"Friend" lightweight authentication system
Description: Develop a lightweight authentication system, similar to (or based on) the cosign "Friend" system, to allow users not affiliated with Informatics to authenticate to our systems.
Deliverables: Additions to the authentication system to support lightweight accounts. May also require authorisation system changes, to support authorising lightweight users.
Customer: services-unit, and anyone else deploying systems which require lightweight accounts
Case statement:
Status:
Timescales:
Priority:
Time:
Proposal:
Resources:
Plan: We can choose between two options for this:
*) Deploy the UMICH cosign Friend technology, which will only allow friend authentication to web-based services, which don't rely on using delegated credentials with backend systems
*) Deploy a Kerberos-based solution which uses a new realm - FRIEND.INF.ED.AC.UK, with a separate KDC, and uses cross-realm authentication to provide friend-based access. This has the advantage that it is far more flexible - and would allow us to provide 'friend' access to non-web services such as AFS.
However, it would require writing our own code.
Dependencies:
Risks:
Milestones
Proposed date | Achieved date | Name | Description |
---|---|---|---|
2007-07-30 | 2007-08-06 | ifriend-master- | Create new KDC for friend principals |
2007-08-10 | 2007-08-13 | ifriend-web-int | Produce web interface to allow the creation of iFriend accounts |
2007-08-03 | 2007-08-20 | ifriend-cosign | Modify cosign service to accept iFriend accounts |
2007-09-04 | 2007-08-24 | ifriend-backups | Create backup arrangements for friend service, including enabling a slave KDC |