Re: 3rd party want to authenticate our users

["Basgen, Brian" <bbasgen () PIMA EDU>]

 Transmitting clear-text passwords to a vendor should never be
necessary. A one way hash is all they should need, assuming your users
enter their passwords directly onto the vendor's system. Otherwise, you
should authenticate before forwarding to the vendor, or house the
service internally. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Oscar Knight
> Sent: Monday, March 03, 2008 7:23 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] 3rd party want to authenticate our users
>
> We have 3rd parties that have fully hosted remote 
> applications.  The applications are hosted on servers for 
> which we have no administrative access, control, or audit 
> capabilities.
>
> The 3rd parties wish to perform the initial authentication, 
> ie the part that requires our unified username and raw 
> password?  Note, the "unified" username/password is the 
> username and password our users use to get to EVERYTHING, in 
> some cases statutorily protected data.
> Of course the 3rd party will use some method to connect to 
> some database at our site to perform the authentication.  But 
> the crux of the matter is that the 3rd party has access to 
> the raw password.
>
> Comments.
>
>
> Thanks,
> odk
> -- 
> Oscar D. Knight                           knightod at appstate dot edu
> ITS                                                Voice: 828-262-6946
> Appalachian State University, Boone, NC 28608        FAX: 828-262-2236