Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Multiple campus SSO security requirements
From: Steven Carmody <Steven_Carmody () BROWN EDU>
Date: Tue, 4 Nov 2008 09:14:39 -0400

At 1:15 PM -0500 11/3/08, Stewart, Ian wrote:

We are considering multi-campus web-SSO system that allows an
end-user to authenticate using their home campus LDAP account or
another campus LDAP account they may hold   Has anyone implemented
such a system and how have you dealt with the trust issues between
campuses that this creates? For example, each campus may have their
upfront ID-issuing or vetting process reviewed by all the other
campuses and an agreement signed before they are allowed to
participate, as in a federation.  Any thoughts on this issue would
be welcome.

It sounds like you want to create a system wide federation. Several
public state higher ed systems have already done this (eg see
UCTRUST, the Texas system, the NC system, etc). Sometimes the
statewide federation also includes state and local government;
sometimes the plans also include bringing in K12 at some point.

You'd want your federation to set "common policy" for the members.
This might be a higher bar than is currently set by InCommon. It
might be useful, tho, to look at the recently promulgated InCommon
"Silver" standards, which match the federal e-authn Level 2 (and will
grant access to applications such as NIH grants mgmt, and
(eventually) Dept of Education FERPA).

As a starting point, each campus would likely have some people at
"bronze" level, and a smaller set at Silver (people who need to
access applications in ways that engender a higher level of risk).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]