GWS Lighttouch seamless authentication

1
GWS Light-touch seamless authentication

• Graham Morrison
• Home Office
• Technical Architect

2
Agenda

• Horizon redevelopment
• What does light-touch really mean?
• An overview of the solution
• A quick nuts and bolts view
• Lessons learnt

3
Horizon Redevelopment
4
Horizon project history

• Horizon redevelopment
• Permanent Secretarys group wide communications
  platform
• Group wide services
• Shared services agenda
• Overview of the current pan-government network
  landscape

5
What does light-touch really mean?
6
Problem environment - Overview

• Multiple platforms
• Multiple suppliers
• Multiple security models/risk appetites
• No overall governance

7
(No Transcript)
8
Solution requirements

• Existing users must not have to login again
• Compliant with GSi code of connection
  (accreditable)
• Support anonymous and registered users
• Outside of existing supplier agreements
• Support competitive tendering
• No impact on local network infrastructure to
  create barriers to entry
• No client side installations to create barriers
  to entry
• Provide a platform for shared services and to
  support the overall transformational government
  agenda

9
An overview of the solution
10
Single Sign On (SSO)- Definition

• A central store of personal login details
• The user only has to sign on to the SSO server
• All applications go to the SSO server to
  authenticate the user by proxy
• All applications use SSO agents specific to the
  SSO server supplier
• Requires an infrastructure roll-out

11
(No Transcript)
12
Seamless authentication - Definition

• Uses a commonplace underlying standard (kerberos)
• Microsoft (SPNEGO) Unix (Kerberos)
• SPNEGO is kerberos with the addition of role
  based information
• Based upon shared secrets
• Supports forwardable tickets
• Separate optional authorisation stack
• Solaris KDC
• Sun Access Manager
• Has no impact on local infrastructure

13
(No Transcript)
14
A quick nuts and bolts view
15
Kerberos overview (Authentication)

• Its all about tickets
• Ticket Granting Ticket (TGT)
• Session Ticket (TGS)
• 'Quiet' Realm based trusts through shared secrets
  vs 'chatty' domain based trusts
• Trusts have direction
• Cross-realm uni-directional non-transitive trust

16
Sun access manager (Authorisation)

• User provisioning through AD exports
• Optional 'First layer' access control through
  agent deployment
• Optional 'Second layer' granular access control
• Support for most other authentication types e.g
  SAML to allow interoperability with other
  government solutions

17
Nuts and bolts view
18
Lessons learnt
19
Issues

• Encryption types variety RC4-HMAC, DES etc
• Large scale process task of managing the resource
  to user map in its central location
• Difficulties in ramping up to support higher
  levels of MoPs (dual factor authentication)

20
Summary Light touch

• Maximise what you already have!
• Minimise implementation impact on others and they
  will be more likely to join and share services