Welcome
Scott Johnson, NetProf, Inc.
Creator of OmnID Identity Management for Education
www.netprof.us
Slide 3
Topics
Define the issue
Discuss authentication mechanisms
Using a 10,000-foot overview approach
Slide 4
The Problem
Cloud based systems and their benefits (e.g. Google Apps)
Thousands of frequently changing users
Multiple accounts
Multiple passwords
Multiple headaches
Slide 5
Remember When
Software for learning installed locally
Users authenticate locally once, access multiple applications
Well, most of the time.
Slide 6
Local Supported Apps
Pros:
 o Users are already trusted
 o LDAP can be used for authentication
Cons:
 o Technology department responsible for install, operation, and updates
 o Sometimes requires its own hardware or server
Bottom line, it can be expensive
Slide 7
Shift Towards SaaS
Pros:
 o Software provider is in charge of install, operation and maintenance
 o Fixed cost
Cons:
 o School is in charge of providing authentication
Slide 8
Authentication Nightmares
Some sites are one user name, full access
Others are locked by IP address
More and more are needing username and password information
Slide 9
Does the Shoe Fit?
There is no one-size-fits-all solution yet
Providing user information per system
Single Sign-on
 o OpenID
 o SAML2
Slide 10
Creating Users by Hand
Local access to resources: LDAP
Access remote systems, e.g. Google Apps
Create and manage accounts by hand
Accounts are managed one by one
Usually the same password on all accounts
What happens when a password is compromised?
Slide 11
Creating Accounts
Who creates them: SiS administrator, Network Admin
Where: Local / LDAP, Library, Google Apps, Online Learning, on and on
Slide 12
Managing Users
Who manages them: Admin / Media Spec. / Para
Where: Local / LDAP, Library, Google Apps, Online Learning, on and on
Slide 13
Provisioning Tool
Targets: Local / LDAP, Library, Google Apps, Other
Slide 14
Managing Users
Local / LDAP, Library, Google Apps, Other
Happy!!
Slide 15
What About SIF?
Designed to send student data between SiS providers
One way
Adoption by developers of online software?
What about staff?
Each SiS company has a slightly different implementation
Slide 16
Single Sign-on
One password, all systems
Sign on once, use many
Slide 17
Methods
Form Auth Provider
OpenID
SAML2
Slide 18
Form Auth
Federate username and password to the remote system
Form auth: username and password submitted through a local HTML link
Slide 19
Form Auth
Pros:
 o Simple
 o Will work on systems that don't support other methods
Cons:
 o Connectors
 o Accounts still need to be created
 o Passwords are still maintained remotely, one by one
 o Forms change, connectors break
 o Usually pay by the connector
Slide 20
OpenID and SAML2
Both provide token identifiers for authentication
OpenID being pushed by Google
SAML (Security Assertion Markup Language) is another open standard with slightly more security
Slide 21
SSO Primer
Components: User, Local Auth DB (LDAP), SSO Portal, Remote Service Provider
Slide 22
OpenID vs SAML2

OpenID                              | SAML2
------------------------------------|-----------------------------------
HTTP binding of request             | Multiple methods, including HTTP
Service Providers loosely coupled   | Service Providers tightly coupled
IdP identifier is global            | IdP valid for provider only
Does NOT support single sign out    | Supports single sign out
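The SSO primer and the OpenID vs SAML2 comparison above, as an added Python model that is not part of this deck: an SSO portal authenticates against a stand-in for the local LDAP directory, issues a signed token that is valid for one service provider only (the SAML2 column), and tracks which providers must be told about a single sign-out. The HMAC signature, the shared key and the user database are constructed placeholders, not the SAML2 or OpenID wire formats.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: a signing key standing in for the IdP's
# signature key, and a dict standing in for the local LDAP directory.
SECRET = b"sso-portal-signing-key-EXAMPLE"
LOCAL_AUTH_DB = {"jdoe": "correct horse battery"}


def _sign(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


class SSOPortal:
    def __init__(self):
        self.sessions = {}  # user -> set of providers holding a session

    def login(self, user, password, audience, now=None, ttl=300):
        if LOCAL_AUTH_DB.get(user) != password:
            return None                       # local auth failed
        now = time.time() if now is None else now
        claims = {"sub": user, "aud": audience, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        self.sessions.setdefault(user, set()).add(audience)
        return body + "." + _sign(body)       # token bound to one provider

    def single_sign_out(self, user):
        # Every provider that received a token must drop its session too.
        return self.sessions.pop(user, set())


class ServiceProvider:
    def __init__(self, name):
        self.name = name
        self.active = set()

    def consume(self, token, now=None):
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None                       # tampered or unknown issuer
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != self.name:
            return None                       # issued for another provider
        if claims["exp"] < (time.time() if now is None else now):
            return None                       # expired
        self.active.add(claims["sub"])
        return claims["sub"]

    def logout(self, user):
        self.active.discard(user)
```

A token accepted by the library provider is rejected by the Google Apps provider because its audience does not match, which is the practical meaning of "IdP valid for provider only".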
Slide 23
SSO Issues
Remote provider must support the SSO method
Weak passwords = quick access for hackers