On Wed, Aug 27, 2008 at 8:41 PM, Andrew Feller <[EMAIL PROTECTED]> wrote:

>  Eric,
>
> Thank you for the response!
>
> When you say that you are putting together a steering committee, I take it
> that the policy you have described is not official policy yet?
>

Correct.  The details are still being worked out, but we plan on making it
an official policy in the next 6-8 months.

> Is USF using the Service Management feature of CAS to handle white / black
> listing services from using CAS?  Have there been any other interesting
> policy discussions in relation to single sign on and IDM?

Yes, we're using CAS's Service Management system to control access.  The
biggest policy problem we've had so far is that once departments find out
how easy it is to query for data from LDAP, they want access to
*everything*, whether they have an actual need to see the data or not.  SSO
is pretty new here and it's mostly confined to services that the central IT
group manages, so we haven't seen a lot of issues with it yet, but I have a
feeling that will change over the next few months as we increase the number
of services connecting to it.

-Eric

>
>
> Thanks,
> Andrew
>
>
>
> On 8/27/08 5:15 PM, "Eric Pierce" <[EMAIL PROTECTED]> wrote:
>
> We're putting together a steering committee as part of our larger Identity
> Management project to handle granting access to service providers.  The
> committee consists of reps from the faculty and the data owners (Registrar's
> Office, HR, etc).  Before they are allowed to use the production CAS server
> or query our LDAP server for data, the service provider will have to request
> access from the committee and fill out a document explaining why they need
> access, what attributes they need and how they plan on protecting the data
> they receive.  We plan on reviewing these agreements annually to make sure
> everything stays up-to-date.
>
> -Eric
>
> On Wed, Aug 27, 2008 at 4:56 PM, Andrew Feller <[EMAIL PROTECTED]> wrote:
>
> NOTE: This is a discussion thread of policies related to SSO and not a
> question
> In my discussions within my organization about SSO and how it relates to
> the applications we provide to the university, there has been a major policy
> question that is still being skirted: whether applications not supported by
> the university's IT staff can use the CAS cluster established for
> applications supported by the IT staff including applications managed by
> individual departments / units and third-party vendors.
>
> The difficulty of the question is due to multiple factors / worries:
>
> 1.) Ensuring participating applications behave according to the policies
> established
> Since CAS is the SSO solution for all applications supported by the
> university's IT staff and all supported applications are part of our portal,
> then users sign out of the portal as a whole rather than individual
> applications.  There are concerns about applications signing users out of
> CAS prematurely as well as applications only signing users out locally
> rather than through CAS.
>
> 2.) Preventing dubious parties from obtaining users' information
> In the past, we have had some departments / units create a mock-up of our
> portal's login page where they were taking users' credentials, logging them
> into the portal, and caching off the credentials.  This is a blatant abuse
> of IT services that was quickly dealt with.  I realize that CAS 3.1 and
> higher offer the service management feature that allows administrators to
> determine which services can use SSO, so that should prevent unauthorized
> use.
>
> As CAS deployers within your respective organizations, especially
> universities, have you encountered similar policy worries?  Have there been
> other policy worries that you have encountered that might be helpful for
> others to learn from?
>
> Thanks,
> Andrew
>
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas


-- 
Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868 --
[EMAIL PROTECTED]