on "Attribute release policies and privacy"
				for more details.
              </p>
			  </li>
			  



            </ul>            
            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>
		    <hr size="1" noshade>

            <h4> <strong><a name="heading10" id="heading10"></a></strong>Accounts: MIT versus Collaboration Account</h4>
            <ul>
              <li>
              		
                <strong><a name="heading10.1" id="heading10.1"></a>What is an identity provider?</strong><br>
                <p>
                An 'Identity Provider' (sometimes abbreviated 'IdP') is a service hosted by an organization which publishes 
                electronic identity information for users that have an account, or some relationship, with the organization.
                </p>
                <p>
				An 'Identity Provider' acts as a trusted third party when a user attempts to access an application. The application 
				can communicate with the IdP to determine if the user is authenticated and potentially obtain further information
				about the user. 
                </p>
                <p>
                As part of MIT Touchstone, MIT operates two IdPs. One of the IdPs serves all of the people that have an MIT Kerberos username. 
                The other IdP serves people that have a Collaboration Account, hosted by TouchstoneNetwork.net. 
                </p>
              </li>

              <li><strong><a name="heading10.2" id="heading10.2"></a>What is a WAYF?</strong><br>
				<p>
				WAYF stands for "Where Are You From". When an application is willing to communicate with multiple identity providers, or a federation
				of identity providers, it needs to determine which IdP should be used for a specific user. The WAYF provides this ability, typically by
				asking the user to indicate which organization has his or her account information. 
				</p>
				<p>
				MIT Touchstone operates one WAYF. Using that WAYF people may select the MIT IdP, the TouchstoneNetwork IdP, or they may select 
				a third choice which will bring them to the WAYF operated by the InCommon Federation.
				</p>
              </li>


            	<li><strong><a name="heading10.3" id="heading10.3"></a>
            	What is federated identity and federated authentication?</strong>
            	<p>
            	Identity Federation provides users access to applications across the Internet without the need for 
            	multiple login credentials or accounts.
            	</p>
            	<p>
            	Federated authentication allows organizations to share credentials and attributes for authentication 
            	and authorization, reducing the need to maintain user profiles in multiple systems.
            	</p>
            	</li>
            	<li><strong><a name="heading10.4" id="heading10.4"></a>
            	How do I know if I have an MIT account?
            	</strong>
            	<p>
            	The term "MIT account" means that you have an MIT Kerberos account. If you are a registered student, or a full 
            	time employee, you have an MIT account. Many other people also have an MIT account. One prerequisite for having 
            	an MIT account is to have an MIT ID number.
            	</p>
            	<p>
				An MIT account comes with some default entitlements. It means that you also have an MIT email address. It means that
				you can obtain an MIT X.509 certificate. It means that you have some file system quota assigned to you. 
            	</p>
            	</li>
            	<li><strong><a name="heading10.5" id="heading10.5"></a>
            	How do I obtain an MIT account?</strong>
            	<p>
            	If you are a registered <a href="http://web.mit.edu/accounts/www/getaccount.html">student</a>, 
            	or a full time <a href="http://web.mit.edu/ist/start/newhires/">employee</a>, you have an MIT account 
            	or are eligible to register for one if you have not already done so.
            	</p>
            	<p>
            	Any MIT faculty or staff member can <a href="http://itinfo.mit.edu/answer.php?id=1073">sponsor MIT guest accounts</a>.
            	</p>
            	</li>

            	<li><strong><a name="heading10.6" id="heading10.6"></a>
            	What is a Collaboration Account?</strong>
            	<p>
            	A Collaboration Account is not a traditional MIT account. MIT Touchstone created a new accounts management system in order to support
            	people that are not part of the traditional MIT user community, and do not have an account with a member of the InCommon Federation. 
            	For lack of a better term we call these accounts Collaboration Accounts.  
            	</p>
            	<p>
            	The Collaboration Accounts management system allows nearly anyone in the world to self-register for an account at any time. 
            	</p>
            	<p>
            	A Collaboration Account does not grant the user an MIT email address. It does not grant the user any file system quota. It does 
            	not grant the user any default entitlements. However, web applications that are Touchstone enabled may support authentication
            	by people that have a Collaboration Account. 
            	</p>
            	</li>
            	<li><strong><a name="heading10.7" id="heading10.7"></a>
            	What is CAMS?</strong>
            	<p>
            	CAMS stands for Collaboration Accounts Management System. It is one of the services that make up MIT Touchstone. 
            	</p>
            	<p>
            	If an MIT web application needs to support users that do not have an MIT Kerberos account, then the application should 
            	be configured to enable users with Collaboration Accounts to authenticate to it.   
            	</p>
            	
