webSSO is a new cloud-centric, federated authentication system developed to solve the problems of deploying authentication across heterogeneous infrastructures. It is a thin policy layer on top of widely deployed and trusted protocols such as HTTPS and TLS client certificate authentication. It provides:
- Single sign-on across local, Internet and cloud infrastructures
- Globally unique identities via existing certificate authorities
- Decentralized authentication
- Credential delegation
- Deployment on existing HTTPS stacks
- Multi-protocol support (i.e. not restricted to HTTP)
- Cryptographic trust validation of all parties
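The building block the list above rests on is TLS client certificate authentication with both parties validated against a trusted CA. Below is an added Go example written for this page; it is not webSSO's own code and does not implement the webSSO policy layer. It builds a throw-away CA plus a server leaf and a client leaf (the names sso.example, alice@idp.example and "Rogue CA", and the Handshake and issue helpers, are assumptions of this example), runs a mutually authenticated handshake over loopback so each side learns a verified identity for its peer, and shows that a client certificate chaining to a CA the server does not trust is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints a throw-away certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf (valid for 127.0.0.1) signed by parent. Constructed for this example.
func issue(cn string, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for throw-away certs
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signKey := parent, parentKey
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil {
		panic(err) // a template mistake in the example, not a runtime condition
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return cert, key
}

// Handshake runs one mutually authenticated TLS handshake over loopback and returns the
// verified name each side learned about its peer. With rogueClient the client leaf comes
// from a second CA the server does not trust, so the server must refuse it.
func Handshake(rogueClient bool) (clientSeenByServer, serverSeenByClient string, err error) {
	ca, caKey := issue("Example Root CA", nil, nil, nil)
	srv, srvKey := issue("sso.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	cliCA, cliCAKey := ca, caKey
	if rogueClient {
		cliCA, cliCAKey = issue("Rogue CA", nil, nil, nil)
	}
	// The user's globally unique name travels in the certificate subject, not in a password.
	cli, cliKey := issue("alice@idp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, cliCA, cliCAKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the client chain must reach ClientCAs
		ClientCAs:    roots,
	})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	var seen string
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // nil only once the client chain has verified
				seen = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				_, err = tc.Write([]byte("ok")) // tell the client it was accepted
			}
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
		RootCAs:      roots, // the client verifies the server against the same roots
	})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes before the server has judged its certificate,
	// so a rejection only surfaces on the first read.
	if _, err = conn.Read(make([]byte, 2)); err != nil {
		return "", "", fmt.Errorf("server rejected client certificate: %w", err)
	}
	if err = <-srvErr; err != nil {
		return "", "", err
	}
	return seen, conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Call Handshake(false) from a main or a test to get ("alice@idp.example", "sso.example", nil); Handshake(true) returns an error because the server's trust validation fails on the rogue chain. Note the two things a deployment inherits from TLS here and which the post's bullet list depends on: the identity is whatever the CA bound into the certificate subject, so it is only as globally unique as the CA's naming discipline, and the server only learns that identity after its own chain validation has succeeded, never from the client's unverified claim.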
There are, of course, many authentication protocols already available. Kerberos, for instance, is a widely deployed, mature protocol for local infrastructure. However, it has almost no Internet presence, mostly because identity providers are not willing to expose their Kerberos servers (KDCs) to the Internet. Kerberos also competes with SSL/TLS for transport encryption, and TLS is the hands-down winner in the web-enabled world. Lastly, Kerberos has difficulty scaling in large, flat topologies.
Outside of the enterprise context, OpenID has a large presence on the Internet. As one of the first attempts at creating a federated identity system on the Internet, it has accomplished remarkable things. However, OpenID doesn’t do single sign-on. Nor does it cryptographically validate all parties in the authentication transaction: the user is redirected between relying party and provider with no assurance about who either of them is, which is what makes OpenID phishing possible. When combined with OAuth, OpenID can perform credential delegation. But implementing these protocols is quite complex, leading to bugs that compromise security. OpenID is also tightly tied to the web and has gained no traction outside this environment.
The true problem arises when the local infrastructure and Internet worlds meet. If you want to use your enterprise identity on the Internet or in a cloud service, you’re pretty much out of luck. The same is mostly true of using your Internet identity in the enterprise. Thus, webSSO came about as we began to envision a world where there was no division between local, Internet and cloud infrastructures.
For more information about webSSO, check out our website where you can find the Internet Draft, a full description of the protocol and my presentation for the Cloud Identity Summit. If you happen to be at the Summit, check out the New Technology Panel in the Cascade Ballroom at 12pm Mountain Time today or look me up!