Educause Security Discussion mailing list archives

Re: 3rd party want to authenticate our users


From: "Wood, Anne M (wood)" <wood () JUNIATA EDU>
Date: Mon, 3 Mar 2008 09:59:32 -0500

We too are currently looking at this due to the Dreamsparks and iTunes U initiatives.  Shibboleth is on our radar, but 
we have not dived in yet.

Is anyone else concerned about the security implications of providing this?  Can anyone offer any advice or perspective 
on Shibboleth and its security?

Anne Wood
Director of Campus Network and Security
Juniata College
Huntingdon, PA

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sealey, 
Adam L.
Sent: Monday, March 03, 2008 9:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] 3rd party want to authenticate our users

You might take a look at Shibboleth.  It's a federated identity solution
where you still own all the credentials (you still do the "Password
Stuff"), and the service provider just provides the service.  We haven't
yet gotten it fully operational on our campus, but I know there are other
Higher Education places that are leading the way (A&M, UT, Ohio
State...).

http://shibboleth.internet2.edu/

Adam

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Oscar Knight
Sent: Monday, March 03, 2008 8:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 3rd party want to authenticate our users

We have 3rd parties that have fully hosted remote applications.  The
applications are hosted on servers for which we have no administrative
access, control, or audit capabilities.

The 3rd parties wish to perform the initial authentication, i.e. the part
that requires our unified username and raw password?  Note, the
"unified" username/password is the username and password our users use
to get to EVERYTHING, in some cases statutorily protected data.
Of course the 3rd party will use some method to connect to some database
at our site to perform the authentication.  But the crux of the matter
is that the 3rd party has access to the raw password.

Comments.


Thanks,
odk
--
Oscar D. Knight                           knightod at appstate dot edu
ITS                                                Voice: 828-262-6946
Appalachian State University, Boone, NC 28608        FAX: 828-262-2236
