Educause Security Discussion mailing list archives

Re: Multiple campus SSO security requirements


From: Chris Green <cmgreen () UAB EDU>
Date: Mon, 3 Nov 2008 12:30:52 -0600

You should look at Shibboleth (http://shibboleth.internet2.edu/) and
http://www.incommonfederation.org/ from I2. One design consideration
is minimizing the number of trusted places a user/key pair needs to
be accepted so you can reduce exposure from a rogue application.

 

The big trust issue is making sure you trust the processes and standards
the other organization asserts.
http://www.incommonfederation.org/docs/policies/incommonpop_20080208.html
has good insight into those processes. It’s also designed so that you
need to trust on a peer-to-peer level that someone’s practices are good
enough to trust, since identity processes are much different from place
to place.

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stewart, Ian
Sent: Monday, November 03, 2008 12:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Multiple campus SSO security requirements

 

Hello,

We are considering a multi-campus web-SSO system that allows an end-user
to authenticate using their home campus LDAP account or another campus
LDAP account they may hold. Has anyone implemented such a system and
how have you dealt with the trust issues between campuses that this
creates? For example, each campus may have their upfront ID-issuing or
vetting process reviewed by all the other campuses and an agreement
signed before they are allowed to participate, as in a federation. Any
thoughts on this issue would be welcome.

Thanks,

 

:: Ian Stewart, Manager of Identity Management
:: University of Massachusetts
:: 508.856.2069 Phone
:: 508.864.0088 Mobile
:: 508.856.4844 Fax
:: istewart () umassp edu
333 South St., Suite 400 ◦ Shrewsbury, MA 01545 ◦ www.massachusetts.edu

