[OpenID] WantToDo, enterprise intranet OpenID provider
Peter Williams
pwilliams at rapattoni.com
Thu Jul 26 21:16:06 UTC 2007
One of the cutest intranet/LAN innovations I've seen came from Ping.
Someone is listening carefully to folks addressing enterprise reality!
Regardless of how you get your NTLM/KerberosV5 credentials for access to
the modern domain-controlled LAN (VPN, desktop, EMC/RSA SecurID,
ActiveDirectory...PPP/EAP...), the IDP servicing the WebSSO
request from an SP/Consumer would map that strong authentication context
value (as presented to the intranet site as an NTLM token) to itself in
its WebSSO capacity. It would then formulate and communicate a
SAML/WS-Fed claim (or OpenID claim).
This is an instance of a cascaded IDP architecture, where one OP is
relying on the LAN IDP, which relies on the VPN IDP, which ultimately
relies on RSA's POTP-EAP's strength and services...before the OP
releases sensitive attributes to the trust point associated with the
RP/Consumer. This is particularly relevant where the connected token (a
FIPS 201 card, say) is the source of the attributes to be released,
sourced way back across a cascade of secure/trusted channels, including
weird cases such as the smartcard PC/SC protocol being remoted across
an RDP channel.... Furthermore, in the military version of the same, the
high assurance token will itself _decide_ the release policy, and the OP
way out there doing OpenID Auth will be merely a (token-trusted) policy
enforcement point.
In the OpenID Auth extension file, one needs to represent the original
strength/technique used by the earliest IDP in the backchain. So, if
802.1x with EAP support is being used, featuring OTP with one of RSA's
connected token protocols that provides for ongoing strong
authentication, presumably the RP/Consumer wants to know this fact - not
that the intranet website's got an "NTLM" token from WinNT's TCB.
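An added example, not code from this thread or from any product named in it, of what the message above argues the OP at the end of such a cascade should emit: an OpenID 2.0 positive assertion whose Provider Authentication Policy Extension (PAPE) parameters describe the origin authentication (the SecurID OTP over EAP at the VPN gateway) rather than the NTLM token the OP itself saw, together with the RP-side check of that assertion. The PAPE namespace, policy URIs, and the OpenID 2.0 Key-Value Form and HMAC-SHA1 signing are as the specifications define them (PAPE was still a draft in July 2007); everything else is assumed for this example: the mechanism labels and their policy mapping, the chain-of-custody rule in `origin_of` (claims cannot reach back past a hop that did not verify its upstream), the sample hops, and the association key.

```python
"""Added example: OP at the end of a cascaded IdP chain composes an OpenID 2.0
positive assertion whose PAPE parameters describe the ORIGIN authentication."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"

# Assumed mapping (this example's own labels) from the mechanism a hop verified
# itself to the PAPE policies that mechanism satisfies.  An NTLM or Kerberos
# ticket only proves that a domain logon happened, not how, so it earns none.
POLICIES_BY_MECHANISM: Dict[str, Set[str]] = {
    "eap-otp-securid": {MULTI_FACTOR, MULTI_FACTOR_PHYSICAL},
    "smartcard-pkinit": {MULTI_FACTOR, MULTI_FACTOR_PHYSICAL, PHISHING_RESISTANT},
    "password": set(), "kerberos": set(), "ntlm": set(),
}


@dataclass
class Hop:
    """One IdP in the cascade, ordered from the OP backwards to the origin."""
    idp: str
    mechanism: str           # what this hop verified itself
    auth_time: datetime      # when it did so (UTC)
    verified_upstream: bool  # did it cryptographically check the hop behind it?


def origin_of(chain: List[Hop]) -> Hop:
    """Walk back from the OP; stop at the first hop that did not verify its
    upstream (assumed chain-of-custody rule, not something PAPE defines)."""
    current = chain[0]
    for upstream in chain[1:]:
        if not current.verified_upstream:
            break
        current = upstream
    return current


def kv_encode(fields: Dict[str, str], keys=None) -> str:
    """OpenID 2.0 Key-Value Form: one 'key:value\\n' line per field, in order."""
    keys = list(fields) if keys is None else keys
    return "".join(f"{k}:{fields[k]}\n" for k in keys)


def build_assertion(chain, claimed_id, return_to, nonce, assoc_handle, mac_key: bytes):
    origin = origin_of(chain)
    policies = sorted(POLICIES_BY_MECHANISM.get(origin.mechanism, set()))
    fields = {
        "ns": OPENID_NS, "mode": "id_res", "op_endpoint": chain[0].idp,
        "claimed_id": claimed_id, "identity": claimed_id, "return_to": return_to,
        "response_nonce": nonce, "assoc_handle": assoc_handle, "ns.pape": PAPE_NS,
        # PAPE uses the literal "none" when no policy was satisfied.
        "pape.auth_policies": " ".join(policies) if policies else "none",
        # Report when the ORIGIN authenticated, not when the OP saw the token.
        "pape.auth_time": origin.auth_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.pape", "pape.auth_policies", "pape.auth_time"]
    fields["signed"] = ",".join(signed)
    # OpenID 2.0 section 6: HMAC over the KV-form of the signed fields, in order.
    mac = hmac.new(mac_key, kv_encode(fields, signed).encode(), hashlib.sha1).digest()
    fields["sig"] = base64.b64encode(mac).decode()
    return fields


def rp_accepts(fields, mac_key: bytes, required: Set[str], max_auth_age: timedelta,
               now: datetime) -> bool:
    """RP side: signature valid, policy fields signed, required policies asserted,
    and the origin authentication fresh enough for this RP."""
    signed = fields["signed"].split(",")
    mac = hmac.new(mac_key, kv_encode(fields, signed).encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(base64.b64encode(mac).decode(), fields["sig"]):
        return False
    if "pape.auth_policies" not in signed or "pape.auth_time" not in signed:
        return False  # an unsigned policy claim is worthless
    asserted = set(fields["pape.auth_policies"].split()) - {"none"}
    if not required <= asserted:
        return False
    auth_time = datetime.strptime(fields["pape.auth_time"],
                                  "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now - auth_time <= max_auth_age


# Constructed sample cascade: OP <- LAN domain controller <- VPN gateway (SecurID via EAP).
T0 = datetime(2007, 7, 26, 14, 0, tzinfo=timezone.utc)
INTACT_CHAIN = [
    Hop("https://op.intranet.example/openid", "ntlm", T0 + timedelta(minutes=30), True),
    Hop("krb://dc.intranet.example", "kerberos", T0 + timedelta(minutes=5), True),
    Hop("vpn://gw.intranet.example", "eap-otp-securid", T0, True),
]
# Same topology, but the domain controller took a plain password logon and never
# checked the VPN-derived credential, so the chain of custody stops there.
BROKEN_CHAIN = [
    Hop("https://op.intranet.example/openid", "ntlm", T0 + timedelta(minutes=30), True),
    Hop("krb://dc.intranet.example", "password", T0 + timedelta(minutes=5), False),
    Hop("vpn://gw.intranet.example", "eap-otp-securid", T0, True),
]
MAC_KEY = b"constructed-association-secret"  # OP/RP association key (constructed)

if __name__ == "__main__":
    print(kv_encode(build_assertion(INTACT_CHAIN, "https://alice.intranet.example/",
                                    "https://rp.example/return", "n1", "h1", MAC_KEY)))
```

The two points the message makes fall out of the code: `pape.auth_time` carries the VPN gateway's time, so an RP with a tight freshness requirement rejects an assertion the OP would otherwise happily mint off a day-old NTLM token, and the policy list is taken from the origin hop, but only as far back as every intermediate hop actually verified its upstream, so the broken chain degrades to `none` instead of borrowing the SecurID strength it can no longer vouch for.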
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Recordon, David
Sent: Thursday, July 26, 2007 9:32 AM
To: Mark Atwood; general at openid.net
Subject: Re: [OpenID] WantToDo, enterprise intranet OpenID provider
Might want to take a look at
https://opensso.dev.java.net/public/extensions/openid/.
--David
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Mark Atwood
Sent: Wednesday, July 25, 2007 5:52 PM
To: general at openid.net
Subject: [OpenID] WantToDo, enterprise intranet OpenID provider
I've got a bee in my bonnet, and am sketching out writing an open source
OpenID provider, with an eye towards being used in an enterprise intranet,
instead of being Yet Another Internet OpenID Provider.
My visualization is that it will be very bland looking, but can be
"skinned" with CSS. And use plugins to allow it to get passwords
from the filesystem, or from a database, or from LDAP, or via
cryptocard.
And then a similar set of plugins for storage and managing user
metadata.
Before I start spending a lot of time on this, is someone else doing it?
--
Mark Atwood
me at mark.atwood.name
http://mark.atwood.name/
http://fallenpegasus.livejournal.com/
When you do things right, people won't be sure you've done anything at all.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general