Fall 2008 Internet2 Member Meeting


Kerberos Role in Unified Identity & Access Management

Time 10/14/08 01:15PM-02:30PM

Session Abstract

Each speaker's institution uses a Kerberos credential store and authentication service for identity and access management. Kerberos is decades old, of course, but its use to, in effect, meld native Kerberized apps, LDAP authentication and LDAP-based CAS, Windows domain login, and others seems worthy of detailing as a strategy. Also worth considering is whether we're comfortable with this central role for Kerberos, or whether we need a migration strategy (say, to PKI). Is Kerberos going to keep pace with needs? What are the pros and cons of underpinning IAM with an institution-wide single Kerberos realm? How effective is Kerberos in unifying authentication via LDAP, a web trusted third-party authentication service (CAS), Windows login, and RADIUS?

Speakers agreed to participate, describing their institution's utilization, strategy, and challenges using Kerberos as a core component of IAM:

David Bantz, Chief Information Architect, University of Alaska

Brendan Bellina, Identity Services Architect, University of Southern California

Klara Jelinkova, Sr. Director, Shared Services and Infrastructure, Duke University

Barry Ribbeck, Director of Systems Architecture and Infrastructure, Rice University

(combined with)

Cornell University has recently rewritten its custom solution for web single sign-on as part of a larger project to migrate all authentication services to Kerberos 5 and retire Kerberos 4. The new version was designed to be released eventually as an open source package. It contains many features campus developers have relied on in the previous version, such as directives to check group membership for purposes of authorization, post data support, and the portability of credentials across multiple physical servers (single sign-on). New features include the ability to set the number of seconds a session can remain idle before a prompt for re-authentication is issued, support for multiple Kerberos realms and significantly improved performance. The speakers will describe the service architecture and approach to code design and testing, as well as the mechanisms deployed to manage releases.

Speakers

Speaker David Bantz University of Alaska

Speaker Brendan Bellina University of Southern California

Speaker Barry Ribbeck University of Texas Health Science Center at Houston

Speaker Peter Bosanko Cornell University

Speaker Bob Schwartzkopf University of Southern California

Speaker Rob Carter Duke University

Speaker Gregory Roth Cornell University

Presentation Media

CUWebAuth 2.0 (pdf)

Speaker Peter Bosanko Cornell University

Speaker Perry Eidson Emory University

Speaker Gregory Roth Cornell University

CUWebAuth 2.0 (pdf)

Speaker Peter Bosanko Cornell University

Kerberos Role in Unified Identity & Access Management (pdf)

Speaker David Bantz University of Alaska

Speaker Andy Bavier Princeton University

The Launch of Google(TM) Apps at USC: Determinants, Decisions, and Deterrents (pdf)

Speaker Brendan Bellina University of Southern California


Speaker Aditya Thacker Infinera Corporation

Kerberos at Duke (pdf)

Speaker David Barber eTech Ohio

Speaker Rob Carter Duke University

Secondary tracks Cyberinfrastructure
