WebISO: Web Application Agent (WAA) Questionnaire
University of Texas Health Science Center at Houston
Prepared by Barry R Ribbeck, 2003-01-08

1. Model & Capabilities of the Web Authentication Agent (WAA)

1.1 Which high-level integration model(s) does your WAA support?

[x] Server module
    [ ] Apache 1.3
    [ ] Apache 2.0
    [x] Java Servlet
    [ ] Microsoft ISAPI
    [ ] Other
[x] Developer's API
    [ ] C/C++
    [x] Java/JSP
    [ ] Perl
    [ ] Python
    [ ] Other

1.2 If applicable, describe the method(s) your WebISO solution provides for the WAA to handle N-tier (proxied, delegated) authentication (cf. http://middleware.internet2.edu/webiso/docs/draft-lajoie-trust_and_delegation-02.html):

Only works with publicly rooted PKI that are accepted via bilateral agreements with our institution. If authN is done via uid/password and the requestor is not in our LDAP, then we are looking at Shibboleth to provide access to non-PKI authenticating groups.

2. Authentication Request

2.1 Describe the API your WAA provides to Web applications to initiate authentication. What functions can it invoke? What parameters can it pass?

Users authenticate against our LDAP for internal users over an SSL connection, or directly against the web server with a Digital ID and JSP. The server generally uses passthrough authN for applications, or the authN is added as a JSP tag if it is a web-based app.

2.2 Describe any other options your WAA provides to Web applications to influence the authentication process. For example, can it request the technology or policy used to handle authentication?

None I am aware of at this time.

3. Authentication Delivery

3.1 Describe the information delivered by your WAA to Web applications:

3.1.1 What user information is provided to the application? What is the format? How does it relate to the identifier presented to the verification backend?

For PKI authN, the user presents their DID, which is validated first. Then the email address, which is internally unique in our LDAP, is parsed from the cert and used to identify the user's current status in the institution. If the DID is valid and the user has a valid current status in the LDAP, they are authenticated. For LDAP authN, the user presents their uid/password over SSL to the application, which then validates the user-presented credentials and provides a boolean response.

3.1.2 Does the WAA deliver additional user attributes (e.g., lookup key value associated with login identifier, studentid, group membership)? What is the format of this?

Yes, LDAP schema extended attributes for authZ are used for role-based access to restricted apps, resources, etc.

3.1.3 Can additional information be delivered on request?

Yes

3.2 Describe the means by which your WAA provides authentication information to your application. Please be as specific as possible.

Java apps in the form of servlets or JSPs use a set of home-grown classes to authenticate users in the LDAP or via DID. Session information is kept that includes an LDAP object of the authenticated user. Sun One web server ACI-restricted sites use Sun's internal passthrough authN for access to the application.

4. Authentication Session

4.1 Briefly describe how authentication session information is maintained (if not already covered in section 2 above):

Sessions have a timeout period based on the sensitivity of the application. A logout or restart of the web service forces the user to reauthenticate.

4.2 Is it possible for an application to set the session duration? If not already covered above, please describe:

Yes

4.3 Is it possible to terminate authentication sessions globally? How is that information conveyed to the application?

A restart of the web server, and therefore a restart of the associated servlets in memory, will cause a global termination of sessions.

5. Messaging (Weblogin Service (WLS) <-> WAA)

5.1 Describe the message format used between your WAA and weblogin service to request and receive authentication information:

These are generally the same code run in each different application, so it is internal to the Java app or

5.2 Describe the protocol used by the WAA to handle the above (e.g. SAML POST Profile):

N/A

6. Wish List

6.1 What changes or additions to the services provided by the WAA would you like to see in your system?

The ability to control users' use of JSPs for security reasons.

6.2 At a high level, what other changes would you like to see in your system?

We are working on getting our PKI-authenticated applications shibbolized to allow sister institutions to participate. My wish list would include having the time to work on the specific details of PKI-authenticated services within the confines of SHIB.
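As an added illustration (not the institution's home-grown Java classes described in 3.2, and written in Python rather than Java), the following models the two authentication paths described in 3.1.1 and the session rules in 4.1 to 4.3: a DID is validated first, the email parsed from it must map to a directory entry with current status, the uid/password path answers only with a boolean, and sessions expire on a timeout tied to application sensitivity, are dropped on logout, and are all terminated by a restart. The trusted-root list, the directory entries, the DigitalID record standing in for the client certificate, and the timeout tiers are constructed assumptions, not values from the questionnaire.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed: CAs accepted under bilateral agreement (section 1.2).
TRUSTED_ROOTS = {"Example Public CA"}


def _pwhash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the institutional LDAP, keyed by the
# internally unique email address (3.1.1). "status" is the current-status
# attribute; "roles" stands in for the authZ schema extensions (3.1.2).
DIRECTORY = {
    "alice@example.edu": {"uid": "alice", "status": "active", "salt": "s1",
                          "pwhash": _pwhash("s1", "correct horse"),
                          "roles": ["clinician"]},
    "bob@example.edu": {"uid": "bob", "status": "terminated", "salt": "s2",
                        "pwhash": _pwhash("s2", "hunter2"), "roles": []},
}
UID_INDEX = {e["uid"]: email for email, e in DIRECTORY.items()}


@dataclass(frozen=True)
class DigitalID:
    """Constructed stand-in for the client certificate (DID)."""
    subject_email: str
    issuer: str
    not_after: float      # epoch seconds
    revoked: bool = False


def did_is_valid(did: DigitalID, now: float) -> bool:
    """Step 1 of the PKI path: the DID is checked before the directory is consulted."""
    return did.issuer in TRUSTED_ROOTS and did.not_after > now and not did.revoked


def pki_authenticate(did: DigitalID, now: float) -> Optional[dict]:
    """PKI authN: valid DID, then the cert's email must map to a current LDAP entry.
    Returns the directory entry (the "LDAP object" kept in the session) or None."""
    if not did_is_valid(did, now):
        return None
    entry = DIRECTORY.get(did.subject_email.lower())
    if entry is None or entry["status"] != "active":
        return None
    return entry


def password_authenticate(uid: str, password: str) -> bool:
    """LDAP authN: uid/password presented over SSL; the answer is only a boolean.
    Assumption: a non-current account fails even with the right password."""
    email = UID_INDEX.get(uid)
    if email is None:
        return False
    entry = DIRECTORY[email]
    if entry["status"] != "active":
        return False
    return hmac.compare_digest(entry["pwhash"], _pwhash(entry["salt"], password))


# Constructed timeout tiers in seconds; 4.1 only says the period depends
# on the sensitivity of the application.
TIMEOUTS = {"low": 8 * 3600, "medium": 3600, "high": 15 * 60}


class SessionStore:
    """In-memory sessions (4.1/4.3): a web server restart empties this store."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, entry: dict, sensitivity: str, now: float,
               duration: Optional[int] = None) -> str:
        # 4.2: an application may set its own duration instead of the tier default.
        sid = secrets.token_hex(16)
        expires = now + (duration if duration is not None else TIMEOUTS[sensitivity])
        self._sessions[sid] = {"user": entry, "expires": expires}
        return sid

    def user(self, sid: str, now: float) -> Optional[dict]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s["expires"]:
            del self._sessions[sid]   # expired: the user must reauthenticate
            return None
        return s["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def restart(self) -> None:
        self._sessions.clear()        # 4.3: global termination of all sessions
```

A point worth noting from the model: the DID check and the directory status check are independent gates, so a certificate that is still cryptographically valid does not admit a person whose institutional status has lapsed, and a terminated account cannot re-enter by the password path either.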