cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: friend functionality
On Mon, 29 Mar 2004, Darren Jacobs wrote:
> Don't have a lot of experience with webiso systems (yet <g> ) so please
> excuse me if my question is a bit basic...what exactly does the friend
> functionality of Cosign give you?
Let me take a shot at this with the hopes that someone will correct
me if I get anything wrong. Disclaimer: I work for the College
of Literature, Science, and the Arts here at the UofM, not on the
team that developed cosign.
Essentially, Friend allows arbitrary people to create their own
"accounts" for use with the cosign WebISO infrastructure. If you
have Friend enabled, then a random person, for example, Joe User
at the University of Maryland (joeuser@xxxxxxx) can create themselves
a Friend account at the University of Toronto. They can then
authenticate to your cosign servers as joeuser@xxxxxxx -- the
"@umd.edu" shows that they are a Friend and not a local user.
How useful this is depends on how you set up your cosign-protected
web services -- there are many possibilities. The simplest
example is that a professor could restrict a certain
document in their web space so that only joeuser@xxxxxxx can
read it (the restriction is via an .htaccess file containing
a directive "require joeuser@xxxxxxx" or by other means). The
web server and cosign will then enforce this access control.
The beauty of this is that it makes the task easy both on the
professor and on his colleague Joe -- the professor does not have
to deal with setting up an account for Joe or giving Joe a
password, and Joe signs himself up for Friend in the same way
he is already used to doing with Yahoo and many other free
web services. A more complicated example would be allowing
prospective graduate students to create and manage their own
accounts for tracking the status of their application for
admission over the web.
It is important to keep in mind that Friend allows you to say
very little about the identity of the person who is authenticating.
Essentially, all you know is that the person has access to email
sent to the Friend username (in this example, that the person
who is accessing the professor's restricted file is the same
person who reads mail sent to joeuser@xxxxxxx). cosign and
shibboleth can be used together to provide a stronger statement
about identity than cosign and friend together can.
LS&A Information Technology
The University of Michigan
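To make the access-control point in the post concrete, here is an added example (not code from the post or from cosign itself) that mimics how a web server would evaluate `require` lines against the authenticated login, treating the `@domain` suffix as the marker of a Friend account; the `.htaccess` text and `joeuser@example.org` are constructed values.

```python
import re
from dataclasses import dataclass
from typing import Set, Tuple

FRIEND_MARK = "@"  # a Friend login carries its e-mail domain; local users do not


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_friend(principal: str) -> bool:
    """Friend accounts are the only logins that carry an '@domain' suffix."""
    return FRIEND_MARK in principal


def parse_require(htaccess_text: str) -> Tuple[bool, Set[str]]:
    """Return (valid_user_allowed, explicit_users) from the 'require' lines.

    Accepts the short form used in the post ('require joeuser@example.org'),
    the Apache form 'require user a b', and 'require valid-user'.
    """
    valid_user = False
    users: Set[str] = set()
    for line in htaccess_text.splitlines():
        m = re.match(r"\s*require\s+(.*)", line, re.IGNORECASE)
        if not m:
            continue
        tokens = m.group(1).split()
        if tokens and tokens[0].lower() == "valid-user":
            valid_user = True
        elif tokens and tokens[0].lower() == "user":
            users.update(tokens[1:])
        else:
            users.update(tokens)
    return valid_user, users


def authorize(principal: str, htaccess_text: str) -> Decision:
    """Decide access; a Friend match only proves control of that mailbox."""
    valid_user, users = parse_require(htaccess_text)
    kind = "Friend" if is_friend(principal) else "local"
    if principal in users:
        return Decision(True, f"{kind} user listed explicitly")
    if valid_user:
        return Decision(True, f"any authenticated {kind} user accepted")
    return Decision(False, f"{kind} user not in require list")


# Constructed sample .htaccess modelled on the post's example.
SAMPLE_HTACCESS = "# constructed sample\nrequire joeuser@example.org\n"
```

Note that the local user `joeuser` and the Friend `joeuser@example.org` are different principals, which is exactly why the domain suffix matters.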