Summary:
The WebSSO project has three clearly targeted customers for piloting:
- Stellar 3
- Thalia
- Confluence Wikis
The scope includes Single Sign-on for MIT community users via certificate or Kerberos username/password, as well as external users that log on through another mechanism. Both Stellar 3 and Thalia have the external user requirement. External users are defined as people who need access to MIT web resources, but who do not (and should not) have MIT accounts and the full provisioning that goes with MIT accounts (email, AFS lockers, MIT ID, etc).
The general approach is to use Shibboleth at the application level and to provide two Identity Providers (IdP) that federate through Shibboleth so as to allow both MIT community users and external users. Th two Identity Providers being used for the pilot are:
- MIT version of WebAuth (open source from Stanford), which will support Kerberos username/password and certificate logins
- ProviderNet, an external identity provider
In a later production version, MIT may develop its own Identity Provider.
The overall timeline is:
Sept 2007: pilot Shibboleth/WebAuth/ProviderNet with the 3 applications above, in a non-critical way
Jan 2008: limited production for pilot applications
begin development on MIT external user IdP
May 2008: begin piloting MIT external user IdP
open to more customers
Aug 2008: production, open to MIT community