What we essentially do here at Rutgers, and it's worked relatively well so far
(but might change if/when we release attributes via CAS), is that we're
pretty lenient with internal Rutgers applications (i.e. we may authorize an
entire host, i.e. sims.rutgers.edu) whereas for external, 3rd party
applications, such as the voting application, the URL is much more
restrictive and requires each application to be registered (so that rogue
3rd party applications can't pretend they have an RU affiliation).

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Thu, Sep 18, 2008 at 1:27 PM, Tom Freestone <[EMAIL PROTECTED]> wrote:

> We will be rolling CAS 3.3 to BYU campus community in the next
> month.  We would like to encourage adoption by the other campus IT shops
> so that BYU can reap the benefits of CAS.
>
> There is interest in restricting CAS using services management.  As we
> have looked at the problem, there seem to be a couple obvious
> solutions.  First, restrict all access and allow campus applications to
> use CAS in a pre-registration model (e.g. white list of first-class
> citizens).  My hesitation with a white list is there is the temptation
> for our operation staff and security administrators to be heavy handed
> and the pre-registration process becomes too painful to get CAS access.
> BYU hasn't had any luck with pre-registration models.  Also, the rule
> set in white lists can become unwieldy when the rule set is large.
>
> On the other hand we could allow all campus application access to CAS
> and black list those applications that are problems.  Both techniques
> have their pros and cons.  I was curious what people are currently doing as
> far as Service Management rules and what worked or didn't.  Thanks!
>
> tom
>
> --
>
>
> ********************************
> Tom Freestone
> ([EMAIL PROTECTED])
> Engineering
> Office of Information Technology
> Brigham Young University
> ********************************
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
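
As an added illustration of the policy described in Scott's reply (this is not CAS code and not Rutgers' configuration): a Python check that treats an internal entry as a whole authorized host and an external entry as one registered URL prefix, and refuses lookalike service URLs. The registry format, the `vote.example.com` URL and the HTTPS-only rule are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed registry; every entry below is an illustrative assumption.
REGISTRY = [
    ("host", "sims.rutgers.edu", "internal: whole host"),
    ("url", "https://vote.example.com/rutgers/", "external: voting app"),
]

def _parse(url):
    """Return (host, path) for a plain https URL on port 443, else None."""
    try:
        p = urlsplit(url)
        host, port = p.hostname, p.port
    except ValueError:
        return None
    if p.scheme != "https" or not host or port not in (None, 443):
        return None
    if p.username is not None or p.password is not None:
        return None  # userinfo such as https://trusted@other-host/ is refused
    path = p.path or "/"
    lowered = path.lower()
    if ".." in path.split("/") or "%2e" in lowered or "%2f" in lowered:
        return None  # refuse dot-segments and encoded separators outright
    return host, path

def match_service(service_url, registry=REGISTRY):
    """Return the name of the entry that authorizes service_url, or None."""
    parsed = _parse(service_url)
    if parsed is None:
        return None
    host, path = parsed
    for kind, value, name in registry:
        # Internal rule: exact host match, any path on that host.
        if kind == "host" and host == value:
            return name
        # External rule: exact host plus the registered path prefix.
        if kind == "url":
            reg = _parse(value)
            if reg and host == reg[0] and path.startswith(reg[1]):
                return name
    return None
```

Comparing the parsed hostname, rather than doing a string or substring match on the raw URL, is what keeps `sims.rutgers.edu.lookalike.example` from matching the internal host rule.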