            	</li>
            	<li><strong><a name="heading10.8" id="heading10.8"></a>
            	How do I obtain a Collaboration Account?</strong>
            	<p>
            	You can <a href="http://idp.touchstonenetwork.net/cams/CreateAccount.action">register for a Collaboration Account</a> online.
            	</p>
            	<p>
            	Please note that an MIT email address cannot typically be used to register for a Collaboration Account. 
            	</p>
            	
            	</li>
            	<li><strong><a name="heading10.8.1" id="heading10.8.1"></a>
                How do I edit my Collaboration Account profile and manage my account?</strong>
            	<p>
            	You can edit your Collaboration Account profile, change your name, manage your account or delete your account on the <a href="http://idp.touchstonenetwork.net/cams/UserProfile.action">Collaboration Account profile page</a>.
            	</p>
            	<p>
            	Please note that an MIT email address cannot typically be used to register for a Collaboration Account. 
            	</p>
            	
            	</li>

            	<li><strong><a name="heading10.9" id="heading10.9"></a>
            	Can I create Collaboration Accounts for others?</strong>
            	<p>
            	Most users do not have this ability. However, if you have a business need, this privilege and responsibility can be granted to you.
            	</p>
            	<p>
            	The system also has support for creating accounts in batches. Email will be sent to each one of the external users telling them how
            	to complete the account registration process.
            	</p>
            	</li>
            	<li><strong><a name="heading10.10" id="heading10.10"></a>
            	What is InCommon or the InCommon Federation?</strong>
            	<p>
            	InCommon's goal is to eliminate the need for researchers, students, and educators to maintain multiple passwords 
            	and usernames. Online service providers no longer need to maintain user accounts. Identity providers manage the 
            	levels of their users' privacy and information exchange. InCommon uses SAML-based authentication and authorization 
            	systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants. 
            	</p>
            	<p>
            	The mission of the <a href="http://www.incommonfederation.org/">InCommon Federation</a> is to create and support a 
            	common framework for trustworthy 
            	shared management of access to on-line resources in support of education and research in the United 
            	States. To achieve its mission, InCommon will facilitate development of a community-based common trust 
            	fabric sufficient to enable participants to make appropriate decisions about access control information 
            	provided to them by other participants. InCommon is intended to enable production-level end-user access to a 
            	wide variety of protected resources. InCommon uses standards-based, SAML-compliant Shibboleth® as its 
            	federating system. 
            	</p>
            	</li>

            	<li><strong><a name="heading10.11" id="heading10.11"></a>
            	Can an MIT email address be used to register a Collaboration Account?
            	</strong>
            	<p>
            	Email addresses ending in "@mit.edu" cannot be used to register for a Collaboration Account. Users with these accounts can 
            	instead authenticate using the normal MIT Identity Provider (idp.mit.edu). 
            	</p>
            	<p>
            	MIT departmental addresses, e.g. "@example.mit.edu", can be used to register for a Collaboration Account. However, 
            	users are discouraged from doing so. The registration process will warn the user that they should probably use the normal
            	MIT Identity Provider. Please note that Collaboration Accounts are likely to have less privileged access to many applications,
            	and access to fewer applications in general. 
            	</p>
            	</li>
            	<li><strong><a name="heading10.12" id="heading10.12"></a>
            	I have an account with an InCommon participant, can I still register for a Collaboration Account?
            	</strong>
            	<p>
            	Yes. However, the registration process will normally warn you that you may not need a Collaboration Account and that your
            	account from another InCommon Federation participant may meet your needs just as well.  
            	</p>
            	</li>
            	<li><strong><a name="heading10.13" id="heading10.13"></a>
            	Can I use OpenID to authenticate to MIT Touchstone enabled applications?
            	</strong>
            	<p>
            	In many cases yes, but there are several caveats. First, Touchstone enabled applications don't use OpenID natively. Instead
            	they use Shibboleth as the native authentication mechanism. The Collaboration Accounts management system will let registered users
            	associate an OpenID identifier with their Collaboration Account. 
            	</p>
            	<p>
            	Once a user has associated an OpenID identifier with their Collaboration Account, then they can use OpenID to authenticate to the 
            	IdP at idp.touchstonenetwork.net. That IdP is normally accessed by selecting "b. Touchstone Collaboration Account" choice at 
            	the WAYF server. 
            	</p>
            	<p>
            	Not all OpenID providers are usable at this time. At the moment the system does not fully support the OpenID 2.0 specification. 
            	This means that OpenIDs from Yahoo.com are not registerable or usable at this time. If we become aware of other OpenID domains
            	that do not work, we will normally configure the accounts management system to issue a warning if you try to register an 
            	OpenID from one of the "problem" domains. 
            	</p>
            	</li>


