
Re: Web SSO using Kerberos (was: Kerberos for Debian Edu/Squeeze?)

On Wed, Apr 14, 2010 at 08:21:37PM +0200, Jonas Smedegaard wrote:
> On Wed, Apr 14, 2010 at 05:22:56PM +0200, Petter Reinholdtsen wrote:
> > Next step will be to use Kerberos for access control in Lwat and Nagios. I have no idea how much work that will be to implement.
>
> I believe the proper approach for Kerberizing web applications is to use either CAS or Shibboleth.
>
> [details snipped]
>
> It seems to me that the highly popular SSO technology OpenID is too simple for use as web-enabling of Kerberos. Even if coupled with OAuth I seem to understand from various critics that it is too poorly designed for enterprise security. Not stating this to start a fight (I do not know enough for more in-depth arguments than these vague accusations), just to help avoid wasting time on (popular but) weaker designs if the interest is proper strong web-enabled security designs.

After reading up on it a bit, I feel the need to correct myself:

OAuth is not a weaker design, but has a different (main) purpose:

CAS and Shibboleth provide central, federated authentication for applications. Authorization - i.e., access control decisions on which user data to exchange - is optional and (yet) uncommon.

OAuth provides user authorization of user data access for application consumers. This implies authentication that can be central or decentral, but not (yet) federated.

In other words: both approaches can securely do web Single Sign-On (SSO), and both should support Kerberos as authentication backend.

The difference is in what they can do _beyond_ that: With CAS and Shibboleth we can offer external applications (like web shops wanting to provide discounts to students) a joint authentication service for "all Norwegian schools" or even "all Skolelinux account holders in the world". With OAuth we can offer the users the choice to approve or deny each such web shop permission to pull (and keep up-to-date) their postal address from the school database.

So in a way Shibboleth and CAS serve extended *enterprise* needs, whereas OAuth serves extended *user* needs.

Or more harshly: Shibboleth and CAS are about enforcing governing control, whereas OAuth is about passing control to the users.

Here's a post on the topic, making a comparison to how G7 countries govern global economy: http://lists.foaf-project.org/pipermail/foaf-protocols/2010-January/001437.html

- Jonas

* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
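The distinction drawn above (a central authentication service that only tells an application *who* the user is, versus a user-authorization service where the user grants, limits and revokes a consumer's access to specific data) can be seen in a small model. This is an added illustration, not code from the thread or from CAS, Shibboleth or OAuth; the class names, the school directory and the ticket/token handling are simplified assumptions and not the real wire protocols.

```python
"""Toy model of the two SSO designs discussed in the thread.

CentralAuthService  -> CAS/Shibboleth-like: single-use ticket, bound to
                       the requesting service, that yields an identity.
UserAuthorizationService -> OAuth-like: the user approves a consumer for
                       specific attributes; the token is scoped and revocable.
All data and flows below are constructed assumptions for illustration.
"""
import secrets

# Constructed sample school directory (assumption, not real data).
DIRECTORY = {
    "alice": {"postal_address": "Main Street 1, Oslo", "grade": "10A"},
}


class CentralAuthService:
    """Authenticates once (the Kerberos check is stubbed here) and issues
    a ticket the relying application validates to learn the identity."""

    def __init__(self):
        self._tickets = {}  # ticket -> (username, service)

    def login(self, username, service):
        # Assumption: the Kerberos/password check has already succeeded.
        ticket = secrets.token_urlsafe(16)
        self._tickets[ticket] = (username, service)
        return ticket

    def validate(self, ticket, service):
        # Tickets are single-use and bound to the service that requested them,
        # so a replayed or redirected ticket validates to nothing.
        entry = self._tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]  # identity only; no data-access decision is made here


class UserAuthorizationService:
    """The user decides which consumer may read which attributes; the
    consumer receives a token limited to exactly that scope."""

    def __init__(self):
        self._grants = {}  # token -> (username, consumer, scopes)

    def approve(self, username, consumer, scopes):
        token = secrets.token_urlsafe(16)
        self._grants[token] = (username, consumer, frozenset(scopes))
        return token

    def revoke(self, token):
        # The user can withdraw access at any time.
        self._grants.pop(token, None)

    def fetch(self, token, consumer, attribute):
        grant = self._grants.get(token)
        if grant is None or grant[1] != consumer or attribute not in grant[2]:
            return None  # not granted, wrong consumer, or revoked
        return DIRECTORY[grant[0]].get(attribute)


def demo_central_auth():
    """Returns (identity from a valid ticket, result of replaying it)."""
    cas = CentralAuthService()
    ticket = cas.login("alice", "https://shop.example/")
    who = cas.validate(ticket, "https://shop.example/")
    replay = cas.validate(ticket, "https://shop.example/")  # single use
    return who, replay


def demo_wrong_service():
    """A ticket issued for one service is useless to another."""
    cas = CentralAuthService()
    ticket = cas.login("alice", "https://shop.example/")
    return cas.validate(ticket, "https://other.example/")


def demo_user_authorization():
    """Returns (granted attribute, out-of-scope attribute, value after revoke)."""
    oauth = UserAuthorizationService()
    token = oauth.approve("alice", "shop.example", {"postal_address"})
    addr = oauth.fetch(token, "shop.example", "postal_address")
    grade = oauth.fetch(token, "shop.example", "grade")  # never approved
    oauth.revoke(token)
    after = oauth.fetch(token, "shop.example", "postal_address")
    return addr, grade, after


if __name__ == "__main__":
    print(demo_central_auth())
    print(demo_wrong_service())
    print(demo_user_authorization())
```

Note what each side never sees: the central service hands the shop an identity but no attribute, while the authorization service hands it an attribute but only the one the user approved, and only until the user revokes it.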
