What this is: The OSIdM4HE work has identified "Authentication" as a significant element of an IAM system. Unlike the other areas, no team has yet been convened to look at authentication-related requirements and gaps. This page collects some initial items in this area to invite further discussion and participation, and the eventual formation of a subteam and workstream.
Authentication Functional Model Concepts
account, subscriber
credentials, credential assignment, credential store
authentication service
authentication protocols, federated authentication
password-based authentication
strong authentication, PKI, two-factor, hard/soft tokens
web-redirect-based authentication
password management, key management
monitoring and risk-based authentication
assurance
Authentication System Requirements / Gaps / Opportunities
password management: a collection of utilities dealing with password changing and resetting.
- web-based user password change: strength meter, dictionary checking, etc.
- web-based user forgotten-password reset: challenge questions (knowledge-based), SMS one-time code, etc. (all of these are weaker than a registered second factor; rate-limit and log them)
- helpdesk user password reset: verification of the caller's identity, logging, mail trail, etc.
- password policy management: notifications, service shutoff, role-based strength enforcement, etc.
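As an added illustration of the "strength meter, dictionary checking, role-based strength enforcement" items above (example code written for this page, not an OSIdM4HE deliverable or any product's code), the following server-side check combines a role-dependent minimum length, a dictionary check that also catches leet-speak and trailing-digit variants, a username-reuse check, and a simple 0..4 strength-meter value. The common-password list and the role table are constructed for illustration; a real deployment would load a large breached-password list.

```python
"""Server-side password policy check for a web password-change page.

Added example, not code from the OSIdM4HE project: enforces a
role-dependent minimum length, rejects dictionary/common passwords
(including leet-speak and trailing-digit variants), rejects passwords
containing the username, and returns a 0-4 strength-meter value.  The
word list and role table below are constructed for illustration; a real
deployment loads a large breached-password list instead.
"""
import re
from dataclasses import dataclass, field

# Constructed sample dictionary (hypothetical entries).
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "welcome", "qwerty", "123456",
    "iloveyou", "admin", "changeme", "wildcats2012",
}

# Hypothetical role -> minimum length table (role-based strength enforcement).
ROLE_MIN_LENGTH = {"student": 10, "staff": 12, "admin": 16}

# Common leet substitutions folded back to letters before the dictionary check.
LEET = str.maketrans("@$01!357", "asoliest")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


@dataclass
class PolicyResult:
    ok: bool
    score: int                       # strength meter, 0 (weak) .. 4 (strong)
    problems: list = field(default_factory=list)


def normalize(pw: str) -> str:
    """'P@ssw0rd1' -> 'password': strip trailing digits, then fold leet-speak."""
    return re.sub(r"\d+$", "", pw).lower().translate(LEET)


def strength_score(pw: str) -> int:
    """Crude strength meter based on length and character-class variety."""
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    score = 0
    if len(pw) >= 8:
        score += 1
    if len(pw) >= 12:
        score += 1
    if classes >= 3:
        score += 1
    if len(pw) >= 16 and classes >= 2:   # long passphrases score well too
        score += 1
    return score


def check_password(pw: str, username: str, role: str = "student") -> PolicyResult:
    """Return whether pw is acceptable for this user/role, and the reasons if not."""
    problems = []
    min_len = ROLE_MIN_LENGTH.get(role, ROLE_MIN_LENGTH["student"])
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters required for role '{role}'")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common or dictionary password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    score = strength_score(pw)
    if score < 3:
        problems.append("too short or too few character classes")
    return PolicyResult(ok=not problems, score=score, problems=problems)


if __name__ == "__main__":
    for pw, user, role in [("P@ssw0rd1", "jsmith", "student"),
                           ("correct horse battery staple", "jsmith", "student"),
                           ("Tr0ub4dor&3", "root", "admin")]:
        r = check_password(pw, user, role)
        print(f"{pw!r:32} ok={r.ok} score={r.score} {r.problems}")
```

The dictionary check is done on the normalized form as well as the raw password, so "P@ssw0rd1" is rejected as "password"; the strength meter is deliberately simple and is only a hint to the user, the hard rules are the length, dictionary and username checks.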
strong authentication:
- 2- (or multi-) factor: integration of token/SMS/etc. schemes into web signon and other authn services (e.g. Kerberos, AD)
- PKI: cert issuance and management, client tools, policy management, integration, etc.
risk-based authentication:
- monitoring, threat assessment, mitigation methods
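To make "monitoring, threat assessment, mitigation methods" concrete, here is an added example (written for this page; not OSIdM4HE code or any product's implementation) of a small risk engine that scores each login attempt against the user's recent history and picks a mitigation: allow, step up to a second factor, or block. The signals are an unfamiliar network, an unfamiliar user agent, impossible travel between the last successful login and this one, and a burst of recent failures. The geolocation table, the weights and thresholds, and the login events are all constructed for illustration.

```python
"""Risk-based authentication: score login events and choose a mitigation.

Added example, not code from the OSIdM4HE project.  Each attempt is scored
against the user's history (unfamiliar network, unfamiliar device,
impossible travel, failed-attempt velocity); the score selects allow,
step-up (require a second factor) or block.  The geolocation table,
weights, thresholds and sample events are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Hypothetical geolocation lookup: /24 prefix -> (city, lat, lon).
GEO = {
    "198.51.100": ("Bloomington", 39.17, -86.53),
    "203.0.113":  ("Sydney", -33.87, 151.21),
    "192.0.2":    ("Chicago", 41.88, -87.63),
}

STEP_UP, BLOCK = 30, 60            # score thresholds (constructed)
FAIL_WINDOW = timedelta(minutes=10)
FAIL_LIMIT = 5
MAX_SPEED_KMH = 1000               # faster than this between logins = impossible travel


def _km(a, b):
    """Great-circle (haversine) distance in km between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def _prefix(ip):
    return ip.rsplit(".", 1)[0]


class RiskEngine:
    def __init__(self):
        self.known_ips = defaultdict(set)    # user -> /24 prefixes seen on successful logins
        self.known_uas = defaultdict(set)    # user -> user agents seen on successful logins
        self.last_login = {}                 # user -> (timestamp, (lat, lon))
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures

    def score(self, ev):
        """Return (score, [(reason, weight), ...]) for an attempt, before it is recorded."""
        user, ts, prefix = ev["user"], ev["ts"], _prefix(ev["ip"])
        reasons = []
        if self.known_ips[user] and prefix not in self.known_ips[user]:
            reasons.append(("new network", 20))
        if self.known_uas[user] and ev["ua"] not in self.known_uas[user]:
            reasons.append(("new device", 10))
        loc = GEO.get(prefix)
        if loc and user in self.last_login:
            prev_ts, prev_loc = self.last_login[user]
            hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 60)
            if _km(prev_loc, loc[1:]) / hours > MAX_SPEED_KMH:
                reasons.append(("impossible travel", 40))
        fails = self.failures[user]
        while fails and ts - fails[0] > FAIL_WINDOW:   # expire old failures
            fails.popleft()
        if len(fails) >= FAIL_LIMIT:
            reasons.append(("failed-attempt velocity", 30))
        return sum(w for _, w in reasons), reasons

    def decide(self, ev):
        """Score the attempt, pick an action, then record the outcome in history."""
        s, reasons = self.score(ev)
        action = "block" if s >= BLOCK else "step-up" if s >= STEP_UP else "allow"
        user = ev["user"]
        if ev["ok"] and action != "block":
            self.known_ips[user].add(_prefix(ev["ip"]))
            self.known_uas[user].add(ev["ua"])
            loc = GEO.get(_prefix(ev["ip"]))
            if loc:
                self.last_login[user] = (ev["ts"], loc[1:])
        elif not ev["ok"]:
            self.failures[user].append(ev["ts"])
        return action, s, [r for r, _ in reasons]


# Constructed sample events: jsmith logs in from Bloomington, then from Sydney
# an hour later on a new browser; alee has five failures then a success.
T0 = datetime(2012, 3, 1, 9, 0)
EVENTS = [
    {"ts": T0, "user": "jsmith", "ip": "198.51.100.7", "ua": "Firefox/10", "ok": True},
    {"ts": T0 + timedelta(hours=3), "user": "jsmith", "ip": "198.51.100.7", "ua": "Firefox/10", "ok": True},
    {"ts": T0 + timedelta(hours=4), "user": "jsmith", "ip": "203.0.113.9", "ua": "Chrome/17", "ok": True},
] + [
    {"ts": T0 + timedelta(hours=5, minutes=i), "user": "alee", "ip": "192.0.2.50", "ua": "curl/7", "ok": False}
    for i in range(5)
] + [
    {"ts": T0 + timedelta(hours=5, minutes=6), "user": "alee", "ip": "192.0.2.50", "ua": "curl/7", "ok": True},
]


def run(events=EVENTS):
    """Feed events through a fresh engine in order; return (action, score, reasons) per event."""
    engine = RiskEngine()
    return [engine.decide(e) for e in events]


if __name__ == "__main__":
    for ev, (action, s, why) in zip(EVENTS, run()):
        print(f"{ev['ts']:%H:%M} {ev['user']:7} {ev['ip']:14} -> {action:7} score={s:3} {why}")
```

Only successful, non-blocked logins update the user's known networks, devices and location, so an attacker who is blocked does not teach the engine that their network is familiar; the failure counter, by contrast, is per user so that a password-guessing burst raises the bar for the next attempt even when the correct password is finally supplied.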
mobile authentication: OAuth, other?
process authentication: PKI, OAuth, other?
social identity: social2SAML web authentication gateway
account linking
eduroam: RADIUS, EAP
non-web federated authn
Commonly-used OS/HE Authentication Service Component Products
MIT Kerberos, Heimdal
CAS, Shibboleth, simpleSAMLphp
LDAP directory (OpenLDAP, etc.)
(Active Directory)
(anything in PKI? InCommon cert service?)