id-cloud message



Subject: IDcloud Use-Case



Folks,

Here is my first cut of a "Kerberos-in-the-Cloud" use case.
Still rough. Please feel free to improve/suggest and add text.

Regards.

/thomas/

------------------------------------------
Use Case: Kerberos-in-the-Cloud Services

Today over 60% of medium to large enterprises deploy the Kerberos authentication protocol as the primary user authentication method on a daily basis. Furthermore, access to many intra-enterprise resources and services is based on a single-sign-on (SSO) capability built using Kerberos as an underlying authentication mechanism.

Many Enterprises already deploying large Kerberos authentication infrastructures seek to extend the usage of their infrastructure to provide their employees/customers with access to external services provided by their affiliates and partners in business. Furthermore, for scaling and performance reasons they seek to use identity providers and cloud-authentication services that support/implement Kerberos authentication (for ease of interoperability with their existing Enterprise Kerberos infrastructure).

A Kerberos-in-the-cloud service would therefore be attractive (to an Enterprise) not only for the Enterprise employees seeking services (outbound), but also for Customers of the enterprise who wish to access services offered by that enterprise (inbound). If a new Customer were already a user of the Kerberos-in-the-Cloud service (one that was acceptable/trusted by the Enterprise), that Customer could leverage the cloud service for SSO to the Enterprise service. An example in this case would be a company (Enterprise) providing financial services, both to other corporations (e.g. corporate 401K management), as well as to individual consumers (e.g. individual roll-over 401K accounts). This company/Enterprise would have partnerships with other financial institutions (e.g. investment firms).

Although the Kerberos-in-the-Cloud service is an attractive service, there are a number of open technical issues requiring solutions:

(a) Identity definition and attributes: One key issue is that of the identity type/format/scope relating to Kerberos principal names when deployed in a cloud environment. Related to this are the attributes and other authorization parameters pertaining to the Kerberos principal as found today in Kerberos V5 tickets and their usage in cloud environments.

(b) Identity metadata exchange: Another problem area is the provisioning of Kerberos identities in the cloud, and the sharing/exchange of identity metadata between the cloud service and the Enterprise employees & customers. Some method of mapping internal employee Kerberos names to cloud identities is required. Furthermore, privacy of such identities may become a requirement on the part of the Enterprise seeking to use that service.

(c) Cross-realm trust: Another problem is the establishment of trust (including symmetric key establishment) between the Enterprise and the cloud service. One aspect of this problem is the need for a mechanism for discovery of Kerberos-in-the-cloud configuration parameters by Enterprises and consumer-users alike.

(d) Interaction with other identity standards: If a Kerberos-in-the-cloud service chooses to also play the role of an identity provider within an Identity Federation system, there is the possibility that other members of the federation may deploy a different identity standard. Thus, interoperability is a key issue that must be addressed.
------------------------------------------


PS. I'll add more items and text as we go along...

/thomas/



__________________________________________
Thomas Hardjono
MIT Kerberos Consortium
Massachusetts Institute of Technology
77 Massachusetts Ave W92-152
Cambridge, MA 02139

email:  hardjono[at]mit.edu
desk:    +1 617-715-2451
__________________________________________
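The name mapping called for in item (b) and the trusted-realm check implied by the cross-realm trust in item (c) of the use case above, worked through as an added example that is not part of the original message and is not code from the MIT Kerberos Consortium. The realms CLOUD.EXAMPLE, PARTNER.EXAMPLE and EVIL.EXAMPLE, the rule table and the cloud-/partner- identity prefixes are all constructed for illustration; the rule format is a simplified stand-in for MIT krb5's auth_to_local rules, not that syntax. The parser honours backslash escapes in principal names because a naive split on '@' would assign a name such as alice\@CLOUD.EXAMPLE@EVIL.EXAMPLE to the wrong realm, which is exactly the kind of identity-scope ambiguity item (a) raises.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """A parsed Kerberos V5 principal: name components plus realm."""
    components: tuple
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2/...@REALM' into its parts.

    Backslash escapes are honoured (simplification: the escaped character is
    taken literally), so an escaped '@' or '/' inside a component is not
    mistaken for a separator.  A naive text.split('@') would attribute such
    a name to the wrong realm.
    """
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError(f"dangling escape in principal: {text!r}")
            buf.append(text[i + 1])
            i += 2
            continue
        if ch in "/@":
            if in_realm:
                raise ValueError(f"unescaped separator inside realm: {text!r}")
            components.append("".join(buf))
            buf = []
            in_realm = ch == "@"
        else:
            buf.append(ch)
        i += 1
    if not in_realm:
        raise ValueError(f"principal has no realm: {text!r}")
    realm = "".join(buf)
    if not realm or not all(components):
        raise ValueError(f"empty realm or component in principal: {text!r}")
    return Principal(tuple(components), realm)


# Constructed trust configuration on the Enterprise side: only realms with an
# established cross-realm relationship (item (c)) are accepted at all.
TRUSTED_REALMS = frozenset({"CLOUD.EXAMPLE", "PARTNER.EXAMPLE"})

# Constructed mapping rules (item (b)): (realm, component count, regex over the
# unescaped components joined with '/', template for the enterprise identity).
# Simplified stand-in for MIT krb5 auth_to_local rules; not that syntax.
MAPPING_RULES = (
    ("CLOUD.EXAMPLE",   1, r"([a-z][a-z0-9.-]*)",      r"cloud-\1"),
    ("PARTNER.EXAMPLE", 2, r"([a-z][a-z0-9.-]*)/corp", r"partner-\1"),
)


def map_to_enterprise_identity(principal_text: str,
                               trusted_realms=TRUSTED_REALMS,
                               rules=MAPPING_RULES) -> Optional[str]:
    """Return the enterprise identity for a cloud principal, or None.

    Default deny: None for malformed names, for realms outside the configured
    cross-realm trust, and for names that match no explicit rule.
    """
    try:
        principal = parse_principal(principal_text)
    except ValueError:
        return None
    if principal.realm not in trusted_realms:
        return None
    local = "/".join(principal.components)
    for realm, ncomp, pattern, template in rules:
        if realm != principal.realm or ncomp != len(principal.components):
            continue
        match = re.fullmatch(pattern, local)
        if match:
            return match.expand(template)
    return None


if __name__ == "__main__":
    # Constructed sample principals, including an escaped '@' inside a name.
    for name in ("alice@CLOUD.EXAMPLE", "bob/corp@PARTNER.EXAMPLE",
                 "mallory@EVIL.EXAMPLE", r"alice\@CLOUD.EXAMPLE@EVIL.EXAMPLE",
                 "alice/admin@CLOUD.EXAMPLE"):
        print(f"{name:45} -> {map_to_enterprise_identity(name)}")
```

The component-count field in each rule mirrors the [n:...] selector of auth_to_local and is what keeps a two-component name like alice/admin from matching the single-component user rule; without it, a service or admin instance from the cloud realm could be silently mapped onto an ordinary enterprise user identity.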



