University of Connecticut Computer Center
UCC Proposal: Authentication Services

Authentication Services

Network Authentication Services:

Global Sign On

Proposal for Implementation at the University of Connecticut

Computer Information Systems, University Computer Center

November 1997

Disclaimer

Since the software discussed is new, and this proposal is based solely on marketing information provided by the vendors, any relationship between the capabilities and functions assumed here and the actual capabilities and functions of the products is questionable until verified by full test procedures.

Definition of Goal

We can define the goal and requirements of Network Authentication Services in general terms as the ability to authenticate, authorize, and grant access to distributed network resources, while fully maintaining the appropriate security of those resources, for any subset of the University's computing community, whether students, faculty, staff, guests, or designated associates of the University.

Overview of Requirements and Specifications

Authentication is just one part of a comprehensive security architecture for a distributed network of heterogeneous resources. Not only would each user need to be authenticated, but so would every entity on the network, whether user, client, or server; these are collectively known as principals. After each principal had been identified and verified, each user would be granted authorization to access certain resources and denied authorization to access others, based on verification against a database of valid principals. Authorization would include verification of which operations the principal was permitted to perform. Once authorized, the user would be presented with a single secure logon process, with one logon identification and one password, to access all resources the user is authorized to access.

While these services would ideally contribute to the overall ease with which any particular client accesses any particular resource, authentication services would not only provide secure access to intranet resources but also continue to permit typical Internet applications such as FTP, Telnet, and WWW access to hosts and resources.

Principles of Selection

The initial and ongoing costs of such an implementation, for both the centralized server and the end user, should ideally be minimized. The implementation and ongoing administration of authentication services should also be easily and securely maintainable and, if possible, managed with current staffing levels, both for the central authentication server and for the distributed resources.

The solution should be based on open standards as much as possible, i.e., be available for a broad range of platforms, from desktop systems to UNIX workstations to mainframes.

Technologies currently available that purportedly address the above requirements and stipulations are IBM's Global Sign-On System (GSO) and the Open Software Foundation Distributed Computing Environment (OSF DCE).

Global Sign-On System

Since we have no experience with the functionality and capabilities of this new software, and rather than risk misrepresenting the product, we refer the reader to the best available source of information:

http://www.networking.ibm.com/gso/gsohome.html

Some relevant and informative sections from this documentation are quoted below:

IBM Global Sign-On for AIX (R), Version 1.1, provides single sign-on capability to users who need easy, secure, one-password access to multiple targets, including distributed applications, databases, printers, and other resources throughout their enterprise. Global Sign-On is based on open standards and provides secure authentication and data confidentiality.

IBM's Global Sign-On (GSO) offers one approach to accessing heterogeneous networks and reducing costs by increasing productivity for end-users and system administrators. This technology enables users to sign on once with a single ID and password to access business applications and data. The design goals are ease of use, secure authentication of users, and logon coordination to multiple applications.

IBM's approach to single sign-on is to store all the passwords and keys belonging to a user in secure storage … so that the user needs to remember only one ID and password. The single GSO ID and password is then used to authenticate the user. Upon authentication, GSO securely retrieves all the passwords for a user from the secure storage and automatically (without any additional user intervention) issues sign-ons to each application the user is authorized to access.

IBM's Global Sign-On solution consists of the following major components:

GSO Authentication - Authenticates the user to the GSO system. On systems with local operating system security, this authentication mechanism is integrated with the local OS authentication. This component is specifically designed to handle "snapping in" different authentication mechanisms (e.g. secret key, smartcards, flat files, public/private key).

Configuration Information Manager (CIM) - Contains information on how to log on to the applications configured on a given machine. This component provides the ability to add new logon methods as needed.

Personal Key Manager (PKM) - Contains information about users, systems and the passwords they use to log on to those systems. Since this information is centralized, users can access their resources with one sign-on from any workstation and manage their passwords from this one repository.

Logon Coordinator (LC) - Retrieves the user's passwords from PKM and uses them in conjunction with the target-specific logon code to log users onto all their systems without any additional user intervention.

User Interface:

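The four GSO components quoted above, together with the authenticate-then-authorize flow described under Overview of Requirements and Specifications, can be made concrete in code. The Python model below is an added example for this proposal and is not IBM's GSO code; the class names (GSOAuthentication, PersonalKeyManager, LogonCoordinator), the representation of the CIM as a plain dictionary of logon methods, the two target systems, and every ID and password in it are assumptions constructed for illustration. It verifies the single GSO ID and password against a salted verifier, keeps each user's target passwords in a vault sealed under a separate key derived from that same password, and has the coordinator sign the user on only to targets the principal is authorized to access. HMAC-SHA256 in counter mode with an HMAC tag is used purely so that the example needs only the standard library; a real key manager would use a vetted authenticated cipher.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example: a simplified model of the GSO components. Class names, targets,
# IDs and passwords are constructed for illustration; this is not IBM's code.

def derive_key(password, salt, purpose):
    # Domain-separated PBKDF2: verifier and vault key come from the same GSO
    # password but different inputs, so holding one does not yield the other.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, 100_000)

@dataclass
class Principal:
    gso_id: str
    salt: bytes
    verifier: bytes
    authorized: dict  # target name -> set of operations this principal may perform

class GSOAuthentication:
    # Database of valid principals; verifies the single GSO ID and password.
    def __init__(self):
        self._principals = {}

    def register(self, gso_id, password, authorized):
        salt = os.urandom(16)
        self._principals[gso_id] = Principal(gso_id, salt, derive_key(password, salt, b"verify"), authorized)

    def authenticate(self, gso_id, password):
        p = self._principals.get(gso_id)
        if p is not None and hmac.compare_digest(p.verifier, derive_key(password, p.salt, b"verify")):
            return p
        return None  # unknown principal or wrong password: no sign-ons are issued

    @staticmethod
    def is_authorized(principal, target, operation):
        return operation in principal.authorized.get(target, set())

def keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

class PersonalKeyManager:
    # Each user's target passwords, sealed (encrypt-then-MAC) under the vault key.
    def __init__(self):
        self._vault = {}  # (gso_id, target) -> (nonce, ciphertext, tag)

    def store(self, principal, gso_password, target, target_password):
        key = derive_key(gso_password, principal.salt, b"vault")
        nonce, pt = os.urandom(16), target_password.encode()
        ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
        self._vault[(principal.gso_id, target)] = (nonce, ct, hmac.new(key, nonce + ct, "sha256").digest())

    def has_credential(self, principal, target):
        return (principal.gso_id, target) in self._vault

    def retrieve(self, principal, gso_password, target):
        nonce, ct, tag = self._vault[(principal.gso_id, target)]
        key = derive_key(gso_password, principal.salt, b"vault")
        # A wrong vault key or an altered record fails here instead of being replayed.
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
            raise ValueError("stored credential for %s failed its integrity check" % target)
        return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))).decode()

class LogonCoordinator:
    # Authenticates once, then uses the CIM's per-target logon methods (here a
    # plain dict: target name -> callable) for every target the user may access.
    def __init__(self, auth, pkm, cim):
        self.auth, self.pkm, self.cim = auth, pkm, cim

    def sign_on(self, gso_id, gso_password):
        principal = self.auth.authenticate(gso_id, gso_password)
        if principal is None:
            raise PermissionError("GSO authentication failed for %s" % gso_id)
        results = {}
        for target in principal.authorized:
            if self.pkm.has_credential(principal, target):
                secret = self.pkm.retrieve(principal, gso_password, target)
                results[target] = self.cim[target](gso_id, secret)
        return results

def make_target(expected_password):
    # Constructed target system: accepts the logon only if the password matches.
    return lambda user, password: hmac.compare_digest(password.encode(), expected_password.encode())

def run_demo():
    auth, pkm = GSOAuthentication(), PersonalKeyManager()
    cim = {"library-catalog": make_target("lib-pw-1"), "payroll-db": make_target("pay-pw-2")}
    auth.register("jdoe", "one-gso-password", {"library-catalog": {"read"}, "payroll-db": {"read", "update"}})
    jdoe = auth.authenticate("jdoe", "one-gso-password")
    pkm.store(jdoe, "one-gso-password", "library-catalog", "lib-pw-1")
    pkm.store(jdoe, "one-gso-password", "payroll-db", "pay-pw-2")
    coordinator = LogonCoordinator(auth, pkm, cim)
    return {
        "sign_ons": coordinator.sign_on("jdoe", "one-gso-password"),
        "may_update_library": auth.is_authorized(jdoe, "library-catalog", "update"),
        "may_update_payroll": auth.is_authorized(jdoe, "payroll-db", "update"),
    }
```

Calling run_demo() returns the per-target sign-on results for the constructed user; a wrong GSO password is rejected before any credential is read, and a stored credential that has been altered, or is read with the wrong vault key, fails its integrity check rather than being replayed to a target. The point worth carrying into the test procedures the Disclaimer calls for is that, in this architecture, the GSO password and the PKM store are the one place whose compromise exposes every target password, so their protection deserves the closest scrutiny.
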
Open Software Foundation Distributed Computing Environment (OSF DCE)

Open Software Foundation (OSF):

Founded in 1988, OSF hosts industry-wide, collaborative, software research and development for the distributed computing environment. The Open Group was formed in February 1996 by the consolidation of the two leading open systems consortia, X/Open Company Ltd (X/Open) and the Open Software Foundation (OSF). Under the Open Group umbrella, OSF and X/Open work together to deliver technology innovations and wide-scale adoption of open systems specifications. Dedicated to the advancement of multi-vendor information systems, The Open Group is an international consortium of vendors, ISVs and end-user customers from industry, government, and academia. (http://www.rdg.opengroup.org/press/glance.htm)

Distributed Computing Environment (DCE):

DCE is a suite of integrated software services that is part of a computing system's infrastructure.

The DCE services include:

Remote procedure call (RPC) -- which facilitates client-server communication, so that an application can effectively access resources distributed across a network.

Security Service -- authenticates the identities of users, authorizes access to resources on a distributed network, and provides user and server account management.

Directory Service -- provides a single naming model throughout the distributed environment.

Time Service -- synchronizes the system clocks throughout the network.

Threads Service -- provides multiple threads of execution capability.

Distributed File Service -- provides access to files across a network.

(http://www.osf.org/comm/lit/TOG-DCE-PD-1296.htm#sec)

Proposed Implementation Plan

After careful consideration of available budget and personnel resources, we determined that the most efficient approach to implementing a test environment as a proof-of-concept would be to implement a DCE authentication services facility on an RS/6000 running AIX and define a prototype for a campus-wide DCE cell. This cell could include UNIX, Novell, and NT servers, as well as WWW authentication services.

Phase I: Prototype (target 1/15/98)

Goal: Proof-of-concept of single sign-on with GSO.

Phase II: Production (target 03/15/98)

Goal: Bring Authentication Services to production status.

Phase III: Enabling the technology (target 08/31/98)

Goal: Enable other servers and platforms

Estimated Implementation Cost

Software Costs

This implementation would require most of the following software to be installed from HESC Platform I-J.

Current annual cost of HESC I-J is $7,420.

Cost of IBM Global Sign-On for AIX is $1,999.

Cost of use authorization for 10 registered users for testing purposes is $919.

No additional cost is necessary to support other target systems or the RS/6000 security server since DCE Client Runtime Support is part of AIX.

Appendix: University Library Requirements

Appendix: School of Business Administration Authentication Services Requirements