NOTE: This is a discussion thread of policies related to SSO and not a question.

In my discussions within my organization about SSO and how it relates to the applications we provide to the university, there has been a major policy question that is still being skirted: whether applications not supported by the university's IT staff can use the CAS cluster established for applications supported by the IT staff, including applications managed by individual departments / units and third-party vendors.

The difficulty of the question is due to multiple factors / worries:

1.) Ensuring participating applications behave according to the policies established

Since CAS is the SSO solution for all applications supported by the university's IT staff and all supported applications are part of our portal, then users sign out of the portal as a whole rather than individual applications. There are concerns about applications signing users out of CAS prematurely as well as applications only signing users out locally rather than through CAS.

2.) Preventing dubious parties from obtaining users' information

In the past, we have had some departments / units create a mock-up of our portal's login page where they were taking users' credentials, logging them into the portal, and caching off the credentials. This is a blatant abuse of IT services that was quickly dealt with.

I realize that CAS 3.1 and higher offer the service management feature that allows administrators to determine which services can use SSO, so that should prevent unauthorized use.

As CAS deployers within your respective organizations, especially universities, have you encountered similar policy worries? Have there been other policy worries that you have encountered that might be helpful for others to learn from?

Thanks,
Andrew

Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
