UTORauth
Russell Sutherland, Paul Fardy, Matthew Wilks
TechKnowfile 2005

Copyright Russell Sutherland, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Three Important Ideas
- Identification: who one is (e.g. Name: Alfred E. Newman, DOB: 1952-11-30)
- Authentication: proof of identity (a passport; an identifier + password)
- Authorization: the privileges associated with an identity (access to restricted rooms; free beer on Fridays)

Identification
Each person receives the following identifiers upon entrance to the UTORauth system: UTID, UTORid, Barcode.

UTID
- 10 digit system identifier, e.g. 1002348215
- Assigned on the basis of name, date of birth and SIN number [optional]
- Static and not reusable
- One UTID per person; never re-issued to another

UTORid
- 8 character alphanumeric string, e.g. vernejul, smithk35, newmana
- Based on the name of the person
- Known to the person
- Assigned to all new employees and students
- Reusable
- Active for the UofT lifetime of the person
- Issuance: students via the TCard Office; employees via the Business Officer
- Network identifier for services: UTORmail, PAF, UTORvpn, etc.

UTORid Activation
- Secret Activation Key [SAK]: a one-time password, issued with the UTORid and used to activate it
- Activation is a one-time event: the user selects a password and an email address
- Performed via a secure WWW session

Barcode
- 16 digit number, e.g. 2176101152459600
- Used by the Library and other services
- Written on to the magnetic stripe
- The library number is embedded: 217610 11524596 00

Authorization: UTORable
- A central repository of information relating to the state and properties of persons: is_student, program of study, barcode, email address
- Referenced by UTORid or UTID

UTORable Access
- Access limited to registered clients, i.e. UofT departments etc.
- No access to end users
- Clients have limited access and create their own rules for their own users, e.g. is_student + enrolled in MAT133Y

UTORable Data
- Data available on a batch basis: rules determined by the client; delivered on a daily basis; protocol: ftp, ssh, scp
- Data available on an interactive basis: LDAP; APIs available for PHP/Perl/C etc.
- Read only in most cases

UTORable: Contents I
Loads and loads of stuff available:
- Identifiers: UTID, UTORid (usually used as indices)
- Barcode
- Student number
- Employee number

UTORable: Contents II
A torrent of ROSI data:
- Program of study
- Current session course lists
- Registration code
- Available for multiple sessions

Current UTORable Users (Interactive)
- Information Commons: TCard Office/Library, web-based information lookup
- Federated Colleges: creating and managing TCards and Library Cards
- IC Help Desk: Public Access Facilities, authentication/authorization to computers
- Web-based Faculty/Staff management
- AMS: real-time generation of UTORid/barcodes for new staff and faculty (using SOAP)

Current UTORable Users (Batch I)
- ECF: students and staff for the Locknetics project in the Bahen centre; also, course listings for CCNet
- UofT Police: all students/staff/faculty; proximity card project
- CQUEST: Fac. of Arts and Sci. students, to create CQUEST accounts
- UTM: used to drive the UTM shuttle bus service
- Hart House: list of current students, to permit access to facilities

Current UTORable Users (Batch II)
- Athletic Centre: current students, used to permit access to facilities
- STORM: course listings for a number of Physics courses; STORM provides websites for professors
- UTORcwn & UTORdial services: lists of students/staff that use the services, along with their UTORids
- UTSC: Scarborough students, used to create computer accounts
- CDF: listing of all computer science students

A PHP-Based Example
CNS provides a simple PHP module for UTORable access, which can be downloaded from:
http://madhaus.cns.utoronto.ca/utorauth/pub/LDAP.php

Once you have downloaded this module, put your username and password into the file by changing the lines:

    $this->ldap_user = "cn=<your_username>," . $ldap_base;
    $this->ldap_pass = "<your_password>";

A PHP-Based Example (continued)

    <?php
    # load the CNS module downloaded above (the file holds your credentials).
    require_once 'LDAP.php';

    # create a new LDAP object that will be used to query
    # UTORable for a UTORid.
    $ldap = new LDAP('utorid');

    # connect to the LDAP server, using the username and
    # password you specified in the module.
    $ldap->connect();

    # fetch any data that exists for UTORid 'leeterry'.
    $ldap->fetch('leeterry');

    # check to see if this is a full time student.
    # allow_access() and disallow_access() are the application's own functions.
    if ( $ldap->att('isstudent') && $ldap->att('attendance') == 'FT' )
        allow_access();
    else
        disallow_access();

Authentication
- Authenticate by providing UTORid and password.
- As mentioned, the Secret Activation Key provides initial authentication.
- Campus-wide Web Login service is provided by https://weblogin.utoronto.ca/ (Pubcookie)

Web Login for Users
- A single login page can authenticate for any utoronto.ca web service.
- Input your UTORid and password once only to access several services.
- Uses the web browser's cookies to hold authentication data.
- Exit the browser to remove these special cookies from the browser cache.

Web Login for Service Providers
- A web application can delegate authentication to weblogin.utoronto.ca.
- Implemented using Pubcookie: http://www.pubcookie.org/
- Implemented in an Apache or IIS module that must be installed on the application web server.
- Provides the authenticated UTORid (as REMOTE_USER), but not authorization.

Role of Kerberos
- Kerberos underlies the technology behind Web Login
- Expect most applications to use Web Login
- Exploring support for UTORids with departmental Unix/Linux via PAM Kerberos
- Exploring support for UTORids with MS Active Directory via Kerberos
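The split the slides describe, authentication yielding a UTORid in REMOTE_USER and authorization being a client-defined rule over UTORable attributes, as an added example (not code from the slides or from CNS). The records are constructed stand-ins for UTORable LDAP entries; the attribute names isstudent and attendance follow the PHP example, while courses is an assumed name for the ROSI course list.

```python
"""Added example: authorization over constructed UTORable-style records."""
import os

# Constructed sample records standing in for UTORable entries keyed by UTORid.
# 'courses' is an assumed attribute name; 'isstudent'/'attendance' follow the slides.
UTORABLE = {
    "leeterry": {"isstudent": True, "attendance": "FT", "courses": ["MAT133Y", "CSC108H"]},
    "smithk35": {"isstudent": True, "attendance": "PT", "courses": ["MAT133Y"]},
    "newmana":  {"isstudent": False, "attendance": None, "courses": []},
}


def fetch(utorid):
    """Return the record for a UTORid, or None when UTORable has no entry for it."""
    return UTORABLE.get(utorid)


def full_time_student(entry):
    """The rule from the PHP example: a student whose attendance is full time."""
    return bool(entry.get("isstudent")) and entry.get("attendance") == "FT"


def student_in_course(entry, course):
    """The rule the slides give as 'is_student + enrolled in <course>'."""
    return bool(entry.get("isstudent")) and course in entry.get("courses", [])


def authorize(remote_user, rule):
    """Authorization decision for an already-authenticated UTORid.

    Web Login only proves who the user is; the client supplies the rule.
    Missing identity or an unknown UTORid is denied rather than guessed at.
    """
    if not remote_user:
        return False  # no authenticated identity, nothing to authorize
    entry = fetch(remote_user)
    if entry is None:
        return False  # authenticated at weblogin, but no UTORable record
    return rule(entry)


def decide_from_environment(rule, environ=None):
    """Read the UTORid that the Pubcookie module exposes as REMOTE_USER."""
    env = os.environ if environ is None else environ
    return authorize(env.get("REMOTE_USER"), rule)


if __name__ == "__main__":
    for uid in ("leeterry", "smithk35", "newmana", "nobody"):
        print(uid, authorize(uid, full_time_student),
              authorize(uid, lambda e: student_in_course(e, "MAT133Y")))
```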