            </ul>            

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>


		    <hr size="1" noshade>
            <h4> <strong><a name="heading11" id="heading11"></a></strong>Developer Support</h4>
            <ul>
              <li>
              <strong><a name="heading11.1" id="heading11.1"></a>
              If I am a developer interested in enabling an application, do I need to know about all of the MIT Touchstone technologies? 
              Or do I just need to know about Shibboleth?
              </strong>
              <p>
              Most of the technologies and systems that are implemented and used by MIT Touchstone are abstracted away from the individual
              web application developer or system administrator. However, Shibboleth must be used by individual web applications. Developers,
              system integrators, and system administrators responsible for web applications should become familiar with Shibboleth. 
			  </p>
              </li>
              
			  <li>
			  <strong><a name="heading11.2" id="heading11.2"></a>
			  How can I get some help getting started?
			  </strong>
			  <p>
			  Send mail to touchstone-support. This will create an MIT Request Tracker case with the group that is currently supporting 
			  MIT Touchstone. 
			  </p>
			  </li>
			  
			  <li>
			  <strong><a name="heading11.3" id="heading11.3"></a>
			  What platforms and environments are supported?
			  </strong>
			  <p>
			  MIT is currently supporting Shibboleth 1.3. Shibboleth 2.1 is the latest officially supported SP release. We will soon be working
			  with selected customers on Shibboleth 2.1. Both releases are supported for use with Apache, IIS, and Sun/iPlanet/Netscape web servers, 
			  and the range of officially supported platforms includes Windows NT4/2000/XP/2003/2008, Solaris, Mac OS X, and various flavors of Red Hat 
			  Linux. Other Unix platforms that support the GNU C/C++ compiler collection may also work, but are not supported officially.
			  </p>
			  </li>

			  <li>
			  <strong><a name="heading11.4" id="heading11.4"></a>
			   Do I need to register or sign up with IS&T to have my application use Shibboleth or MIT Touchstone?
			  </strong>
			  <p>
			  Yes and no. It's possible to only consume the authentication messages produced by Shibboleth, but a very 
			  minimal set of information about the user will be available to your application, generally only the 
			  <a href="">eduPersonScopedAffiliation</a> attribute, and not including any unique or personally-identifying information.
			  </p>
			  <p> 
			  In other words, without registration, you'll know that some user has authenticated, but you won't know
			  who that user is.
			  </p>
			  <p> 
			  This protects user privacy by ensuring that only services that are known and authorized to receive 
			  personal information can do so. To receive additional information, applications must be registered with IS&T so 
			  that the IdP will know what information to release to the application. A server certificate is also needed to 
			  authenticate the application to the IdP. 
			  </p>
			  <p>If 
			  you're interested in registering your services, you will be asked to describe your application(s) and how you 
			  intend to handle and protect the personal information you receive. 
			  The process is outlined <a href="">here</a>.
			  </p>
			  
			  </li>
			  

            </ul>            

            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

		    <hr size="1" noshade>


            <h4> <strong><a name="heading12" id="heading12"></a></strong>System Integrator questions about Shibboleth</h4>
            <ul>

              <li>
              <strong><a name="heading12.1" id="heading12.1"></a>
              How long do user sessions last and is there an inactivity timeout?
              </strong>
              <p>
              The Shibboleth software allows you to control the time elapsed before sessions with your applications 
              expire. A timeout based on inactivity with your applications can also be enforced. However, this is distinct 
              from the lifetime of the overall session that enables single sign-on, and in most cases using a local 
              timeout that is shorter than the overall period is not useful. The overall session lifetime enforced by 
              the MIT identity provider is ten (10) hours. Other identity providers will likely have different policies.
              </p>
			  </li>
			  
