Siteminder/OpenID
Anthony Fletcher
Division of Computational Bioscience
Center for Information Technology
mAdb Microarray Data Management & Analysis System
• Has 200 active users at any one time
• Users come and go depending on the stage of their research
• 20%-30% are external users
• There are users from Germany, Italy, Spain, Chile etc.
• Many external users were once at NIH
• All external users have an NIH sponsor
Human Salivary Proteome Project
CIT and NIDCR
• Expect approximately 50 to 100 users
• Most users from outside NIH, some outside USA
• Users invited by NIDCR
How do we handle external users?
• inCommon Federation
  – Not every organisation belongs
• NIHext LDAP
  – Cumbersome to enter user information
• OpenID
  – Choose Google, Yahoo!, VeriSign, PayPal
  – Not a free ride; a lot of information is missing or wrong
Authentication and Authorisation
• Authentication: who is this person?
• Authorisation: shall we let this person in?
OpenID provides authentication not authorisation. Each application still has to authorise users.
What do you get? NIH Staff
• First name
• Last name
• All of my NIH information :-)
What do you get? Google
Yahoo! is similar
What do you get? VeriSign
Email address is at user’s discretion, and may not even be valid
PayPal is similar
What can you rely on?
You can only rely on:
• Persistent ID (HTTP_FED_PERSIST_ID header)
  – https://openid.paypal-ids.com/?jwDOK7gSp3GHu7gAxPJmt0RI1CWmd2JFuK02i23TYeY=
• User UPN (HTTP_USER_UPN header)
  – Generated by CIT/DECA
  – user_31@federation_1.nih.gov
Use these as your user identification
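As an added example (not code from the presentation), one way an application could do its own authorisation keyed on these two headers rather than on provider-supplied name or email. It assumes the application is reachable only through the SiteMinder-protected front end, so a client cannot supply the headers itself; the registry, the decision names and the sponsor field are hypothetical.

```python
# Added example (not from the slides): authorisation keyed on the two
# federation headers. Registry layout, decision names and the sponsor
# field are assumptions made for illustration.
PERSIST_HEADER = "HTTP_FED_PERSIST_ID"   # header name from the slide
UPN_HEADER = "HTTP_USER_UPN"             # header name from the slide


class Registry:
    """In-memory stand-in for the application's own user table."""

    def __init__(self):
        self._users = {}  # persistent ID -> registration record

    def register(self, persist_id, upn, name, email, sponsor):
        # Name, email and sponsor are collected from the user at
        # registration, not taken from the OpenID provider.
        self._users[persist_id] = {"upn": upn, "name": name, "email": email,
                                   "sponsor": sponsor, "approved": False}

    def approve(self, persist_id):
        self._users[persist_id]["approved"] = True

    def lookup(self, persist_id):
        return self._users.get(persist_id)


def authorise(environ, registry):
    """Return 'allow', 'pending', 'register' or 'deny' for one request."""
    persist_id = environ.get(PERSIST_HEADER, "").strip()
    upn = environ.get(UPN_HEADER, "").strip()
    if not persist_id or not upn:
        return "deny"        # request did not come through the login layer
    record = registry.lookup(persist_id)
    if record is None:
        return "register"    # authenticated, but unknown to this application
    if record["upn"] != upn:
        return "deny"        # assumption: the ID/UPN pair is stable per user
    return "allow" if record["approved"] else "pending"


# Constructed sample values, shaped like the ones on the slide.
SAMPLE_ENV = {PERSIST_HEADER: "https://openid.example.org/?CONSTRUCTED-ID=",
              UPN_HEADER: "user_0@federation.example"}

if __name__ == "__main__":
    reg = Registry()
    print(authorise(SAMPLE_ENV, reg))
    reg.register(SAMPLE_ENV[PERSIST_HEADER], SAMPLE_ENV[UPN_HEADER],
                 "A. User", "a.user@example.org", "sponsor@example.org")
    print(authorise(SAMPLE_ENV, reg))
```

A first visit returns 'register', a registered but unapproved identity returns 'pending', and only an approved record yields 'allow'.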
OpenID Pros
• No need to manage user passwords
• Users are able to freely get accounts with these four vendors
• Open to every user
• Many users already have accounts
OpenID Cons
• Lack of information being passed through
• Still need to collect information from the user when identity is registered
• Persistent ID is not as pretty as a username
Progress
• mAdb are well on their way to implementing this for their external users
• HSPP currently use inCommon but will need to use OpenID for some of their users
• Other CIT/DCB projects are using NIHext, where OpenID would be a better option
In Conclusion
• NIHlogin is easy to use
• OpenID works with NIHlogin
• OpenID is an excellent replacement for NIHext, or otherwise managing accounts, for low assurance Web applications
Questions