WebISO: Web Application Agent (WAA) Questionnaire

Bluestem System
University of Illinois
https://www-s.uiuc.edu/bluestem/notes/overview.html
October 7, 2002

> 1. Model & Capabilities of the Web Authentication Agent (WAA)
> 1.1 Which high-level integration model(s) does your WAA support?
>     [x] Server module
>         [x] Apache 1.3
>         [ ] Apache 2.0
>         [ ] Java Servlet
>         [ ] Microsoft ISAPI
>         [ ] Other

There is a contributed mod_bluestem Apache module.

>     [x] Developer's API
>         [ ] C/C++
>         [ ] Java/JSP
>         [x] Perl
>         [ ] Python
>         [x] Other

Bluestem is distributed with out-of-the-box support for Perl CGI and
VBScript ASP APIs, plus an application (the "document server") that can
be used to provide authentication for CGIs written in any language.
There is also a lower level API ("the little Bluestem API") that
departmental developers have used to "port" Bluestem authentication to
other development environments such as Java, PHP, and ColdFusion.

>
> 1.2 If applicable, describe the method(s) your
>     WebISO solution provides for the WAA
>     to handle N-tier (proxied, delegated)
>     authentication (cf
>     http://middleware.internet2.edu/webiso/docs/draft-lajoie-trust_and_delegation-02.html):
>

Not applicable.

> 2. Authentication Request
> 2.1 Describe the API your WAA provides to Web
>     applications to initiate authentication.
>     What functions can it invoke? What parameters
>     can it pass?
>

See the API notes at https://www-s.uiuc.edu/bluestem/notes/

> 2.2 Describe any other options your WAA provides
>     to Web applications to influence the authentication
>     process. For example, can it request the
>     technology or policy used to handle authentication?
>

A user can select which authentication method to use at login time. The
Bluestem API returns the method used to the application, so a specific
method of authentication can be required.

> 3. Authentication Delivery
> 3.1 Describe the information delivered by your
>     WAA to Web applications:
>
> 3.1.1 What user information is provided to the
>       application? What is the format? How does it
>       relate to the identifier presented to the
>       verification backend?
>

See https://www-s.uiuc.edu/bluestem/notes/perl-api.html#Parse

> 3.1.2 Does the WAA deliver additional user attributes
>       (e.g., lookup key value associated with login
>       identifier, studentid, group membership)? What is
>       the format of this?
>
> 3.1.3 Can additional information be delivered on request?
>

No. Bluestem currently provides authentication information only.

> 3.2 Describe the means by which your WAA provides
>     authentication information to your application.
>     Please be as specific as possible.
>

As an array returned by an API function. For the "little Bluestem API",
the authentication and session information is available in a small
cachefile maintained by the WAA.

> 4 Authentication Session
> 4.1 Briefly describe how authentication session
>     information is maintained (if not already covered
>     in section 2 above):
>

A session cookie set by the WAA provides the session start time and the
name of a timestamped cachefile maintained by the WAA.

> 4.2 Is it possible for an application to set the
>     session duration? If not already covered above,
>     please describe:
>

Yes. Session time and time since previous visit are returned by the
APIs.

> 4.3 Is it possible to terminate authentication session
>     globally? How is that information conveyed to the
>     application?
>

No.

> 5. Messaging (Weblogin Service (WLS) <-> WAA)
> 5.1 Describe the message format used between your
>     WAA and weblogin service to request and
>     receive authentication information:
>
> 5.2 Describe the protocol used by the WAA to handle
>     the above (e.g. SAML POST Profile):
>

See https://www-s.uiuc.edu/bluestem/notes/protocol.html#BQP

In a future release, this protocol will be replaced by an XML-RPC
request from the login service to the WAA.

> 6. Wish List
> 6.1 What changes or additions to the services provided
>     by the WAA would you like to see in your system?
>

A parallel API for authorization attributes leveraging the existing
infrastructure for WAA server registration, crypto, and key management.

> 6.2 At a high level, what other changes would you like to
>     see in your system?
>
>

Ed Kubaitis
UIUC WWW Identification Service - bluestem@uiuc.edu
CITES/STS - University of Illinois at Urbana-Champaign