Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services
- From: Eric Goodman <>
- To:
- Subject: Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services
- Date: Fri, 14 Dec 2012 10:04:43 -0800
While I was at UCSC, we put together a principle (perhaps "stole from UC Berkeley" is more accurate!) that tries to address this.
http://its.ucsc.edu/idm/iam-principles.html
It basically boils down to "you should use Shibboleth. If you don't you should have a good reason. And either way, if you're asking for this permission, there's someone who has the authority to approve the exception request".
Note also that UCSC maintains two "central" passwords, which we refer to as "Blue" and "Gold". Blue = less constrained use (i.e., LDAP-auth is available for it, but it is not to be used for restricted/sensitive data); Gold = more constrained use (firewall rules limit access to the server, etc.).
The actual process has morphed away from what is described here a bit, but it still accurately portrays what we try to do.
--- Eric
On Fri, Dec 14, 2012 at 7:36 AM, Mark John Rank <> wrote:
Assurance Folks:
I am seeking a bit of advice. UWM has run into some delays with our Bronze/Silver
efforts but we are still working in that direction. One area we have gotten to is
implementing procedures to limit direct access to credential stores from
external entities.
Recently our IAM Group has been asked to provide authentication access for a
“Fat Client” with a remotely hosted 2-tier application server via secured
LDAP. We are putting together a quick impact document as part of the response.
I would welcome feedback from the group, either on the analysis approach or if
folks have solved this problem already. The document is available at ...
https://pantherfile.uwm.edu/rankm/public/external_party_issue.pdf
For reasons that can be chalked up to "that ship has sailed", other AuthN
protocols are not an option at this time.
Any feedback would be appreciated.
Regards,
Mark
------------------------------------------
Mark Rank
Middleware and Identity Management Group
University Information Technology Services
UW-Milwaukee
Email:
Phn: 414-229-3706
------------------------------------------
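The pattern the two messages circle around, a credential store that accepts direct LDAP binds only over TLS and only from an approved set of hosts, can be expressed in the directory server's own access control. The fragment below is an added illustration in OpenLDAP slapd.conf syntax; it is not UWM's or UCSC's configuration and does not come from the linked documents. The suffix dc=example,dc=edu, the service bind DN cn=hosted-app, the hosted application server address 203.0.113.10 and the campus SSO host range 192.0.2.0/24 are all assumed placeholder values.

```conf
# slapd.conf fragment (OpenLDAP) -- illustrative, not the configuration of any site named in this thread.
# Assumed: user entries under ou=People,dc=example,dc=edu; hosted 2-tier application server at
# 203.0.113.10; campus SSO/IdP hosts in 192.0.2.0/24 (placeholder addresses).

# Refuse any operation on a connection that is not protected by TLS of at least 128-bit strength,
# so "secured LDAP" is enforced by the server rather than left to each client.
security ssf=128

# userPassword may be used for binding (auth) but never read back. Simple binds that carry a user's
# password are accepted only from the approved hosted application host and the campus SSO hosts;
# every other network peer is refused even the auth right, which is the server-side equivalent of
# the "firewall rules limit access" constraint described above.
access to attrs=userPassword
    by peername.ip=203.0.113.10 auth
    by peername.ip=192.0.2.0%255.255.255.0 auth
    by self =xw
    by * none

# The hosted service's own account (used to locate the user's DN before the bind) can only search
# and read the handful of attributes the application actually needs; authenticated users may read
# the same set. Nothing else in the People subtree is exposed to the external party.
access to dn.subtree="ou=People,dc=example,dc=edu" attrs=entry,uid,mail,displayName
    by dn.exact="cn=hosted-app,ou=Services,dc=example,dc=edu" read
    by users read
    by * none

# Default deny for everything not matched above.
access to *
    by * none
```

Two caveats a reviewer of such a setup would raise: a peername.ip rule only identifies the host, so the hosted application still sees the user's cleartext password on every bind, and the rule must be kept in step with the external provider's addresses (and the matching network firewall) or the application silently loses the ability to authenticate anyone. Both points are reasons the exception-request process described above asks for a named approver rather than treating the ACL as the whole answer.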