SECURe Documentation: Definitions

Institutional Directory

The institutional directory should:

Be LDAP based;
Contain details of institutional members (staff, students, and possibly alumni and temporary staff and students);
Have data in an eduPerson schema (if a resource sharing authorisation system is to be used).

For the requirements of the SECURe system, all the details should be on one directory server. Most modern email systems have an associated directory server, which may need special configuration to be activated, and most will not include the eduPerson schema by default.

Single Sign On Authentication System

By Single Sign On, we mean the ability to authenticate once to a Web resource protected by the system, and have the authentication passed on to some other Web resource also protected by the system. The requirements for such a system in this context are:

Installable in an Apache web server in such a way that standard controls ("Require valid-user" directives) in the server configuration or .htaccess files can be used to require authentication via the system. This means that basic authentication and mod_ldap are not appropriate technologies here.
The system can be configured to use the institutional directory for authentication

A listing of appropriate technologies can be found on the Internet2 Web Initial Sign On page.

top of page

Resource Sharing System

By resource sharing system, we mean technology to enable the sharing of (web and possibly other) resources between institutions in a trusted manner - accepting the authenticated users from another institution without interposing a new authentication challenge.

This differs from a single sign on system, which would not necessarily be able to pass credentials (or, more securely, anonymised security assertions) to other systems outside the institution.

top of page

Document last updated: 28/02/04