Educause Security Discussion mailing list archives

Re: 3rd party want to authenticate our users

From: Morrow Long <morrow.long () YALE EDU>
Date: Fri, 7 Mar 2008 18:08:56 -0500

Oscar Knight wrote:

We have 3rd parties that have fully hosted remote applications.  The
applications are hosted on servers for which we have no administrative
access, control, or audit capabilities.
The 3rd parties wish to perform the initial authentication, ie the
part
that requires our unified username and raw password?  Note, the
"unified" username/password is the username and password our users use
to get to EVERYTHING, in some cases statutorily protected data.
Of course the 3rd party will use some method to connect to some
database
at our site to perform the authentication.  But the crux of the matter
is that the 3rd party has access to the raw password.


Disclaimer:  I work at Yale University and CAS was created at Yale, it
is now a project of the Java Architecture Special Interest Group (JA-
SIG) under the BSD license.

CAS (Central Authentication Service) may suit the needs in your case.

It is primarily used for web applications and Yale has adopted CAS as
the primary form of authentication for any web-based services that
Yale provides.

Many vendors have "CASified" their web applications for us as well as
for many of the other institutions running CAS.
CASifying web apps can usually be done fairly easily.  It is also
compliant and compatible with many standards.

The current home of CAS:                http://www.ja-sig.org/products/cas/

Text from the home page:

Welcome to the home of the JA-SIG Central Authentication Service. CAS
provides enterprise single sign on service:
CAS Downloads

    * An open and well-documented protocol
    * An open-source Java server component
    * A library of clients for Java, .Net, PHP, Perl, Apache,
uPortal, and others
    * Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay,
Moodle and others
    * Community documentation and implementation support
    * An extensive community of adopters
--
H. Morrow Long
University Information Security Officer
Director -  Information Security Office

Attachment: smime.p7s
Description:

Current thread:

3rd party want to authenticate our users Oscar Knight (Mar 03)
- <Possible follow-ups>
- Re: 3rd party want to authenticate our users Sealey, Adam L. (Mar 03)
- Re: 3rd party want to authenticate our users Wood, Anne M (wood) (Mar 03)
- Re: 3rd party want to authenticate our users Joel Rosenblatt (Mar 03)
- Re: 3rd party want to authenticate our users Greg Vickers (Mar 04)
- Re: 3rd party want to authenticate our users Basgen, Brian (Mar 07)
- Re: 3rd party want to authenticate our users Morrow Long (Mar 07)