IDfusion An Open-Architecture for Kerberos based Authorization

Since its initial development Kerberos has evolved to become the widely accepted system for implementing centralized authentication services. During this time the Lightweight Directory Access Protocol (LDAP) has become the accepted method for the centralized distribution of identity information. Organizations increasingly deploy both infra-structural components in order to support management of distributed information delivery systems. During this evolution no standardized scheme for authorization has emerged. Industry consensus suggests that LDAP is the protocol of choice for storing extended information needed to make authorization decisions. Despite this consensus no standardized scheme has evolved for implementing directory based authorization. This paper discusses a strategy for using the symmetric key management facilities of Kerberos to implement directory based authorization. The system is architected to provide inherent security in the event of a directory compromise. The system offers the management advantages of role based access systems while providing the option for fine grained authorization control. The identity based authorization model uses a service oriented approach to managing authorization. As such it is consistent with and supportive of the trend toward services oriented application architectures.