Single Sing-On at institutions
At institutions, if no centralized solution is provided, authentication is normally addressed using multiple logins and passwords for each service. This implies that the user needs to introduce different credentials in each application. At the first level, a solution based on a directory server unifies multiple username and passwords into a single one. However, there is still the problem of login to each application separately, which is something not affordable in a context where the number and variety of web services for learning is constantly increasing.
Within the administrative domain of an institution, Single Sign-On (SSO) resolves this problem providing an authentication session that is centrally managed, allowing the user to navigate through different web applications using the same session. With the Bologna Process more students and lecturers will be on mobility programs within European higher education institutions. SSO systems are not well suited for this purpose as they are restricted to the administrative domain of each institution. Therefore, SSO systems should be federated so that local services can delegate the authentication of mobile users to their home administrative domains, and these administrative domains can accept authentication requests beyond their boundaries. In this model, the home administrative domain plays the role of an Identity Provider (IdP) while the local service is a Service Provider (SP).
Single Sign-On at Web 2.0
At Web 2.0, OpenID stands out as the most popular and supported initiative for federated identification. Opposed to institutional SSO, OpenID is a decentralized standard for authentication, meaning that the digital identity that does not rely on a unique central authentication authority. In this sense, as OpenID identifiers are provided in the form of unique URLs, any website has the potential to become an OpenID provider.
One username and password to rule them all
Given that the educational community wants to introduce web 2.0 services into the institutional environment, it might be necessary for the institution to become an OpenID provider and to offer institution’s members an iOpenID (institutional OpenID) identifier that can be used to gain access to multiple web services. This iOpenID is be linked to institutional SOO system, so the user will take advantage of using the same username and password for both institutional and external services. simpleSAMLphp, developed by UNINETT (Norwegian Research and Education Network), is an open source and lightweight implementation of Web SSO and several federation protocols. It is a good tool for quick implementation of identity-enabled proof of concept prototypes based on PHP platforms. simpleSAMLphp IdP software plugs into our LDAP-based institutional user information service. By adding a simpleSAMLphp SP software to web services like Moodle or Drupal, users can login to them with their institutional username and passwords, and navigate through them using the same session.
Together with IdP and SP software, simpleSAMLphp also releases an OpenID provider, so an integral solution can be built with it. However, in Spain there is no need for an institution to host its own OpenID provider. RedIRIS, the Spanish Research and Education Network, offers Spanish universities a powerful OpenID provider service called SIR. By installing an IdP software at the university and adding it to SIR service, all users are provided with the same OpenID identifier, which is the same for all universities: http://yo.rediris.es. At the end of the authentication process, this identifier is transformed into a long identifier (http://firstname.lastname@example.org) that contains the information that uniquely identifies the user and the university.
Last, it very important to consider that in a mashup-based architecture, where some services communicate with others via APIs, it is necessary to have mechanisms that allow a service to ask for access permission to another service and exchange user credentials in a secure way. OAuth is the protocol designed for this task. It must be clear that OAuth does not substitute the federation protocols mentioned before. Instead, it complements them by offering a secure channel through which APIs can make use of federation.