EuroCAMP, Tuesday, November 23rd, 2010
Brook Schofield, Project Development Officer
brook@terena.org
www.terena.org
EuroCAMP Authentication (AuthN)
Slide 1
Campus Architecture & Middleware Planning…
› My Blurb:
› Focusing on the first step of the 'domestication' progression we'll cover authentication for applications, showing examples of externalising authentication and identifying the technologies of interest to this group.
› Q: First step?
› Q: Domestication?
› applications that work well with enterprise infrastructure, typically by externalizing group management, authentication, and/or authorization - COmanage webpage via RL ‘Bob’ Morgan
Slide 2
AuthN is easy!
› That’s why everyone does it!
› Previously everyone "had" to do it.
› Campuses created accounts because their students needed them.
› Commercial providers created accounts so people could access them.
› Password synchronization is handled by the user.
Slide 3
Remember to squat your name! http://namechk.com/ Slide 4
Many campus solutions to the username/password problem.
› NIS, Novell, Windows for Work Groups, LDAP and Microsoft AD, Kerberos, CAS, WebAuth
› Limited to the Campus
› Need to expand outside the Campus
Slide 5
We preached it, but didn’t live it. Slide 6
TERENA Externalising AuthN Slide 7
The campus problem disrupted.
› Campuses always had external resources
› Solved by liberal licensing
› Reverse Proxies
› VPN
› Complicated by:
› Mobile students
› Proliferation of Devices
› IPv6
› $£€¥₨
Slide 8
Storm Brewing. Slide 9
Levels in the AuthN Continuum
› 1 - Username/Password for All Services
› Manual sign-up by the user
› Password reset problem
› Deprovisioning Problem
› 2 - Shared Identity
› LDAP Backend
› Password Synchronisation (maybe)
› 3 - Externalised Identity
› Identity Federation (SAML)
› Single Point
› OpenID vs Facebook vs Google
Slide
Quick Poll…
How many username/password combinations do you use in a day? Including the ones that your browser / OS remember for you.
› 1
› 2-5
› 5-15
› 15+
Slide
Do we feel special? Slide
Integrating 3rd Party Applications Slide
Integrating 3rd Party Applications
› Stupid Applications are the easiest
› Any HTTP Basic Auth?
› Embedded Username/Password Dialog
› Hardest to deal with (especially flash)
› Lots of Options
› simpleSAMLphp Shibboleth-SP OIOSAML SP Fedlet OpenAM
Slide
…including the kitchen sink.
› Applications are diverse
› Skinning a Cat
› Users are diverse
› From different sources
› IdPs are diverse
› No two attributes the same
Slide
Scaling AuthN Slide
brook@terena.org
+31651553991
sip:schofield@terena.org
skype://brookschofield
@BrookSchofield
facebook.com/brook.schofield
linkedin.com/in/brookschofield
Questions?
“A man with one watch knows what time it is; a man with two watches is never quite sure.” Lee Segall
Slide