MLUG: RE: [MLUG] OpenID

Sorry to resurrect an old thread...
How will this affect us as departmental developers?  Are we moving toward implementing Shibboleth, ADFS, what-have-you as a replacement for LDAP authentication?

Thanks,
 
jared davis.
Internet Administrator
Residential Life
University of Missouri-Columbia
100 Pershing Hall
(573) 884-3616

-----Original Message-----
From: EMAIL:PROTECTED [mailto:EMAIL:PROTECTED] On Behalf Of ryan woodsmall
Sent: Monday, December 03, 2007 6:15 PM
To: MLUG Members
Subject: Re: [MLUG] OpenID

We've done a lot with federated identity lately, mainly Shibboleth and  
Active Directory Federation Services and the interoperability between  
the two.  OpenID is promising, but there are security issues with  
their trust model, phishing and man-in-the-middle attacks.  OpenID  
isn't usable by itself right now; other, more secure SSO solutions are  
required to front-end it to give you any form of security whatsoever.   
I've looked at it, but there's no way I'd roll it out in production  
without some decent security studies.

Oddly enough, Microsoft has already dealt with quite a few of these  
problems in CardSpace.  It's not a direct competitor, but could  
actually sit on top of OpenID, ADFS, Shibboleth, etc., to provide  
decent, easy to use credentials/authentication/authorization/the whole  
shebang.  A federation of interoperable identity providers tied in  
with OpenID, CardSpace, etc. is the future of mass-deployed web (and  
other) services.

There's a LOT going on in this world right now, and things are only  
looking better.  One of our own MU guys is going out to Redmond next  
week to demo an interop between bog-standard Shibboleth and  
bog-standard ADFS systems that we've been working on for the past few  
months.  Indiana and a few other bigger schools were supposed to help  
in the pilot, but we ended up doing the brunt of the work.  We've been  
on a number of conference calls, and even Microsoft seems excited.

We're currently running a Shibboleth and Pubcookie stack for web  
single-sign-on.  The next round will probably integrate ADFS bits to  
provide Windows systems with native federated, system-wide (or at  
least campus-wide) authentication/authorization.

I love this stuff, but some of the concepts are difficult to grasp  
since they're so abstract.  I'm literally just getting a concrete  
grasp of the low-level way Shibboleth works after 18 months of running  
the servers.  The fact that it's a Java app running on Tomcat doesn't  
make things any simpler, either...

   ryan woodsmall
     EMAIL:PROTECTED


"Be well, do good work, and keep in touch." - Garrison Keillor




On Dec 3, 2007, at 5:11 PM, Mike Miller wrote:

> Have you guys learned yet about OpenID?...
>
> http://en.wikipedia.org/wiki/OpenID
>
> Some guys I've been working with up here thought we should use  
> OpenID for authentication on a secure web-based data management  
> system we are developing.  After considerable thought on the matter  
> I have decided against it.  It seems to be a popular new thing but I  
> find some problems: (1) if an OpenID server provider goes out of  
> business, all users of that provider are unable to log in, (2)  
> adding a third party to the authentication system requires more  
> network and server availability than the usual client/server system,  
> (3) the process is a little more complex than what most users are  
> used to and this requires that users be trained on OpenID, (4) the  
> login is a little more onerous than the usual username/password  
> combo system and finally (5) the purported benefit to users, that  
> they don't need to remember so many usernames and passwords, is lost  
> if the user is not using OpenID at other web sites.
>
> Have any of you used OpenID?  Any opinions?
>
> Mike

_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
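Ryan's point about OpenID's trust model and man-in-the-middle attacks comes down to what the relying party (RP) actually verifies when the browser is redirected back with a positive assertion. The following is an added example, not code from anyone in this thread or from any OpenID library: it implements the OpenID 2.0 RP-side checks (HMAC signature over the key-value form of the signed fields, return_to and op_endpoint binding, one-time response_nonce) and shows a forged, a wrongly keyed and a replayed response being rejected. The MAC key, endpoints, identifiers, association handle and nonce are constructed values, the association type is assumed to be HMAC-SHA256, and the return_to comparison is simplified to an exact string match.

```python
"""OpenID 2.0 relying-party checks on a positive assertion (openid.mode=id_res).

Added example, not code from the MLUG thread. The association MAC key,
endpoints, identifiers, handle and nonce below are constructed values.
"""
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed: in practice this is the shared secret negotiated with the OP
# in the association step (assumed association type HMAC-SHA256).
MAC_KEY = b"\x42" * 32
OP_ENDPOINT = "https://op.example.net/openid"       # constructed OP endpoint
RETURN_TO = "https://rp.example.edu/login/return"   # constructed RP return URL

# Fields a positive assertion must always sign; claimed_id and identity must
# also be signed whenever they are present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


class AssertionRejected(Exception):
    pass


def kv_form(params, signed):
    """Key-Value form ("key:value\\n" per field) of the signed fields, in order."""
    try:
        return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode("utf-8")
    except KeyError as e:
        raise AssertionRejected(f"signed field missing from response: {e}") from None


def sign_assertion(params, signed, mac_key):
    """OP side: base64(HMAC-SHA256(mac_key, key-value form of signed fields))."""
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(query, mac_key, expected_return_to, expected_op_endpoint, seen_nonces):
    """Return the asserted claimed_id, or raise AssertionRejected.

    Skipping any one of these checks lets a hostile party forge, redirect or
    replay a login at this RP.
    """
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.mode") != "id_res":
        raise AssertionRejected("not a positive assertion")

    signed = p.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    for f in ("claimed_id", "identity"):
        if "openid." + f in p and f not in signed:
            missing.add(f)
    if missing:
        raise AssertionRejected(f"unsigned fields: {sorted(missing)}")

    # 1. Signature: HMAC over the key-value form of exactly the signed fields.
    #    Without this, anyone can type a response URL and "become" any user.
    try:
        got = base64.b64decode(p.get("openid.sig", ""), validate=True)
    except binascii.Error:
        raise AssertionRejected("openid.sig is not base64") from None
    want = hmac.new(mac_key, kv_form(p, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(want, got):
        raise AssertionRejected("bad signature")

    # 2. Binding: the assertion must target this RP's return URL and come from
    #    the OP discovered for the identifier (simplified to exact matches).
    if p["openid.return_to"] != expected_return_to:
        raise AssertionRejected("return_to does not match")
    if p["openid.op_endpoint"] != expected_op_endpoint:
        raise AssertionRejected("op_endpoint does not match discovery")

    # 3. Replay: each response_nonce is accepted once per OP.
    nonce = (p["openid.op_endpoint"], p["openid.response_nonce"])
    if nonce in seen_nonces:
        raise AssertionRejected("replayed response_nonce")
    seen_nonces.add(nonce)
    return p.get("openid.claimed_id")


def build_assertion(claimed_id, mac_key=MAC_KEY, nonce="2007-12-03T23:15:00Zr1"):
    """Constructed positive assertion as an OP holding mac_key would emit it."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-1234",  # constructed association handle
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign_assertion(params, signed, mac_key)
    return urlencode(params)


def tamper(query, field, value):
    """Rewrite one field of an already-signed response, as an attacker in the path would."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    p[field] = value
    return urlencode(p)


if __name__ == "__main__":
    seen = set()
    good = build_assertion("https://op.example.net/u/jdavis")
    print("accepted:", verify_assertion(good, MAC_KEY, RETURN_TO, OP_ENDPOINT, seen))
    for label, q in [
        ("identity swapped", tamper(good, "openid.claimed_id", "https://op.example.net/u/admin")),
        ("signed with wrong key", build_assertion("https://op.example.net/u/jdavis", mac_key=b"\x00" * 32)),
        ("replayed", good),
    ]:
        try:
            verify_assertion(q, MAC_KEY, RETURN_TO, OP_ENDPOINT, seen)
        except AssertionRejected as e:
            print(f"rejected ({label}): {e}")
```

Note what this does and does not cover: the signature, binding and nonce checks stop a party in the path from altering or replaying an assertion, and are exactly what a relying party that skips verification gets wrong. They do nothing about the phishing problem Ryan also raises, where the user is redirected to a look-alike OP and types their password there; that has to be addressed at the OP and in the browser, not in RP-side verification. In production this logic should come from a maintained OpenID library rather than hand-rolled code.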