Educause Security Discussion mailing list archives

Re: single sign-on strategies


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 23 Feb 2004 11:54:12 -0500

We use Yale/CAS (heavily modified) for authenticating access to our
Portal (and many enterprise applications).  

IU-CAS supports various levels of credentials, including "shallow" (low
authorization) credentials that ONLY permit access to generic portal
channels, through password plus token as a second-factor authentication on
some administrative systems.

So, someone could log into the Portal and only supply a guest credential
and then couldn't access anything beyond generic stuff.  Or, someone
could log into the Portal with their University Id and password and also
authenticate at that point with the token, meaning they wouldn't have to
do it again for applications that require that level of authn ("sticky
authn").  Or, they can log into the Portal and do password only
initially, and when they access an application that requires token, they
get prompted at that point to do that (and it's still "sticky").

The IU portal is at http://onestart.iu.edu.  If you go there, you can
see the checkbox to the upper left that says "Login with SafeWord."
Safeword is our generic term for the tokens we use.  You can also see
there where someone can create a "guest" account.  And, you can see
where IU people can activate their own accounts.

M. 

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
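As an added illustration (not code from IU-CAS or from either poster), the following Python models the credential levels and "sticky" step-up described above, together with the per-application timeouts from the quoted question below. The level names, applications and timeout values are constructed assumptions for the example:

```python
from dataclasses import dataclass, field
from enum import IntEnum

class AuthLevel(IntEnum):
    """Credential strength; a higher level satisfies any lower requirement."""
    GUEST = 0           # "shallow" guest credential: generic portal channels only
    PASSWORD = 1        # university id + password
    PASSWORD_TOKEN = 2  # password plus a one-time token as second factor

@dataclass
class Application:
    name: str
    required: AuthLevel
    timeout: int        # seconds an authentication at `required` stays valid for this app

@dataclass
class Session:
    reached: dict = field(default_factory=dict)  # AuthLevel -> time it was last satisfied

    def elevate(self, level: AuthLevel, now: int) -> None:
        """Record a login or step-up; it satisfies `level` and every lower level."""
        for lvl in AuthLevel:
            if lvl <= level:
                self.reached[lvl] = now

def check_access(session: Session, app: Application, now: int):
    """Return ("allow", None) or ("step_up", level the user must authenticate at now).
    The session is kept: a step-up only adds a stronger credential, and that credential
    then satisfies every app at that level ("sticky") until the app's own timeout passes.
    """
    at = session.reached.get(app.required)
    if at is None or now - at > app.timeout:
        return ("step_up", app.required)
    return ("allow", None)

# Constructed sample policy: portal admits guests; HRMS and Finance need a token,
# but Finance re-prompts after only ten minutes.
PORTAL = Application("portal", AuthLevel.GUEST, 8 * 3600)
HRMS = Application("hrms", AuthLevel.PASSWORD_TOKEN, 3600)
FINANCE = Application("finance", AuthLevel.PASSWORD_TOKEN, 600)

def walkthrough():
    """Drive one session through the flow and collect the decisions in order."""
    s = Session()
    s.elevate(AuthLevel.PASSWORD, now=0)           # initial login: password only
    steps = [check_access(s, PORTAL, 0), check_access(s, HRMS, 0)]
    s.elevate(AuthLevel.PASSWORD_TOKEN, now=5)     # user answers the token prompt
    steps += [check_access(s, HRMS, 6), check_access(s, FINANCE, 6)]      # sticky
    steps += [check_access(s, FINANCE, 700), check_access(s, HRMS, 700)]  # 10 min later
    return steps
```

Because the timeout is per application, one token authentication can still be valid for HRMS while Finance already asks for it again, which is the "each application has its own time out" design from the question.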

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
Sent: Friday, January 30, 2004 8:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] single sign-on strategies


The College of New Jersey is in the process of developing our single
sign-on strategy as we prepare to integrate our first enterprise
application - HRMS - into our portal.

We are considering using a partial single sign-on strategy: a user logs
into what I'm calling the "casual" portal which gives them access to the
news, their e-mail, navigation and (perhaps) self-service. If the user
tries to access an administrative screen of an enterprise application
such as HR or Finance, they are prompted to re-enter their password. The
enterprise applications would each have their own time out, and
username/password would be handled by LDAP.

The goal is to strike a balance between security and ease of use that is
closer to the secure side of the continuum than a true SSO solution.

Has anyone else done this or something similar? I would be interested in
any thoughts/lessons learned.

Sincerely,
Craig Blaha
--

Craig Blaha
Associate Director
Information Policy, Security and Web Development
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.