Re: single-signon with X.509 certificates
From: Edward A. Feustel (edward.feustel_at_dartmouth.edu)
Date: 02/26/04
- Next message: Me_at_home.here: "Re: Using Old OS for Security"
- Previous message: paul b: "Reading X509 "Subject Alternative Name" field in PHP"
- In reply to:(deleted message) Michel Oosterhof: "Re: single-signon with X.509 certificates"
Date: Thu, 26 Feb 2004 07:20:59 -0500
"Michel Oosterhof" <m.no-spam.oosterhof@xs4all.nl> wrote in message
news:403d2a0e$0$566$e4fe514c@news.xs4all.nl...
> bisibis@pt.lu (paul b) writes:
>
> >Hello,
> >I need some help with a single sign-on system that I have to develop for
> >a society during the next few months.
> >The system has to work in the following way:
> >The users have to do a single authentication against the system using
> >an X.509 certificate stored on a USB token. Once this authentication
> >is correct, they will get access to some proprietary applications. All
> >the security thus has to lie on the certificates.
>
> >We already thought about some solutions, and perhaps someone has
> >implemented a similar system and can tell me what the best solution is:
> >- One possibility that we discussed was to use X.509 attribute
> >certificates and to store the user rights in the certificate itself.
>
> >- We also thought about storing the information in the LDAP directory
> >and interfacing the applications directly with the LDAP tree, so
> >that the authentication is done once against the LDAP system and then
> >the rights are read from the tree each time the user accesses an
> >application. Is this possible??
>
> >Perhaps someone can tell me how to proceed or give me a totally
> >new (and easier ;-)) idea to implement such a single sign-on system.
>
> There is a product called IBM Tivoli Access Manager which approximately
> does what you request here.
>
There are other products that can do it as well.
Entrust offers both ID and attribute certificates published
to whatever LDAP-compatible directory.
Look also at the IETF PKIX Grid Proxy certificate scheme, which is a single
sign-on substitute.
If you need cross-domain authentication of certificates, look at the US
Federal Govt.'s Bridge Certificate Authority work.
If you must do the sign-on with passwords, consider an
Aladdin USB token or similar. It stores keys and passwords on a token and
will "do the right thing" when signing in, provided that the correct PIN is
entered.
Good luck.
Ed