              <li>
              <strong><a name="heading12.2" id="heading12.2"></a>
              Does Shibboleth support logout? 
              </strong>
              <p>
              No, not at this time. It will likely be supported in a future release in a best effort fashion, 
              but it should not be relied upon.  Instead, users should log out of their desktop or 
              at least exit the browser in order to log out. This is the same as we currently recommend for users of personal
              X.509 certificates.
              </p>
			  </li>


              <li>
              <strong><a name="heading12.3" id="heading12.3"></a>
              Can Shibboleth be set up without a WAYF?
              </strong>
              <p>
              Yes. This is reasonable if your application will only support one user community, or one identity provider. 
              However, we recommend that you strongly consider supporting a wider user community if it makes any sense for
              your application or business function.
              </p>
              <p>
              It is also possible to set up your application without using a WAYF even if you are supporting the use of more 
              than one identity provider. Sometimes an application wants to tightly control its own look and feel. In such cases the 
              application can function as if it were its own WAYF. Although this is possible we generally recommend that 
              systems use the WAYF. We feel that consistency in appearance, across multiple applications, for this aspect of authentication 
              is desirable. 
              </p>
			  </li>


            </ul>            


            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

		    <hr size="1" noshade>

            <h4> <strong><a name="heading13" id="heading13"></a></strong>Attribute release policies and privacy</h4>
            <ul>
              <li>
              <strong><a name="heading13.1" id="heading13.1"></a>
			   What is an attribute release policy?              
              </strong>
              <p>
              </p>
			  </li>

              <li>
              <strong><a name="heading13.2" id="heading13.2"></a>
			   Can a user restrict what information about them gets released?              
              </strong>
              <p>
              </p>
			  </li>

              <li>
              <strong><a name="heading13.3" id="heading13.3"></a>
			   What attributes do you release about MIT users?              
              </strong>
              <p>
              </p>
			  </li>

              <li>
              <strong><a name="heading13.4" id="heading13.4"></a>
			   What attributes do you release about people with Collaboration Accounts?              
              </strong>
              <p>
              </p>
			  </li>
			
			</ul>
			
            <p align="right"><small>[<a href="#top">Back to top</a>]</small></p>

		    <hr size="1" noshade>



          </td>
        </tr>
        <tr>
          <td>&nbsp;</td>
        </tr>
      </table>
     </td>
  </tr>
</table>


<!-- begin Information Services and Technology footer -->
<table border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td height="16" colspan="3"> </td>
  </tr>
  <tr valign="top" align="left">
    <td width="13"> </td>
    <td width="207" valign="middle"><a href="http://web.mit.edu"><img src="http://web.mit.edu/ist/images/footer_mit_logo.gif" width="62" height="36" alt="MIT" border="0" /></a></td>
    <td><small><a href="http://web.mit.edu/ist/index.html" accesskey="2" title="Access Key: Alt (or control) + 2">Home</a>
      | <a href="http://web.mit.edu/ist/start/index.html" title="learn the basics of computing and communications">Getting
      Started</a> | <a href="http://web.mit.edu/ist/services/index.html" title="find information, products, and services">Getting
      Services</a> | <a href="http://web.mit.edu/ist/help/index.html" accesskey="8" title="Access Key: Alt (or control) + 8">Getting
      Help</a> | <a href="http://web.mit.edu/ist/about/index.html" title="about IS, and our contact info">About
      IS&amp;T</a> | <a href="http://web.mit.edu/ist/accessibility.html" accesskey="7" title="Access Key: Alt (or control) + 7">Accessibility</a><br />
      Ask a <a href="http://web.mit.edu/ist/help/index.html">technology question</a> or send a <a href="http://web.mit.edu/ist/contact.html" accesskey="0" title="Access Key: Alt (or control) + 0">comment about this web page.</a><a href="http://web.mit.edu/ist/accessibility.html" accesskey="0"></a></small></td>
  </tr>
</table>
<br />

<!-- Begin MIT-use only web reporting counter -->
<img src="http://counter.mit.edu/tally" width="1" height="1" alt=""> 
<!-- End MIT-use only web reporting counter -->
<!-- end Information Services and Technology footer -->
</body>








{html}