Educause Security Discussion mailing list archives

Re: higher education "best practices" for authenticating to campus IT resources


From: Theresa Rowe <rowe () OAKLAND EDU>
Date: Wed, 7 Oct 2009 10:55:46 -0400

I hope we can have an updated discussion about this.  We've been having a
campus discussion just in recent weeks.

We accept our Banner systems as providing the level of assurance for proving
identification.  When a person (student, faculty, staff) is entered into
Banner, a person-ID number (GrizzlyID) is randomly generated, and a random
PIN is generated.  These credentials can be used to log into only Banner
Self-Service, which we are trying to "phase out" and keep only for portal
disaster recovery purposes.

The Banner G-ID and PIN, both randomly generated and private, are used to
establish NetID and password.  The NetID and password are recorded in our
LDAP environment, which is the source of single sign-on to many campus
resources: network, portal, and email / elearning systems like Moodle and
Elluminate, emergency notification system, our file storage system in
Xythos, library systems, etc.

We still have a couple of systems off-campus - TouchNet for credit card payment
and PeopleAdmin for human resource job functions, for example - where we
cannot tie the system into our LDAP directory, so different logins are
used.  We've found integration with vendors problematic, although we have a
very workable solution with SAML and our Google mail environment using our
LDAP directory.

We have file and print services that require domain access, which requires
a different ID and password, authenticated in Active Directory.  Our plan is
to integrate LDAP and AD, but the project is likely going to take us a
couple of years (and a domain consolidation).

Like to hear from others -

Theresa Rowe

On Tue, Oct 6, 2009 at 3:48 PM, Daniel Bennett <dbennett () pct edu> wrote:

Hello All,

Currently, we are trying to answer the following questions to sort of
benchmark higher education "best practices" for authenticating to campus IT
resources:

1.      Does your institution provide separate usernames and passwords for
critical and non-critical information systems (multiple authentication
systems)?

If no, to the above question:

2.      Does your authentication system also provide single sign-on to all
campus information systems?  For example, the Director of Financial
Operations logs into his/her workstation and once logged in he/she can
access all other campus applications without providing the username/password
again, through some sort of single sign-in infrastructure.

Thanks,

Daniel Bennett
IT Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport PA, 17701
570.329.4989

--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**
