MIT Touchstone authentication system


What you’ll find on this page:
Overview
Obtaining an account
Using MIT Touchstone
    cookies
    javascript
    Changing your default account provider selection
    Changing your default authentication mechanism (MIT users)
    logout
    looping, or being stuck at the "Redirecting to requested site" page
Troubleshooting Touchstone Collaboration Account Access
Testing your access
Touchstone enabled applications
Touchstone Frequently Asked Questions
Touchstone for web application developers and system administrators
Touchstone general support resources

Overview

Information Services and Technology (IS&T) operates MIT Touchstone as a web authentication service for the MIT community and beyond. MIT Touchstone provides a federated authentication approach using Shibboleth in conjunction with other components. The service enables MIT users to authenticate to enabled systems both on campus and off.

People with an MIT Kerberos username or an MIT X.509 certificate can simply use their normal account to securely authenticate to any of the MIT applications supporting MIT Touchstone. MIT users can also use their normal account to securely authenticate to a growing number of off-campus applications.

People who do not have an MIT Kerberos account or MIT X.509 certificate can also authenticate to MIT Touchstone enabled applications. They can do so by self-registering for a Collaboration Account, or, if they have an account with a member of the InCommon Federation, they may be able to authenticate using the account from their own university, company, or agency.

In all cases, when using MIT Touchstone, a user's password is never passed to a web application that uses the system. When a person starts using an enabled application, they reach a point where the application requires them to authenticate; typically the application displays a login button. When the person logs in, the application does not prompt for a username and password. Instead, the user's browser is temporarily redirected to a secure login server. The login server used by people with an MIT Kerberos account or MIT certificate is operated by the same group responsible for operating the MIT Kerberos infrastructure.

Since MIT Touchstone enabled applications support authentication via a number of account providers, not just MIT, users may also be redirected to a page that allows them to select which account provider they will use to authenticate. Once users are familiar with making this choice, they can save it as a user preference using a check box on the account provider selection page.


Obtaining an Account

MIT students, staff, and faculty members should not need to obtain a new account. Instead you will simply use your existing MIT Kerberos username, or MIT X.509 certificate.

  • New MIT students, staff, faculty, and affiliates may wish to look at Getting a Kerberos (Athena) Account. An MIT Kerberos account is required for systems that expect a direct MIT association in order to grant authorizations.
  • For people who are not MIT students, staff, or faculty, or otherwise already affiliated with MIT: Getting a Collaboration Account hosted at TouchstoneNetwork. This provides self-registration accounts for access to MIT Touchstone enabled applications.
  • If you are not an MIT student, staff, or faculty member, you should check to see if you already have an account with a member of the InCommon Federation by checking the list of InCommon Federation participants.

Using MIT Touchstone

Default browser settings should not prevent anyone from using MIT Touchstone for authentication. However, there are various optional settings that can affect the usability of Touchstone and Shibboleth. This page also provides some guidance on how to recover from previous choices or selections.

The use of cookies

Shibboleth, and hence MIT Touchstone, requires the use of browser cookies. If cookies have been disabled in the browser an error will result when attempting to use MIT Touchstone enabled applications. To re-enable cookies within your browser you should consult your browser's documentation.

The site associated with the cookies will depend on which identity provider, or account provider, you are using.

The use of javascript

Although MIT Touchstone assumes Javascript is enabled, and uses it, it is still possible to authenticate if you do not have Javascript enabled. Instead of being automatically redirected back to the application that you are trying to access, you will have to use a button to complete a form post.

Note that some applications that use MIT Touchstone or Shibboleth for authentication may have their own internal requirements that require Javascript in order for the application to work.

Changing your default account provider selection

Most Touchstone enabled applications support authentication from more than one account provider, or identity provider. For example, an application might accept authentications from the MIT account system, TouchstoneNetwork, and Stanford University's system. Because of this added complexity, users must indicate which account provider they will be using to authenticate. The MIT server that lets users make the account provider selection also lets them save the choice as a default preference within their browser via a cookie. After saving the preference, the user may not see any prompts from that server for an extended period, for example 100 days.

Since a user's browser will no longer present the screen offering a choice, users need a way to easily modify their choice. Of course a user could delete the appropriate cookie in their browser, however we also provide an easier method. Visit http://wayf.mit.edu to eliminate the saved preference of the account provider. The same URL may also be used to make a new persistent selection, independent of using a Touchstone enabled application.

Note: there are some MIT applications which don't support multiple identity providers, instead they always use the MIT identity provider. Changing the settings via http://wayf.mit.edu/WAYF will have no effect on those applications.

Changing your default authentication mechanism selection (MIT users)

People with an MIT Kerberos username and/or MIT X.509 certificate can choose a default authentication mechanism, which will persist across browser sessions. This can be very useful, since users with a certificate in their browser can choose a configuration that transparently authenticates them to Touchstone enabled applications, reducing the number of actions the user must perform. People using managed desktop systems such as Athena or WIN.mit.edu can also choose to use their existing Kerberos tickets to transparently authenticate to enabled applications. However, there may be times when a person wishes to change the browser behavior.

People with an MIT Kerberos username and/or MIT X.509 certificate can test and reset their authentication mechanisms.

Logout

The most effective and secure way to log out of a Touchstone enabled application is to close the browser.

Some applications also provide a logout capability. However, since Touchstone (Shibboleth) provides single sign-on across enabled applications, the user is rarely logged out in a way that would prevent someone from clicking the login button once again and gaining access without being prompted in any way.

Shibboleth 2.x, and a future version of Touchstone, will provide a method of initiating a logout from an application that affects all other logged-in applications and the user's authentication to the identity provider. However, since MIT supports authentication mechanisms that do not require prompting for a user's password (such as using an existing Kerberos TGT or an MIT X.509 certificate), the actual behavior after logging out is highly dependent on the configuration of the user's machine and the user's preferences. In short, "The most effective and secure way to log out of a Touchstone enabled application is to close the browser."

Looping, or being stuck at the "Redirecting to requested site" page

Once in a while a user reports that the browser gets stuck at the "Redirecting to requested site" page, or that the browser constantly recycles to redisplay that page. This is usually due to a combination of two factors. First, the web application is configured to allow authenticated traffic to use http instead of https. The second contributing factor is a web proxy external to MIT that causes a different IP address to be used each time the browser makes a new connection.

People seeing this problem should first try to reconnect using https instead of http. If that does resolve the problem, inform the help desk or people responsible for the application that they should fix their web server's configuration. You can tell them to Google for ShibRedirectToSSL. Of course you can always contact touchstone-support and let us know the name of the offending application and the URL that you attempted to access. We will relay the information to the application maintainers.

If using https does not resolve the problem, please contact touchstone-support, and don't forget to include the URL that you were first attempting to access when you encountered the problem.
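As an added illustration (not from this page or from MIT's own configuration), here is what the misconfiguration described above looks like in an Apache Shibboleth SP configuration, shown before and after applying the ShibRedirectToSSL directive the text refers to. The /secure path, the port number, and the Shibboleth SP 2.x directive syntax are assumptions; use one version or the other, not both.

```apache
# Added example; not MIT's configuration. /secure and port 443 are assumptions.

# Before: the protected location is reachable over plain http. The
# Shibboleth session can be established and presented without TLS, and
# a client whose apparent IP address changes between requests (for
# example behind an external web proxy) can be sent back to the
# "Redirecting to requested site" step over and over.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

# After: redirect any http request for the protected location to https
# (port 443) before any Shibboleth session handling takes place, so the
# session is only ever created and used over TLS.
<Location /secure>
    AuthType shibboleth
    ShibRedirectToSSL 443
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
```

A quick check from a client: a request for the http URL of the protected path should now answer with a redirect to the https URL rather than with the application page or a redirect to the login server.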


Troubleshooting Touchstone Collaboration Account Access

If you have any trouble accessing Your Account, please email touchstone-support@mit.edu.

  1. You never received the confirmation email for your Touchstone Collaboration Account.
    Check your spam folder/filter - since this is an automated email, spam filters will sometimes mistake it for spam.
  2. You forgot your collaboration account password.
    Use the Touchstone password request form.
  3. You want to logout, but you can't find a logout button.
    You must close your browser to securely logout of Your Account.
  4. You are immediately prompted to enter your Collaboration Account username/password (and you want to use Kerberos/certificates), or you are prompted to log in with Kerberos/certificates (and you want to use a Collaboration Account).
    Your computer has a cookie set that bypasses the initial type of login you want to do (this is a nice feature when it is set correctly!). To reset your selection, go to the Account Provider Selection screen and click on the reset button (screenshot below).
    (Screenshot: Touchstone reset screen)
    After you click the reset button, you will be brought to a screen that lets you set a different default. If you don't want to choose a permanent default, simply navigate away from this page and try logging into your favorite Touchstone enabled application again. You may need to close and restart your browser.
  5. You aren't sure your Touchstone Collaboration Account is working.
    You can always test to see if your Touchstone Collaboration Account is working. If you successfully log in to that test, but you can't get access to your Touchstone enabled application, email computing-help@mit.edu for help. Please tell the help desk which application URL you are trying to access.

 


Testing your access

A very simple application to test that you are able to use MIT Touchstone.

Another test application. This one demonstrates the selection of the account provider, and upon success shows information about you that the logon server has released to the test application. This application primarily serves as a demonstration to application developers about some of the capabilities. It is not expected to be particularly useful to most users.


Touchstone enabled applications

The Touchstone enabled applications page provides information about which internal and external applications support using MIT Touchstone, Shibboleth, or Collaboration Accounts for authentication. It also indicates what information about a user is released to each application.


Frequently Asked Questions

MIT Touchstone FAQ


Touchstone for web application developers and system administrators

IS&T provides consulting services for MIT developers, system administrators, departments, labs, and centers wishing to add MIT Touchstone support to their systems and web applications. Request a consult.

Web application developers and system administrators wishing to dive right in should look at the installation and configuration guide.


Touchstone general support resources

Training:

No training is available from IS&T at this time. During IAP, sessions for web application developers and system administrators will normally be scheduled. Check the IAP schedule or here for more information around the time of IAP.

Who to Contact:

Web: Computing Help Desk
Email: computing-help@mit.edu
Phone: 617.253.1101


Announcements

No recent announcements.