Eric,

Thank you for the response!

When you say that you are putting together a steering committee, I take it that the policy you have described is not official policy yet? Is USF using the Service Management feature of CAS to handle white / black listing services from using CAS? Have there been any other interesting policy discussions in relation to single sign on and IDM?

Thanks,
Andrew

On 8/27/08 5:15 PM, "Eric Pierce" <[EMAIL PROTECTED]> wrote:

> We're putting together a steering committee as part of our larger Identity Management project to handle granting access to service providers. The committee consists of reps from the faculty and the data owners (Registrar's Office, HR, etc). Before they are allowed to use the production CAS server or query our LDAP server for data, the service provider will have to request access from the committee and fill out a document explaining why they need access, what attributes they need and how they plan on protecting the data they receive. We plan on reviewing these agreements annually to make sure everything stays up-to-date.
>
> -Eric
>
> On Wed, Aug 27, 2008 at 4:56 PM, Andrew Feller <[EMAIL PROTECTED]> wrote:
>
>> NOTE: This is a discussion thread of policies related to SSO and not a question
>>
>> In my discussions within my organization about SSO and how it relates to the applications we provide to the university, there has been a major policy question that is still being skirted: whether applications not supported by the university's IT staff can use the CAS cluster established for applications supported by the IT staff, including applications managed by individual departments / units and third-party vendors.
>>
>> The difficulty of the question is due to multiple factors / worries:
>>
>> 1.) Ensuring participating applications behave according to the policies established
>>
>> Since CAS is the SSO solution for all applications supported by the university's IT staff and all supported applications are part of our portal, users sign out of the portal as a whole rather than individual applications. There are concerns about applications signing users out of CAS prematurely as well as applications only signing users out locally rather than through CAS.
>>
>> 2.) Preventing dubious parties from obtaining users' information
>>
>> In the past, we have had some departments / units create a mock-up of our portal's login page where they were taking users' credentials, logging them into the portal, and caching off the credentials. This is a blatant abuse of IT services that was quickly dealt with. I realize that CAS 3.1 and higher offer the service management feature that allows administrators to determine which services can use SSO, so that should prevent unauthorized use.
>>
>> As CAS deployers within your respective organizations, especially universities, have you encountered similar policy worries? Have there been other policy worries that you have encountered that might be helpful for others to learn from?
>>
>> Thanks,
>> Andrew
>>
>> Andrew R. Feller, Analyst
>> Information Technology Services
>> 200 Fred Frey Building
>> Louisiana State University
>> Baton Rouge, LA 70803
>> (225) 578-3737 (Office)
>> (225) 578-6400 (Fax)
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
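The thread's second concern (unregistered services obtaining users' information) and Eric's approval process (each service documents which attributes it needs) both come down to a service allowlist with per-service attribute release, which is the job the CAS service management feature performs. The following is an added illustration of that idea, not CAS's own code or the list's: a small registry that only admits service URLs matching a registered pattern over HTTPS, refuses disabled entries, and releases only the attributes the data owners approved for that service. The hostnames, service names and attribute sets are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RegisteredService:
    """One registry entry (hypothetical structure, not CAS's own registry format)."""
    name: str
    url_pattern: str                 # regex a callback/service URL must fully match
    allowed_attributes: frozenset    # attributes the data owners approved for release
    enabled: bool = True             # False while an agreement is pending or lapsed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    released: frozenset              # requested attributes that may be released
    withheld: frozenset              # requested attributes that were not approved


class ServiceRegistry:
    def __init__(self, services):
        self._entries = [(svc, re.compile(svc.url_pattern)) for svc in services]

    def lookup(self, service_url: str) -> Optional[RegisteredService]:
        for svc, rx in self._entries:
            if rx.fullmatch(service_url):
                return svc
        return None

    def authorize(self, service_url: str, requested: frozenset) -> Decision:
        none = frozenset()
        # Refuse plaintext callbacks before consulting the registry at all.
        if urlsplit(service_url).scheme != "https":
            return Decision(False, "service URL must use https", none, none)
        svc = self.lookup(service_url)
        if svc is None:
            return Decision(False, "service not registered", none, none)
        if not svc.enabled:
            return Decision(False, f"service '{svc.name}' is disabled", none, none)
        # Release only the intersection of what was asked for and what was approved.
        released = requested & svc.allowed_attributes
        withheld = requested - svc.allowed_attributes
        return Decision(True, "ok", released, withheld)


# Constructed sample registry; every hostname below is a placeholder.
REGISTRY = ServiceRegistry([
    RegisteredService("portal", r"https://portal\.example\.edu/.*",
                      frozenset({"uid", "mail", "displayName"})),
    RegisteredService("hr-self-service", r"https://hr\.example\.edu/cas/.*",
                      frozenset({"uid", "employeeNumber"})),
    RegisteredService("legacy-dept-app", r"https://old\.dept\.example\.edu/.*",
                      frozenset({"uid"}), enabled=False),
])


def check(service_url: str, attributes) -> Decision:
    """Convenience wrapper used by the demo and the tests."""
    return REGISTRY.authorize(service_url, frozenset(attributes))


if __name__ == "__main__":
    for url, attrs in [
        ("https://portal.example.edu/login", ["uid", "mail"]),
        ("https://hr.example.edu/cas/callback", ["uid", "mail", "employeeNumber"]),
        ("https://old.dept.example.edu/login", ["uid"]),
        ("https://evil-portal.example.org/login", ["uid", "mail"]),
        ("http://portal.example.edu/login", ["uid"]),
    ]:
        d = check(url, attrs)
        print(f"{url}: allowed={d.allowed} ({d.reason}) "
              f"released={sorted(d.released)} withheld={sorted(d.withheld)}")
```

The `withheld` set is worth logging: a service repeatedly asking for attributes it was never approved for is exactly the kind of drift Eric's annual review is meant to catch. Note also what this check does not cover. It governs which service URLs can have tickets validated and which attributes flow back; it does nothing against the mock-up login page Andrew describes, where a look-alike page collects the password directly from the user before any service registry is consulted. That threat is addressed by user education, monitoring for cloned login pages, and keeping the real login on one well-known host.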
