GWS Lighttouch seamless authentication - PowerPoint PPT Presentation

About This Presentation
Title:

GWS Lighttouch seamless authentication

Description:

GWS 'Light-touch' seamless authentication. Graham Morrison. Home Office. Technical Architect ... Win 2k3 GWS IIS (242) 1. HTTP Request. 2. HTTP Redirect. 1(80) ... – PowerPoint PPT presentation

Slides: 21
Provided by: christh4
Transcript and Presenter's Notes

1
GWS Light-touch seamless authentication
  • Graham Morrison
  • Home Office
  • Technical Architect

2
Agenda
  • Horizon redevelopment
  • What does light-touch really mean?
  • An overview of the solution
  • A quick nuts and bolts view
  • Lessons learnt

3
Horizon Redevelopment
4
Horizon project history
  • Horizon redevelopment
  • Permanent Secretary's group-wide communications
    platform
  • Group-wide services
  • Shared services agenda
  • Overview of the current pan-government network
    landscape

5
What does light-touch really mean?
6
Problem environment - Overview
  • Multiple platforms
  • Multiple suppliers
  • Multiple security models/risk appetites
  • No overall governance

7
(No Transcript)
8
Solution requirements
  • Existing users must not have to login again
  • Compliant with GSi code of connection
    (accreditable)
  • Support anonymous and registered users
  • Outside of existing supplier agreements
  • Support competitive tendering
  • No impact on local network infrastructure to
    create barriers to entry
  • No client side installations to create barriers
    to entry
  • Provide a platform for shared services and to
    support the overall transformational government
    agenda

9
An overview of the solution
10
Single Sign On (SSO) - Definition
  • A central store of personal login details
  • The user only has to sign on to the SSO server
  • All applications go to the SSO server to
    authenticate the user by proxy
  • All applications use SSO agents specific to the
    SSO server supplier
  • Requires an infrastructure roll-out

11
(No Transcript)
12
Seamless authentication - Definition
  • Uses a commonplace underlying standard (Kerberos)
  • Microsoft (SPNEGO) Unix (Kerberos)
  • SPNEGO is Kerberos with the addition of role-based
    information
  • Based upon shared secrets
  • Supports forwardable tickets
  • Separate optional authorisation stack
  • Solaris KDC
  • Sun Access Manager
  • Has no impact on local infrastructure

13
(No Transcript)
14
A quick nuts and bolts view
15
Kerberos overview (Authentication)
  • It's all about tickets
  • Ticket Granting Ticket (TGT)
  • Session Ticket (TGS)
  • 'Quiet' realm-based trusts through shared secrets
    vs 'chatty' domain-based trusts
  • Trusts have direction
  • Cross-realm uni-directional non-transitive trust

16
Sun access manager (Authorisation)
  • User provisioning through AD exports
  • Optional 'First layer' access control through
    agent deployment
  • Optional 'Second layer' granular access control
  • Support for most other authentication types, e.g.
    SAML, to allow interoperability with other
    government solutions

17
Nuts and bolts view
18
Lessons learnt
19
Issues
  • Variety of encryption types (RC4-HMAC, DES, etc.)
  • Large scale process task of managing the resource
    to user map in its central location
  • Difficulties in ramping up to support higher
    levels of MoPs (dual factor authentication)
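Two of the points above, that cross-realm trusts have a direction and are not transitive (slide 15) and that a mismatch of encryption types breaks the exchange (slide 19), are easier to see in a toy model. The following Python is an added illustration, not code from the Home Office project; the realm names, the trust list and the enctype sets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One-way cross-realm trust: `trusting` accepts TGTs issued by `trusted`."""
    trusting: str
    trusted: str


def can_obtain_service_ticket(user_realm, service_realm, trusts, transitive=False):
    """Can a user holding a TGT from user_realm get a service ticket in service_realm?

    Default is the 'quiet' Kerberos realm model: a direct, correctly directed
    trust is required. transitive=True models the 'chatty' domain-style trust
    chain for comparison only.
    """
    if user_realm == service_realm:
        return True
    edges = {(t.trusting, t.trusted) for t in trusts}
    if (service_realm, user_realm) in edges:       # direct trust, right direction
        return True
    if not transitive:
        return False
    seen, frontier = set(), [service_realm]         # walk the chain of trusted realms
    while frontier:
        realm = frontier.pop()
        for trusting, trusted in edges:
            if trusting == realm and trusted not in seen:
                if trusted == user_realm:
                    return True
                seen.add(trusted)
                frontier.append(trusted)
    return False


# Constructed preference order: modern AES first, legacy enctypes last.
PREFERENCE = ("aes256-cts-hmac-sha1-96", "rc4-hmac", "des-cbc-md5")


def negotiate_enctype(client_enctypes, service_enctypes, preference=PREFERENCE):
    """Return the most preferred enctype both sides support, or None if none overlap."""
    common = set(client_enctypes) & set(service_enctypes)
    return next((e for e in preference if e in common), None)


# Constructed topology: the GWS realm trusts a departmental realm, which in
# turn trusts another department. GWS does not trust that other department.
TRUSTS = {Trust("GWS.EXAMPLE", "DEPT.EXAMPLE"), Trust("DEPT.EXAMPLE", "OTHER.EXAMPLE")}
```

Running `can_obtain_service_ticket("OTHER.EXAMPLE", "GWS.EXAMPLE", TRUSTS)` returns False under the non-transitive model and True only when `transitive=True`, while a DES-only service and an RC4/AES-only client give `negotiate_enctype` nothing to agree on.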

20
Summary - Light touch
  • Maximise what you already have!
  • Minimise implementation impact on others and they
    will be more likely to join and share services