
Touchstone Glossary


MIT Touchstone

MIT Touchstone is a web authentication system that integrates several third party products and technologies. Single sign-on is provided by this system for all applications that have been integrated with it. The MIT Touchstone login servers may also be used to authenticate to many off-campus systems. MIT applications that have been fully integrated may also accept authentications from many other identity providers throughout the world.



Shibboleth

Shibboleth is a standards-based, open-source software package developed by Internet2 for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. Shibboleth is one of the main technologies that make up MIT Touchstone.



Federation

A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions.

The goal of federated identity and federated authentication is to allow businesses and partners that trust each other in the real world to mirror that trust in their digital systems. Participants in federated systems may use different technologies with different security approaches and programming models, yet they can still integrate their businesses without substantial custom integration. Within a federation each organization continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other organizations.

MIT Touchstone is a set of technologies and systems that enable federated authentication. MIT is part of the US higher-ed Shibboleth federation named InCommon. MIT Touchstone also supports other technologies so that our local applications can also accept identities from OpenID identity providers.



InCommon

The mission of the InCommon Federation is to create and support a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States. To achieve its mission, InCommon will facilitate development of a community-based common trust fabric sufficient to enable participants to make appropriate decisions about access control information provided to them by other participants. InCommon is intended to enable production-level end-user access to a wide variety of protected resources. InCommon uses standards-based, SAML-compliant Shibboleth® as its federating system.

MIT is a member of the US higher-ed Shibboleth federation named InCommon.



IdP

An IdP (Identity Provider) is a system that creates, maintains, and manages identity information for principals (users, services, or systems) and provides principal authentication to service providers (applications) within a federation or distributed network. It is a trusted third party that users and servers can rely on when they establish a dialog that must be authenticated. The IdP sends an attribute assertion containing trusted information about the user to the SP.



SP

SP (Service Provider) is the Shibboleth term for an application server that has been integrated with Shibboleth (and hence MIT Touchstone). An SP communicates with a Shibboleth IdP to determine if a user has authenticated and obtain information about the user. The information obtained from the identity provider may be used to make authorization decisions.

A user's password is never sent to an SP. The Shibboleth system uses HTTP redirects extensively. A user interacts with the IdP to perform initial authentication. Hence, the systems management of the SP presents little risk to an enterprise's passwords. However, the systems management of the IdP entails risks similar to the management of a Kerberos KDC or an Active Directory Domain Controller.



WAYF - Where Are You From?

The goal of a "Where Are You From" (WAYF) service is to guide a user to his or her Identity Provider. Some documentation also calls this the "Identity Provider Discovery" service.

At a minimum, a WAYF presents the user with a list of Identity Providers and redirects the user's web browser to the selected Identity Provider (IdP), or back to the Service Provider (the web application the user is trying to access). Some WAYFs have additional features that improve the user's ease of use, including several methods of remembering or guessing the user's Identity Provider selection, usually by storing a persistent cookie that records the user's previous choice of Identity Provider.
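The redirect flow described in the IdP, SP and WAYF entries above, traced end to end as an added example; this is not code from the original page and not part of the Shibboleth software. Everything in it is constructed: the entity IDs, the discovery service URL, the users and their passwords, and the signing keys. To stay on the standard library it signs a JSON assertion with HMAC-SHA256 where real Shibboleth exchanges XML-signed SAML, so the point is the control flow (the SP never sees a password, the WAYF remembers a choice in a cookie, the SP verifies the assertion before authorizing), not the wire format.

```python
"""Toy model of the Shibboleth redirect flow: SP -> WAYF -> IdP -> SP.

Constructed example. Entity IDs, users and keys are made up, and assertions are
signed with HMAC-SHA256 instead of XML signatures so it runs on the standard
library alone; the control flow, not the wire format, is the point.
"""
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://app.example.edu/shibboleth"              # hypothetical SP
IDP_HOME = "https://idp.example.edu/idp/shibboleth"              # hypothetical home IdP
IDP_PARTNER = "https://idp.partner.example.org/idp/shibboleth"   # hypothetical federation partner
WAYF_URL = "https://wayf.example.edu/"                            # hypothetical discovery service

# Signing keys the SP trusts, as it would learn them from federation metadata (constructed).
IDP_KEYS = {IDP_HOME: b"home-idp-signing-key", IDP_PARTNER: b"partner-idp-signing-key"}


def _verifier(username, password):
    """Password verifier kept at the IdP (salted PBKDF2); the SP never holds one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 10_000)


# Each IdP's own user store (constructed). Credentials never leave the IdP.
IDP_USERS = {
    IDP_HOME: {"alice": {"pw": _verifier("alice", "correct horse"), "affiliation": "staff"}},
    IDP_PARTNER: {"bob": {"pw": _verifier("bob", "battery staple"), "affiliation": "student"}},
}


def sp_start(resource):
    """Step 1, SP: no session, so redirect the browser to the WAYF with a return URL."""
    return WAYF_URL + "?" + urlencode({"entityID": SP_ENTITY_ID, "return": resource})


def wayf_redirect(wayf_url, cookies, selected=None):
    """Step 2, WAYF: reuse the IdP remembered in a cookie, else the user's pick.
    Returns the IdP login URL, or None when the list of IdPs must be shown."""
    q = parse_qs(urlparse(wayf_url).query)
    idp = cookies.get("_saml_idp", selected)
    if idp not in IDP_KEYS:
        return None
    cookies["_saml_idp"] = idp          # persistent cookie: skip the list next time
    return idp + "?" + urlencode({"sp": q["entityID"][0], "return": q["return"][0]})


def idp_authenticate(idp_url, username, password):
    """Step 3, IdP: check the password locally; on success issue a signed attribute assertion."""
    idp, _, query = idp_url.partition("?")
    q = parse_qs(query)
    user = IDP_USERS[idp].get(username)
    if user is None or not hmac.compare_digest(user["pw"], _verifier(username, password)):
        return None
    body = json.dumps({"issuer": idp, "audience": q["sp"][0], "subject": username,
                       "affiliation": user["affiliation"], "exp": int(time.time()) + 300},
                      sort_keys=True)
    sig = hmac.new(IDP_KEYS[idp], body.encode(), hashlib.sha256).hexdigest()
    return {"assertion": body, "signature": sig, "return": q["return"][0]}


def sp_consume(response, now=None):
    """Step 4, SP: verify issuer, signature, audience and expiry, then authorize from attributes."""
    body, sig = response["assertion"], response["signature"]
    claims = json.loads(body)
    key = IDP_KEYS.get(claims.get("issuer"))
    if key is None:
        return {"ok": False, "reason": "untrusted issuer"}
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "reason": "bad signature"}
    if claims.get("audience") != SP_ENTITY_ID:
        return {"ok": False, "reason": "wrong audience"}
    if claims["exp"] < (now if now is not None else time.time()):
        return {"ok": False, "reason": "expired"}
    # Authorization is the SP's own decision, made from the asserted attributes.
    return {"ok": True, "user": claims["subject"], "issuer": claims["issuer"],
            "can_edit": claims["affiliation"] == "staff"}


def run_flow(username, password, cookies, selected_idp=None, resource="https://app.example.edu/edit"):
    """Drive one browser through all four steps; `cookies` is the browser's cookie jar."""
    idp_url = wayf_redirect(sp_start(resource), cookies, selected_idp)
    if idp_url is None:
        return {"ok": False, "reason": "no IdP chosen"}
    response = idp_authenticate(idp_url, username, password)
    if response is None:
        return {"ok": False, "reason": "authentication failed at IdP"}
    return sp_consume(response)


if __name__ == "__main__":
    jar = {}
    print(run_flow("alice", "correct horse", jar, IDP_HOME))
    print(run_flow("alice", "correct horse", jar))          # cookie remembers the IdP
    print(run_flow("bob", "battery staple", {}, IDP_PARTNER))
    print(run_flow("alice", "wrong", {}, IDP_HOME))
```

Note where each check lives: the password is compared only inside `idp_authenticate`, the cookie that lets the WAYF skip the list is set only after a trusted IdP was chosen, and `sp_consume` refuses an assertion from an issuer it has no key for, one whose body was altered after signing, one addressed to a different SP, or one past its expiry, before it derives any authorization from the attributes.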



WebAuth

One of the authentication servers used by MIT Touchstone is based on Stanford's WebAuth package. MIT uses it to authenticate people who have an MIT Kerberos principal name. The WebAuth server currently supports three authentication mechanisms: personal X.509 certificates, username and password over TLS, and native Kerberos tickets via HTTP SPNEGO. MIT Touchstone does not use native WebAuth to interact with any application servers; it is used only as the authentication server in conjunction with a Shibboleth IdP.



Collaboration Account

MIT Touchstone Collaboration Accounts are for people who have neither an MIT Kerberos principal nor an account with another member of the InCommon Federation, but who need to authenticate to MIT application servers that have been integrated with MIT Touchstone or are part of the Shibboleth InCommon Federation.

People may self-register for an MIT Touchstone Collaboration Account.



LDAP

LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. The LDAP protocol is both cross-platform and standards-based, so applications should not need to worry about the type of server hosting the directory.

MIT Touchstone uses the MIT LDAP server as a source of information about MIT users when the MIT IdP communicates with various SPs.



Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. When using MIT Touchstone or Shibboleth, authentication is not performed on the application server or SP. Instead, the user's browser is redirected to a trusted third party, the IdP, where the user may authenticate by providing a username and password, an X.509 certificate, or a Kerberos ticket, or in some cases by using OpenID.



Kerberos

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocols invented and popularized by MIT have become fundamental building blocks of major desktop and server operating systems, core networking infrastructure, global file systems, global messaging systems, and much more.



Certificate

A certificate is a form of digital credential which may be used for authentication. More formally, an X.509 certificate is a cryptographically signed, digital representation of user or device attributes that binds a key to an identity. A unique certificate attached to a public key provides evidence that the key has not been compromised. A certificate is issued and signed by a trusted certification authority, and binds a public key to its owner. Certificates typically include the owner's name, the owner's public key, the certificate's serial number, and the certificate's expiration date. Other information might also be present.

Certificates may be used to authenticate a user without requiring that the user enter a password.



OpenID

OpenID is a shared identity service, which allows users to log on to many different web sites using a single digital identity, eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.
