We've done a lot with federated identity lately, mainly Shibboleth and
Active Directory Federation Services and the interoperability between
the two. OpenID is promising, but there are security issues with
their trust model, phishing and man-in-the-middle attacks. OpenID
isn't usable by itself right now; other, more secure SSO solutions are
required to front-end it to give you any form of security whatsoever.
I've looked at it, but there's no way I'd roll it out in production
without some decent security studies.
Oddly enough, Microsoft has already dealt with quite a few of these
problems in CardSpace. It's not a direct competitor, but could
actually sit on top of OpenID, ADFS, Shibboleth, etc., to provide
decent, easy to use credentials/authentication/authorization/the whole
shebang. A federation of interoperable identity providers tied in
with OpenID, CardSpace, etc. is the future of mass-deployed web (and
other) services.
There's a LOT going on in this world right now, and things are only
looking better. One of our own MU guys is going out to Redmond next
week to demo an interop between bog-standard Shibboleth and
bog-standard ADFS systems that we've been working on for the past few
months. Indiana and a few other bigger schools were supposed to help
in the pilot, but we ended up doing the brunt of the work. We've been
on a number of conference calls, and even Microsoft seems excited.
We're currently running a Shibboleth and Pubcookie stack for web
single-sign-on. The next round will probably integrate ADFS bits to
provide Windows systems with native federated, system-wide (or at
least campus-wide) authentication/authorization.
I love this stuff, but some of the concepts are difficult to grasp
since they're so abstract. I'm literally just getting a concrete
grasp of the low-level way Shibboleth works after 18 months of running
the servers. The fact that it's a Java app running on Tomcat doesn't
make things any simpler, either...
ryan woodsmall
EMAIL:PROTECTED
"Be well, do good work, and keep in touch." - Garrison Keillor
On Dec 3, 2007, at 5:11 PM, Mike Miller wrote:
Have you guys learned yet about OpenID?...
http://en.wikipedia.org/wiki/OpenID
Some guys I've been working with up here thought we should use
OpenID for authentication on a secure web-based data management
system we are developing. After considerable thought on the matter
I have decided against it. It seems to be a popular new thing but I
find some problems: (1) if an OpenID server provider goes out of
business, all users of that provider are unable to log in, (2)
adding a third party to the authentication system requires more
network and server availability than the usual client/server system,
(3) the process is a little more complex than what most users are
used to and this requires that users be trained on OpenID, (4) the
login is a little more onerous than the usual username/password
combo system and finally (5) the purported benefit to users, that
they don't need to remember so many usernames and passwords, is lost
if the user is not using OpenID at other web sites.
Have any of you used OpenID? Any opinions?
Mike
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members