/[volute]/trunk/projects/grid/sso/doc/SSOAuthMech.tex

Diff of /trunk/projects/grid/sso/doc/SSOAuthMech.tex


revision 3279 by taffoni, Thu Apr 7 11:17:53 2016 UTC revision 3280 by taffoni, Thu Apr 7 15:13:56 2016 UTC
# Line 137  Line 137 
137  \textbf{SSO mechanism}&\textbf{\xmlel{<securityMethod>}}\\ \sptablerule  \textbf{SSO mechanism}&\textbf{\xmlel{<securityMethod>}}\\ \sptablerule
138  No authentication required & none\\  No authentication required & none\\
139   HTTP Basic Authentication &   HTTP Basic Authentication &
140  \xmlel{https://www.w3.org/Protocols/HTTP/ 1.0/spec/html\#BasicAA}\\  \xmlel{https://www.w3.org/Protocols/HTTP/ 1.0/spec.html\#BasicAA}\\
141  TLS with password &  \xmlel{ivo://ivoa.net/sso\#tls-with-password} \\  TLS with password &  \xmlel{ivo://ivoa.net/sso\#tls-with-password} \\
142  TLS with client certificate & \xmlel{ivo://ivoa.net/sso\#tls-with-certificate} \\  TLS with client certificate & \xmlel{ivo://ivoa.net/sso\#tls-with-certificate} \\
143  Cookies & \xmlel{ivo://ivoa.net/sso\#cookie} \\  Cookies & \xmlel{ivo://ivoa.net/sso\#cookie} \\
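Review bot: the URL fix at line 140 (`spec/html` to `spec.html`) is correct, but the cell still contains a space inside the identifier (`HTTP/ 1.0`), in both the old and new column. Since this string is the registered security method that clients are expected to match literally, remove the space (or use a discretionary break such as `\-` if it was inserted only for line wrapping) so that the table cell is character-for-character identical to the `\texttt{https://www.w3.org/Protocols/HTTP/1.0/spec.html\#BasicAA}` form used in the normative text at line 165.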
# Line 162  Line 162 
162  that updates RFC2617  \citep{std:RFC2617}.  that updates RFC2617  \citep{std:RFC2617}.
163  Interfaces using this mechanism SHALL be be registered with the security method  Interfaces using this mechanism SHALL be be registered with the security method
164    
165   \texttt{https://www.w3.org/Protocols/HTTP/1.0/spec/html\#BasicAA}   \texttt{https://www.w3.org/Protocols/HTTP/1.0/spec.html\#BasicAA}
166    
167  \subsection{Commentary}  \subsection{Commentary}
168  HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge  HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge
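Review bot: line 163 still reads `SHALL be be registered` in both revisions; drop the duplicated `be` while touching this paragraph, since it sits in the normative sentence that defines the registration requirement for this mechanism.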
# Line 306  Line 306 
306  layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication  layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication
307   performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.'' \citep{std:openid}.   performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.'' \citep{std:openid}.
308        
309    \section{Conclusions}
310    This document presents a list of  existing security standards, to implement when developing a service that requires authentication mechanism. The list includes the most frequently used standards at the time this document has been produced.
311    
312    In this document we are presenting two types of  SSO protocols: "local" and "federated".
313    Local SSO  provides solutions for keeping a repository of usernames and passwords
314    that could be used transparently across several internal applications but it is local to one domain/service.
315    
316    Federated identity means linking and using the electronic identities a user has across several identity management systems.
317    In simpler terms, a service does not necessarily need to obtain and store users? credentials in order to authenticate them. Instead, the service (or we application) can use an identity management system that is already storing a user?s electronic identity
318    to authenticate the user?given, of course, that the application trusts that identity management system.
319    Federated identities are convenient for users, since they don?t have to keep a set of usernames and passwords for every single application that they use and for service providers that do not need to store and manage credential.
320    
321    Local SSO is managed by  the following protocols: HTTP Basic Authentication,  Transport Layer Security (TLS) with passwords, and cookies
322    OAuth, SAML, OpenID and Transport Layer Security (TLS) with client certificates (thanks to the CA trust) are protocol that
323    allow to implement  federated SSO.
324    
325    The choice the authentication method to use is related to the project/service requirements, we suggest at least to implement
326    a local authentication based on Transport Layer Security (TLS) with passwords, that allow a reasonable security
327    framework for exchanging authentication tokens.
328    
329    More complex projects/sevices that needs to offer resources to a large distributed communities should prefer federated identities.
330    For example SAML2.0 is the protocol used to build the EduGain World wide identity federation  for education and research.
331    
332    
333    
334  \appendix  \appendix
335  \section{VOResource  SecurityMethod}  \section{VOResource  SecurityMethod}
336  This Appendix presents an extract of the VOResource Description XML schema.  This Appendix presents an extract of the VOResource Description XML schema.
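Review bot: the new Conclusions section (lines 309 to 330) carries encoding damage at lines 317 to 319, where apostrophes and a dash were replaced by `?` (`users? credentials`, `user?s`, `user?given`, `don?t`); replace them with LaTeX apostrophes (and a comma or colon for `user?given`) before this is built, and use ``local'' / ``federated'' at line 312 rather than straight double quotes, matching the quoting used elsewhere in the file. The same block needs a grammar pass: `sevices that needs` should be `services that need` (line 329), `The choice the authentication method` should be `The choice of the authentication method` (line 325), `are protocol that allow to implement federated SSO` should be `are protocols that allow federated SSO to be implemented` (lines 322 to 323), `manage credential` should be `manage credentials` (line 319), and line 321 needs a full stop before the sentence beginning `OAuth`. On content, lines 325 to 327 recommend TLS with password as the baseline because it gives `a reasonable security framework for exchanging authentication tokens`; it would help readers to state the condition this depends on, namely that the client validates the server certificate, since without that the password sent over the channel is the token being exposed. Finally, the federation name at line 330 is spelled eduGAIN by the project itself.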
