[alf-dev] Reviewing Single Sign On discussions

[Daniel Gross <gross@xxxxxxxxxxxxxxx>]

Hello,

I am currently summarizing some of the design discussions about 
authentication and single sign on, and was wondering if someone could 
perhaps provide some clarifications:


Citing from the ALF Rquirements Meeting Minutes 8/25/2005
> We considered two approaches to SSON within ALF. The first approach
> requires ALF to maintain a runtime (and perhaps eventually a
> persisted) credential store so service flows can get identity
> information as stored in ALF. (See the agenda for the 8/25/05
> requirements meeting for a more detailed discussion.) The second
> approach merely required ALF to enable a secure way to propagate
> userid information from a tool raising an event to the service flow
> that will execute as a result of an event.
>
>
>
> After much discussion, the committee agreed that the only reason for
> ALF to maintain a credentials cache was if she wanted to support some
> form of user mapping between tools. We all agreed that user mapping
> should not be an ALF job, so opted for the userid propagation
> solution. As a best practice, we believe all ALF-enabled tools should
> support authentication through a central identity management tool
> such as LDAP. However, we agreed that ALF will not require such a
> tool. Instead, ALF will define a Service Provider Interface (SPI)
> that will allow ALF sites to implement user mapping if necessary.


I was wondering, does anyone recall the key arguments why user mapping 
should not be a job of ALF, and why maintaining a credential cache is 
only associated with user mapping between tools.



appreciating any comments,

Daniel


ps. Althoug its still quite preliminary i am including a partial summary 
of the authentication discussion, as it appears to me reflected in the 
currently available documents:


ALF: high level design goals relevant to authentication
-------------------------------------------------------

1. Any authentication solution should enable (or at least not hinder) to 
maximize the number of tools adapted for ALF, as well as accelerate the 
adoption. Some guiding principles to achieve these goals are to:
a. minimizing changes needed to ALF enable a tools
b. minimizing design and implementation complexity to ALF enable a tools


2. Any authentication solution should aim to utilize standard based 
design solutions, where possible.


Design requirements/constraints under which an authenication solution is 
considered:
-----------------------------------------------------------------------

From a tool/tools vendor point of view:
1. It is assumed that prior to providing a services, a tool may requires 
a user to first log-on

2. If log-on is required then, it can be performed either:
a. manually or
b. the tool provides a programmatic log-on facility,
c. or a tool can be compatible with an existing centralized identity 
manager such as LDAP, CAS, or JOSSO, in which case log-on could be 
performed by passing a credential ticket together with the service request.

3. a tools vendor who considers adapting a tool to work with the ALF 
environment may:
a. not be willing to make any changes to the already existing log-on 
facility.
b. may be willing to support a programmatic user id and password log-on 
via its web-service based interface.
c. may be willing to include support for particular credential based 
centralized single sign-on solution
d. may to some extent be willing to adapt/enhance the tool to support 
ALF custom solutions for authentication.


2. It is assumed that an ALF site administrator when using ALF
a. may want to have a single sign on solution available that can be used 
"out of the box"
b. may want to continue use a centralized identity manager already in 
use in his/her organization
c. may be willing to adopt a light-weight solution where predefined 
user-id's and passwords are pass around.



Possible design approaches for ALF
-----------------------------------

1. ALF provides a fully integrated SSON authentication service, where 
ALf may:
a. custom build a solution
b. utilizing an existing implementation such as CAS or JOSSO

2. ALF provides a credential store in which during runtime credential 
information obtained from outside can be stored and retrieved by ALF 
enabled tools.

3. ALF only passes user id and passwords around in a secure way. ALF 
enabled tool users need to ensure that all tools called within a 
predefined service flow are configured with a consistent (same) passwords

4.	ALF does not manage user id and passwords and requires a SSON 
solution, and thus assumes that SSON is automatically taken care of 
during the execution of a service flow.

5.	ALF does not manage user id and passwords, and assumes that all is 
taken care of from the outside, possibly in a manual way, during the 
execution of a service flow

6.	ALF provides an SPI interface that enables an ALF site manager to 
implement centralized user mapping. If configured, the SPI would be 
called by the ALF (either the broker or while executing a service flow), 
to determine the corrent credentials/userid-password to pass to a tool 
invocation.


Part of my next investigation is to determine what the tradeoffs of each 
of the above design approaches are ...