Single Signon Network Authentication

_______________________________________________________________________________________________________ Work Group Charge

  1. Define a campus-wide username space by merging existing ones.
  2. Define mechanisms for maintaining the username space.
  3. Develop (copy) policies for Kerberos-like authentication servers.
  4. Test, pilot, and begin deployment of authentication servers.

_______________________________________________________________________________________________________ Work in Progress

_______________________________________________________________________________________________________ Next Meeting

Tuesday, January 24, 1-3PM.
In the conference room at 3401 Walnut Street, Suite 335B.
Minutes of Work Group Meetings
Minutes of DCE TF Chairs Meetings

_______________________________________________________________________________________________________ Work Group Contact Information

Members

Name                Organization               E-mail address
----------------    ------------------------   -----------------------
Noam Artz           ISC/DCCS                   artz@dccs
Deborah Aukee       VPUL                       aukee@pobox
Emily Batista       Library                    batista@pobox
Nirmalya Das        Medical School             das@cip.ldi
Dan Dougherty       President/Provost          dandough@pobox
Chris Hiester       DCCS                       hiester@dccs
Alex Garthwaite     ISC/DCCS                   alex@dccs
Shumon Huque        SAS                        shuque@sas
Tom McAleer         UPHS                       tom_mcaleer@path1a.med
Grover McKenzie     Library                    mckenzie@pobox
Dave Millar         ISC/DA                     millar@pobox
Norm Morrison       SEAS                       morrison@seas
Martin Pring        Medical School             pring@a1.mscf
Andy Rieger         Wharton                    riegera@wharton
Ellen Rosenblatt    ISC/UMIS                   rosenblatt@umis
Fran Seidita        Resource Planning/Budget   seidita@pobox
Lila Shapiro        ISC/UDC                    lila@staff.udc
Andrew White        SAS                        awhite@sas
Ira Winston         SEAS                       ira@central.cis

Co-Chairs
---------

Mark Litwack        ISC/DCCS                   litwack@dccs
Jim Johnson         ISC/DA                     johnsonj@pobox

Work Group E-mail address: dce-authen-wg@isc.upenn.edu.

_______________________________________________________________________________________________________ Background Information


Usernames

Everyone who connects to a multi-user computer system needs to
have an account.  An account consists of two parts: a username and a
password.  A username, also called an account name, is an
identifier: it tells the computer who a person claims to be.  The
password is an authenticator: it proves to the operating system that
the person is who they claim to be.

Authentication

Before networks, validating the identity of a particular user was
simple.  A terminal wired directly to a timesharing computer could
assume that whoever was currently typing at the keyboard had the
same identity as the person who started the session.  A system of
account names, each verified by a password at login time, was
easily enforced.

Today, computers request and provide services over networks that
are not secure: a password typed at one host and sent to another can
be read by anyone on the path between them.  A network authentication
service is needed to act as a trusted third party between the
non-secure hosts asking for services and the hosts providing them.

Single Signon

Many people require access to multiple computer systems.  They
can end up with a long list of accounts and passwords.  Most people
cannot effectively keep track of multiple accounts and passwords,
especially when they differ across platforms.

Single Signon is the idea that a computer user is authenticated
once, and that for the rest of their session every other system or
network they connect to checks a security database to determine
their privileges, with no further signons, interruptions, or
passwords.

An effective implementation of Single Signon therefore needs a
mechanism that combines user authentication with authorization.


Authentication vs. Authorization

Authentication is the process of verifying the claimed identity of a
client (i.e., a user) and/or a service.

Authorization is the process of determining whether a client may use
a service, which objects the client is allowed to access, and the type
of access allowed for each.

To clarify: authentication answers the questions "Who am I?" and
"Who am I talking to?", while authorization answers the questions "Do
I have access to this server?" and "What are my access privileges?"

_______________________________________________________________________________________________________ Kerberos Authentication

Kerberos is a trusted third-party authentication service used to
verify the identities of client applications (i.e., users) and server
applications in a distributed computing environment.  A key
distribution center (KDC) that holds every principal's secret key
issues time-limited tickets; a user proves knowledge of their password
by decrypting the KDC's reply, so the password itself is never sent
across the network, and a service accepts a ticket because only the
KDC could have encrypted it under the service's key.
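The following Python sketch is an added example, not code from the
work group or from any Kerberos distribution.  It models the exchange
described in the Single Signon and Kerberos sections: a client signs on
once to a KDC using a key derived from its password, obtains tickets
for services afterwards without the password ever leaving the client,
and a server separates authentication (opening the ticket and checking
the authenticator) from authorization (consulting its access list).
The principal names, the 8-hour ticket lifetime, the HMAC-based seal()
function standing in for real Kerberos encryption, and the scenario in
demo() are all assumptions made for illustration; real Kerberos message
formats and ciphers differ.

```python
# Toy Kerberos-style single signon: stdlib only, illustrative, NOT production cryptography.
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (assumed value)
CLOCK_SKEW = 300             # authenticator freshness window (Kerberos' customary 5 minutes)

def derive_key(password, user):
    """Long-term key from a password; the KDC stores only this and the client recomputes it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC: HMAC-SHA256 counter keystream plus an HMAC tag over nonce and ciphertext."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_sealed(key, blob):
    """Inverse of seal(); raises ValueError on the wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(ticket, authenticator):
    """The presenter must prove possession of the ticket's session key, with matching name and fresh time."""
    if time.time() > ticket["exp"]:
        raise ValueError("ticket expired")
    auth = open_sealed(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["user"] != ticket["user"] or abs(time.time() - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket")

class KDC:
    """Trusted third party: holds every principal's key, never sees a password on the wire."""
    def __init__(self, keys):
        self.keys = keys   # {principal name: long-term key}, incl. the ticket-granting service "krbtgt"

    def _ticket(self, for_principal, user):
        sk = os.urandom(32).hex()   # fresh session key shared by the user and for_principal
        body = {"user": user, "sk": sk, "exp": time.time() + TICKET_LIFETIME}
        return sk, seal(self.keys[for_principal], body)

    def as_exchange(self, user):
        """Initial signon: TGS session key sealed under the user's key, plus a ticket-granting ticket."""
        sk, tgt = self._ticket("krbtgt", user)
        return seal(self.keys[user], {"sk": sk}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """Every later request: a valid TGT and authenticator, no password, yield a service ticket."""
        t = open_sealed(self.keys["krbtgt"], tgt)
        check_authenticator(t, authenticator)
        sk, ticket = self._ticket(service, t["user"])
        return seal(bytes.fromhex(t["sk"]), {"sk": sk}), ticket

class Client:
    def __init__(self, user, password, kdc):
        """Sign on once; only the right password opens the reply, and the password is then discarded."""
        self.user, self.kdc = user, kdc
        enc_sk, self.tgt = kdc.as_exchange(user)
        self.tgs_key = bytes.fromhex(open_sealed(derive_key(password, user), enc_sk)["sk"])

    def _authenticator(self, key):
        return seal(key, {"user": self.user, "ts": time.time()})

    def use(self, server):
        """Reach any server with tickets alone: no further passwords for the rest of the session."""
        enc_sk, ticket = self.kdc.tgs_exchange(self.tgt, self._authenticator(self.tgs_key), server.name)
        svc_key = bytes.fromhex(open_sealed(self.tgs_key, enc_sk)["sk"])
        return server.handle(ticket, self._authenticator(svc_key))

class Server:
    def __init__(self, name, key, acl):
        self.name, self.key, self.acl = name, key, acl

    def handle(self, ticket, authenticator):
        t = open_sealed(self.key, ticket)        # only the KDC could have sealed this under our key
        check_authenticator(t, authenticator)    # authentication: who am I talking to?
        if t["user"] not in self.acl:            # authorization: does that user have access here?
            return "access denied"
        return "welcome " + t["user"]

def demo():
    """Constructed scenario: two users, one mail host, only alice on its access list."""
    keys = {"krbtgt": os.urandom(32), "mailhost": os.urandom(32),
            "alice": derive_key("correct horse", "alice"), "bob": derive_key("hunter2", "bob")}
    kdc = KDC(keys)
    mail = Server("mailhost", keys["mailhost"], acl={"alice"})
    results = {"alice_mail": Client("alice", "correct horse", kdc).use(mail),
               "bob_mail": Client("bob", "hunter2", kdc).use(mail)}
    try:
        Client("alice", "wrong password", kdc)
        results["wrong_pw"] = "accepted"
    except ValueError:
        results["wrong_pw"] = "rejected"
    return results
```

Calling demo() gives the three outcomes the sections describe: alice
signs on once and reaches the mail host, bob is authenticated by the
KDC but denied by the server's access list, and a wrong password fails
at the very first decryption without the KDC ever seeing it.  One
caveat this toy shares with Kerberos version 4: the KDC answers the
initial request for anyone who names a valid user, so a captured reply
can be attacked offline with password guesses.  Kerberos version 5
adds optional pre-authentication, where the client must first prove
knowledge of its key, to blunt that attack.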


Kerberos Information Sources

_______________________________________________________________________________________________________ Comments?

Address comments to jamesfj@pobox.upenn.edu