Educause Security Discussion mailing list archives
Re: single sign-on strategies
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 23 Feb 2004 11:54:12 -0500
We use Yale/CAS (heavily modified) for authenticating access to our Portal (and many enterprise applications). IU-CAS supports various levels of credentials, including "shallow" (low authorization) credentials that ONLY permit access to generic portal channels, through password plus token as second-factor authentication on some administrative systems.

So, someone could log into the Portal and only supply a guest credential and then couldn't access anything beyond generic stuff. Or, someone could log into the Portal with their University Id and password and also authenticate at that point with the token, meaning they wouldn't have to do it again for applications that require that level of authn ("sticky authn"). Or, they can log into the Portal and do password only initially, and when they access an application that requires token, they get prompted at that point to do that (and it's still "sticky").

The IU portal is at http://onestart.iu.edu. If you go there, you can see the checkbox to the upper left that says "Login with SafeWord." SafeWord is our generic term for the tokens we use. You can also see there where someone can create a "guest" account. And, you can see where IU people can activate their own accounts.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
Sent: Friday, January 30, 2004 8:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] single sign-on strategies

The College of New Jersey is in the process of developing our single sign-on strategy as we prepare to integrate our first enterprise application - HRMS - into our portal. We are considering using a partial single sign-on strategy: a user logs into what I'm calling the "casual" portal, which gives them access to the news, their e-mail, navigation and (perhaps) self-service. If the user tries to access an administrative screen of an enterprise application such as HR or Finance, they are prompted to re-enter their password. The enterprise applications would each have their own time out, and username/password would be handled by LDAP.

The goal is to strike a balance between security and ease of use that is closer to the secure side of the continuum than a true SSO solution. Has anyone else done this or something similar? I would be interested in any thoughts/lessons learned.

Sincerely,
Craig Blaha

--
*Craig Blaha*
/Associate Director Information Policy, Security and Web Development/
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure. Do not use e-mail to send confidential information such as credit card numbers, changes of address, PIN numbers, passwords, or other important information. Your e-mail message is not private in that it is subject to review by the College, its officers, agents and employees.
--------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
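The two messages above describe the same pattern from two angles: a portal session carries a credential level (guest, password, password plus token), an application declares the level it needs and its own timeout, and the user is prompted to step up only when an application demands more than the session currently holds, after which the elevation is remembered ("sticky"). The following is an added illustration of that flow written for this archive page; it is not code from IU's CAS deployment or TCNJ's portal. The level names, the sample applications and their freshness windows are constructed for the example, and token/password verification is simulated by a flag rather than performed.

```python
"""Step-up ("sticky") authentication for a portal session.

Added illustration modelled on the behaviour described in the thread.
Not IU's CAS code; the credential levels, applications and timeouts
below are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class AuthLevel(IntEnum):
    GUEST = 0      # "shallow" credential: generic portal channels only
    PASSWORD = 1   # university id + password
    TOKEN = 2      # password plus one-time token as second factor


@dataclass(frozen=True)
class App:
    name: str
    required_level: AuthLevel
    max_age: float  # seconds a qualifying credential stays fresh for this app


@dataclass
class Session:
    user: str
    level: AuthLevel = AuthLevel.GUEST
    # When each level was last asserted. Per-application freshness is
    # checked against this, not against the portal login time, so each
    # application can keep its own timeout as Craig's message proposes.
    asserted_at: dict = field(default_factory=dict)

    def assert_level(self, level, now):
        """Record a (re)authentication at `level`. The session never drops
        a level here; a level only becomes stale for a given application."""
        self.level = max(self.level, level)
        self.asserted_at[level] = now


class StepUpRequired(Exception):
    """The application needs a stronger or fresher credential; the portal
    turns this into a prompt for that credential."""
    def __init__(self, needed):
        super().__init__(f"step-up to {needed.name} required")
        self.needed = needed


def authorize(session, app, now):
    """Return True if the session may open `app` now, else raise.

    Two checks: the session must hold at least the required level, and an
    assertion at that level or higher must be within app.max_age seconds.
    """
    if session.level < app.required_level:
        raise StepUpRequired(app.required_level)
    fresh = [t for lvl, t in session.asserted_at.items()
             if lvl >= app.required_level and now - t <= app.max_age]
    if not fresh:
        raise StepUpRequired(app.required_level)
    return True


def open_app(session, app, now, credentials_ok=True):
    """Portal-side flow: try the app; on StepUpRequired prompt for the
    stronger credential (verification simulated by credentials_ok), record
    it and retry. Returns (outcome, prompted) with outcome "ok"/"denied"."""
    try:
        authorize(session, app, now)
        return "ok", False
    except StepUpRequired as e:
        if not credentials_ok:
            return "denied", True
        session.assert_level(e.needed, now)   # the elevation is "sticky"
        authorize(session, app, now)
        return "ok", True


# Constructed sample applications (names and windows are assumptions).
NEWS = App("news channel", AuthLevel.GUEST, 8 * 3600)
EMAIL = App("e-mail", AuthLevel.PASSWORD, 8 * 3600)
HRMS = App("HRMS admin", AuthLevel.TOKEN, 15 * 60)
FINANCE = App("Finance admin", AuthLevel.TOKEN, 15 * 60)


def run_scenario():
    """Walk one user through the thread's scenario; returns the trace as
    (app, time, outcome, prompted) tuples."""
    trace = []
    s = Session("jdoe")
    s.assert_level(AuthLevel.PASSWORD, now=0)   # password-only portal login
    trace.append(("news", 0) + open_app(s, NEWS, 0))           # no prompt
    trace.append(("hrms", 60) + open_app(s, HRMS, 60))         # token prompt
    trace.append(("finance", 120) + open_app(s, FINANCE, 120)) # sticky: no prompt
    later = 60 + 16 * 60                                       # HRMS window expired
    trace.append(("hrms", later) + open_app(s, HRMS, later))   # prompted again
    trace.append(("email", later) + open_app(s, EMAIL, later)) # password still fresh
    return trace


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The freshness check is the part worth noting: keeping a timestamp per asserted level lets the administrative applications expire the token assertion on their own schedule while the portal session, e-mail and news channels stay usable, which is the "closer to the secure side" balance Craig describes without forcing a second prompt for every application at the same level.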
Current thread:
- single sign-on strategies Craig Blaha (Jan 30)
- <Possible follow-ups>
- Re: single sign-on strategies Herrera Reyna Omar (Jan 30)
- Re: single sign-on strategies Bruhn, Mark S. (Feb 23)