Single Sign-On in the Danish Educational Sector. Per Thorboll, Deputy director, UNI-C (www.uni-c.dk).


1 Single Sign-On in the Danish Educational Sector
Per Thorboll, Deputy director, UNI-C

2 Background
- UNI-C – The Danish computing center for education and research
- Nationwide – in a small country
- Large spectrum of products/services:
  - Basic network
  - Security
  - Infrastructure and Services (VANS)
  - Content services
  - Intranet / LMS
  - SIS and ERP

3 The products
The Toolbox Abuse & CERT Schoolbag SkoDa Newspaper in education VPN at Home Antivirus SkoleKom X-IT BlackBoard School-ict InfoGuide Single Sign On EMU – the education portal MVU Net (Lotus Notes) School Intra ERP (EASY, XAL-Stat) SIS And more …

4 Single Sign On Vision
- To provide a unified login for all IT-services in the Danish educational sector.
- Not practically possible with the technologies available today.
- A pragmatic approach is necessary.
- Current goal is to build a national authentication and authorization framework and provide unified login for web-based services.

5 HUGO – Central user database
- Centralized user administration for the Danish educational sector.
- Approx. 600.000 users registered today.
- Delegated administration ensures quality of data.
- Forms the immediate basis for authentication and authorization control for the unified login.

6 First step: Single Login
- HUGO populates a central LDAP database with passwords and access rights (service codes).
- Provides the authentication and authorization service called Single Login.
- Users must log in to each service.
- Username and password must be entered in several places, which makes them more difficult to protect.
- In some cases passwords are sent unencrypted between systems.
- Risk of snooping passwords in transit or at end system.

7 Next step – Single Sign On
[Diagram: three approaches: Proxy, PKI, Cookie]

8 SSO proxy
- Independence of applications
- All protocols are supported
- Developed and maintained in-house
- Does not scale
- Non-standard

9 SSO PKI
- Based on standard SSL user certificates
- Many protocols and applications support SSL
- Certificates and keys are stored locally
- Hard to use for end-users
- Certificate management is cumbersome

10 SSO Cookie
- Non-standard – until now!
- Only support for web applications
- Only support for one domain (initially)
- Scales well

11 Single Sign-On – the cookie solution
- Login is done only once for all services.
- Username and password entered at a single well-protected login server.
- Passwords never sent to other web servers.
- Solution at UNI-C is based on Pubcookie from U. of Washington (www.pubcookie.org).
- Related to Internet2 WebISO efforts (Web Initial Sign-On: middleware.internet2.edu/webiso).

12 Single Sign-On – Pubcookie features
- Cookie based solution using a central login-server.
- Cookies and passwords are protected by SSL and host domains.
- No browser extensions required.
- Platform neutral, both on client and server side.
- Plug-in architecture for backend verifiers. Ships with LDAP and Kerberos5.
- Plug-in modules available for Apache and IIS webservers.

13 Pubcookie – How does it work?
[Diagram: Principal, Login Server, App1, App2, App3; numbered steps 1–4]

14 Integration of external applications
- In some cases it is not possible or desirable to use Pubcookie directly with a given application.
- Causes: SSL not wanted, external DNS domain, no Pubcookie module available, multiple auth. models.
- UNI-C has developed an SSO proxy solution.
- Auth. info is communicated in a short-lived URL-encoded fingerprint.
- Security model is based on a shared secret.
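
One way to build the short-lived, shared-secret fingerprint described on this slide, as an added example that is not UNI-C's code. The slides do not specify the construction, so HMAC-SHA256, the parameter names uid/svc/exp/fp and the 60-second lifetime are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Assumptions (not from the slides): HMAC-SHA256 as the fingerprint,
# parameter names uid/svc/exp/fp, and a 60-second lifetime.
SHARED_SECRET = b"constructed-demo-secret"  # known to proxy and external app
LIFETIME_SECONDS = 60


def _fingerprint(uid, svc, exp, secret):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (uid.encode(), svc.encode(), str(exp).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue(uid, svc, now, secret=SHARED_SECRET):
    """Proxy side: query string appended to the redirect to the external app."""
    exp = now + LIFETIME_SECONDS
    fp = _fingerprint(uid, svc, exp, secret)
    return urlencode({"uid": uid, "svc": svc, "exp": exp, "fp": fp})


def verify(query, svc, now, secret=SHARED_SECRET):
    """External app side: return the uid if the token is valid, else None."""
    fields = parse_qs(query)
    try:
        vals = {k: fields[k] for k in ("uid", "svc", "exp", "fp")}
        # Reject duplicated parameters instead of silently picking one.
        if any(len(v) != 1 for v in vals.values()):
            return None
        uid, token_svc, fp = vals["uid"][0], vals["svc"][0], vals["fp"][0]
        exp = int(vals["exp"][0])
    except (KeyError, ValueError):
        return None
    expected = _fingerprint(uid, token_svc, exp, secret)
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(expected.encode(), fp.encode()):
        return None
    if token_svc != svc or now >= exp:
        return None  # minted for another service, or expired
    return uid
```

A token stays replayable until it expires and, being carried in the URL, can appear in logs and Referer headers; a short lifetime limits that window but does not close it.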

15 SSOproxy
[Diagram: Principal, Login Server, Proxy, Extern, App2, App3; numbered steps 1–5]

16 Next steps
- More applications
- Synchronization with local user administration
- Client certificates to replace the uid/pwd dialogue
- Integration of more external parties.
- Development of a more sophisticated logout model for SSO. (Today you have to close the browser to ensure you are logged out of everything.)

17 Conclusion
- UNI-C has deployed a web-based Single Login and Single Sign-On infrastructure.
- In the process of migrating our web-based services to it.
- Made possible by the central HUGO user database with delegated administration.
- Much interest from third party partners to hook into the SSO infrastructure in order to offer their services online.

