OpenID Connect at CSAIL

If you've been around MIT, and especially CSAIL, for a while, you have probably become accustomed to using "web certificates" to log in to the various Web-based applications around campus, like Atlas, Peeps, and many other popular sites. MIT adopted web certificates in 1996 to give its community a way to log in to many different sites without having to remember a username and password for each one.

Fast forward a decade or so, and a new kind of central login method was adopted at MIT: Touchstone, which not only allowed users to use web certificates, but also allowed them to use their Athena username and password, or even existing Kerberos tickets (see http://kb.mit.edu/confluence/display/istcontrib/Touchstone+FAQ for more info).

Fast forward another decade, and CSAIL has begun the adoption of the next generation login system: OpenID Connect, or OIDC. MIT central campus also has a pilot program for OIDC; however, they are less motivated to get it integrated into campus applications because they already have Touchstone. CSAIL is highly motivated to roll out OIDC because in the very near future, major web browser vendors like Mozilla and Google will end support for web certificate authentication in their browsers. In fact, OIDC at CSAIL will be replacing web certificates entirely for client authentication.

On May 2, 2016, GarrettWollman gave a presentation on the situation, which was followed by an open half-hour discussion. The slides are available in the topic attachments below (May_2_OIDC_presentation.key.pdf).

What is OpenID Connect?

There's a technical description of OIDC you can read at http://openid.net/connect/ if you want to know all the details, but in short, OIDC is a service that we run at CSAIL on our own servers that allows you to authenticate to services like WebDNS, DHREG, the CSAIL website, and many more, by using your CSAIL Kerberos account.

The short video below shows how you would interact with OpenID Connect to authenticate to a CSAIL website (https://webdns-new.csail.mit.edu - note that this is a testing system and is not currently meant for production use).

You'll notice that the following happens in the video above:

That's pretty much all you need to do on a day-to-day basis. Note that you will no longer need to obtain certificates every year or worry about which one(s) you have in your browser. You can also use pretty much all the modern browsers.

Configuring browsers to use Kerberos

If you're on a system where you regularly get CSAIL Kerberos tickets already -- like a CSAIL Ubuntu workstation -- then you may find it convenient to use your existing tickets to log in to oidc.csail.mit.edu.

Firefox

Firefox supports this out of the box, but it requires a bit of extra configuration. You'll need to go to about:config (if you haven't done this before, Firefox will ask you if you really want to) and set the preference network.negotiate-auth.trusted-uris to .csail.mit.edu, as shown in the attached screenshot firefox-negotiate.png.

If your system is particularly weird, you might also have to set network.negotiate-auth.using-native-gsslib and/or network.negotiate-auth.gsslib -- ask TIG to help you with these settings if just setting trusted-uris doesn't work.

Note: We haven't found a way to make Firefox use Kerberos on Windows reliably. The procedure described above works for Firefox on other operating systems with official Firefox binary packages.

Safari

Whether Safari supports Kerberos authentication depends on the version of macOS and Safari you have. Kerberos login to OIDC has been confirmed to work automatically in Safari 10.1 on Yosemite and newer macOS releases, with no special configuration.

Chromium/Google Chrome

As with Firefox, Chrome requires that domains be explicitly permitted to use Kerberos authentication. Furthermore, on Windows, Chrome uses the system SSPI libraries and not the MIT Kerberos for Windows or AuriStor Heimdal libraries which you may already have installed. How to configure Chrome policies unfortunately also varies across the three platforms.
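The Firefox preference and the Chrome allowlist described above can be generated from one script, so that both browsers offer Kerberos only to the CSAIL domain. This is an added example, not CSAIL's or TIG's own tooling: the function names, the validation rule and the delivery locations in the comments are assumptions, while network.negotiate-auth.trusted-uris comes from this page and AuthServerAllowlist is Chrome's policy name.

```shell
#!/bin/sh
# Added example: scope browser Kerberos (Negotiate) authentication to one domain.
DOMAIN="csail.mit.edu"   # domain used on this page

# Reject values that would let the browser offer Kerberos credentials to
# unrelated sites: empty, wildcard, list, whitespace, stray dots, bare TLD.
check_domain() {
    case "$1" in
        ""|*\**|*,*|*" "*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Firefox: a user.js line (placed in the profile directory) that sets the same
# preference the page sets by hand in about:config.
firefox_pref() {
    check_domain "$1" || return 1
    printf 'user_pref("network.negotiate-auth.trusted-uris", ".%s");\n' "$1"
}

# Chrome/Chromium: managed-policy JSON. AuthServerAllowlist is the policy name
# in current releases (older releases called it AuthServerWhitelist).
# Usual delivery per platform (assumed defaults, check your deployment):
#   Linux:   a .json file under /etc/opt/chrome/policies/managed/
#   macOS:   defaults write com.google.Chrome AuthServerAllowlist -string '<value>'
#   Windows: string value under HKLM\Software\Policies\Google\Chrome
chrome_policy() {
    check_domain "$1" || return 1
    printf '{\n  "AuthServerAllowlist": "*.%s"\n}\n' "$1"
}

# Print both settings for review before installing them.
firefox_pref "$DOMAIN"
chrome_policy "$DOMAIN"
```

Chrome's applied policies can be confirmed afterwards on its chrome://policy page.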

Internet Explorer and Edge

We haven't tried this yet, and we're not sure that it will work at all unless you are using a machine joined to the AD.CSAIL.MIT.EDU Windows domain.

-- MarkPearrow - 19 May 2017

-- GarrettWollman - 05 Oct 2017
Topic attachments

May_2_OIDC_presentation.key.pdf (129.4 K, 02 May 2016 - 21:29, GarrettWollman): slides from 2016-05-02 presentation
firefox-negotiate.png (28.9 K, 05 Oct 2017 - 02:46, GarrettWollman): Screenshot of Firefox about:config settings for Kerberos authentication

Topic revision: 11 Dec 2017, JasonDorfman
 
