Page 211 - Building Digital Libraries
CHAPTER 8
• Shibboleth is designed for sharing authentication data
between organizations in a distributed environment, so it
federates authentication and distributes the management
of user information across organizations over the SAML
protocol to exchange authentication and authorization data.
• Shibboleth is generally more difficult to configure than
CAS.
OpenID
OpenID is different from SAML or CAS in that there’s no trust relationship
with the provider—you accept whatever it tells you and associate it with
a placeholder identifier in the repository. Like Shibboleth, OpenID is a
federated identification management protocol. However, it differs from
Shibboleth in several key respects. First, OpenID has been designed under
the premise that user-identification management can function essentially
like a URI. Within the OpenID model, a user signs in using a unique URI,
which is resolved by a service run either by the user or by the authenticating
organization. Like Shibboleth, the protocol defines how user information is
securely transmitted between resources, as well as what attributes are needed
to authenticate users between targets. What makes OpenID different from
many other authentication services is the notion of a secure URI that acts
as a user’s user name and password. Within the OpenID model, the URI
provides the authentication mechanism for the protocol, meaning that how
one proves ownership of the URI directly relates to how authentication is
verified within the system.
OAuth and Social Media Authentication
OAuth allows third parties such as social media services to authenticate to
another system. Unlike OpenID, whose primary purpose is authentication in
a web environment, the primary purpose of OAuth is to allow users to grant
an application authorization to an API on their behalf. As such, the two are
complementary.
In a repository, OAuth might be used like this: a user authenticates using a
social media account and is then asked for permission to share her e-mail
address with the repository software. Once she grants that permission, the
e-mail address is matched to an account.
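The login just described, as an added example that is not the book's code: a self-contained model of the repository asking a social media provider for permission to see the user's e-mail address and matching that address to a local account. The provider, its users, the `state` value and the `email_verified` field are constructed stand-ins for this illustration.

```python
# Added example, not the book's code: a stand-alone model of the repository
# login described above. Provider, users and accounts are constructed stand-ins.
import secrets

class FakeProvider:                                # constructed social-media provider
    def __init__(self, users):
        self.users, self.codes, self.tokens = users, {}, {}
    def authorize(self, login, scope, state, grant):
        # The user signs in here and is asked to share the requested scope.
        if not grant:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(8)
        self.codes[code] = (login, scope)
        return {"code": code, "state": state}      # redirected back to repository
    def token(self, code):                         # one-time code -> access token
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = self.codes.pop(code)
        return tok
    def userinfo(self, tok):                       # only fields covered by scope
        login, scope = self.tokens[tok]
        return dict(self.users[login]) if "email" in scope else {}

class Repository:
    """Repository side: match the shared e-mail address to a local account."""
    def __init__(self, accounts):
        self.accounts, self.pending = accounts, set()   # email -> account id
    def start_login(self):
        state = secrets.token_urlsafe(8)           # ties callback to this attempt
        self.pending.add(state)
        return state
    def finish_login(self, provider, callback):
        if callback.get("state") not in self.pending:
            return None                            # callback we never initiated
        self.pending.discard(callback["state"])
        if "code" not in callback:
            return None                            # user declined to share e-mail
        info = provider.userinfo(provider.token(callback["code"]))
        if not info.get("email_verified"):
            return None                            # match only a verified address
        return self.accounts.get(info.get("email"))
def login(provider, repo, user, grant):            # one full attempt -> account or None
    state = repo.start_login()
    return repo.finish_login(provider, provider.authorize(user, {"email"}, state, grant))

def run_demo():
    users = {"ann": {"email": "ann@example.org", "email_verified": True},
             "bob": {"email": "bob@example.org", "email_verified": False}}
    p, r = FakeProvider(users), Repository({"ann@example.org": "ann-repo"})
    return (login(p, r, "ann", True), login(p, r, "ann", False), login(p, r, "bob", True),
            r.finish_login(p, {"code": "x", "state": "bogus"}))
```

`run_demo()` returns the outcome of four attempts: a granted login that matches an account, a refused permission, a login whose address the provider has not verified, and a callback the repository never initiated.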
OAuth and social media authentication offer the following advantages:
• Many users won’t be asked for credentials after logging in
because simply being logged in to their favorite services
grants them access.
• If your organization won’t allow vendors outside your
firewall to connect to your LDAP or other authentication