We're putting together a steering committee as part of our larger Identity Management project to handle granting access to service providers. The committee consists of reps from the faculty and the data owners (Registrar's Office, HR, etc.). Before they are allowed to use the production CAS server or query our LDAP server for data, the service provider will have to request access from the committee and fill out a document explaining why they need access, what attributes they need and how they plan on protecting the data they receive. We plan on reviewing these agreements annually to make sure everything stays up-to-date.
-Eric

On Wed, Aug 27, 2008 at 4:56 PM, Andrew Feller <[EMAIL PROTECTED]> wrote:
> *NOTE: This is a discussion thread of policies related to SSO and not a
> question*
>
> In my discussions within my organization about SSO and how it relates to
> the applications we provide to the university, there has been a major policy
> question that is still being skirted: whether applications not supported by
> the university's IT staff can use the CAS cluster established for
> applications supported by the IT staff including applications managed by
> individual departments / units and third-party vendors.
>
> The difficulty of the question is due to multiple factors / worries:
>
> *1.) Ensuring participating applications behave according to the policies
> established*
>
> Since CAS is the SSO solution for all applications supported by the
> university's IT staff and all supported applications are part of our portal,
> then users sign out of the portal as a whole rather than individual
> applications. There are concerns about applications signing users out of
> CAS prematurely as well as applications only signing users out locally
> rather than through CAS.
>
> *2.) Preventing dubious parties from obtaining users' information*
>
> In the past, we have had some departments / units create a mock-up of our
> portal's login page where they were taking users' credentials, logging them
> into the portal, and caching off the credentials. This is a blatant abuse
> of IT services that was quickly dealt with. I realize that CAS 3.1 and
> higher offer the service management feature that allows administrators to
> determine which services can use SSO, so that should prevent unauthorized
> use.
>
> As CAS deployers within your respective organizations especially
> universities, have you encountered similar policy worries? Has there been
> other policy worries that you have encountered that might be helpful for
> others to learn from?
>
> Thanks,
> Andrew
>
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>

--
Eric Pierce, RHCE
University of South Florida
(813) 974-8868
[EMAIL PROTECTED]
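An added illustration, not CAS's own code and not from either poster, of the control both messages describe: a service registry that only lets registered services use SSO, refuses a service whose committee agreement is past its annual review, and releases only the attributes the data-owner agreement permits. Hostnames, attribute names and review dates below are constructed; the host and path of a service URL are matched separately so a look-alike host or query-string text cannot satisfy a pattern.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RegisteredService:
    name: str
    host_pattern: str           # glob over the hostname only, e.g. "*.dept.example.edu"
    path_prefix: str            # the service must live under this URL path
    allowed_attributes: frozenset   # attributes the data-owner agreement permits
    review_due: date            # agreement must be re-reviewed by this date
    sso_enabled: bool = True


class ServiceRegistry:
    def __init__(self, services):
        self._services = list(services)

    def lookup(self, service_url):
        """Registered service matching service_url, or None if unregistered.
        Only https services are considered; host and path are checked
        separately so a glob cannot be satisfied by text in the query string."""
        parts = urlsplit(service_url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        for svc in self._services:
            if (fnmatchcase(parts.hostname, svc.host_pattern)
                    and parts.path.startswith(svc.path_prefix)):
                return svc
        return None

    def release(self, service_url, principal_attributes, today_iso):
        """Attributes to hand to the service, or None when the service may not
        use SSO (unregistered, disabled, or its agreement review is overdue)."""
        svc = self.lookup(service_url)
        if svc is None or not svc.sso_enabled:
            return None
        if date.fromisoformat(today_iso) > svc.review_due:
            return None     # agreement lapsed: deny until the committee re-reviews
        return {k: v for k, v in principal_attributes.items()
                if k in svc.allowed_attributes}


# Constructed sample registry: two agreements approved by the committee.
REGISTRY = ServiceRegistry([
    RegisteredService("Portal", "portal.example.edu", "/",
                      frozenset({"uid", "mail", "eduPersonAffiliation"}),
                      date(2009, 8, 27)),
    RegisteredService("Dept wiki", "*.dept.example.edu", "/wiki",
                      frozenset({"uid"}), date(2009, 1, 15)),
])
```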
