Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services

  • From: Mark John Rank <>
  • To:
  • Subject: Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services
  • Date: Fri, 14 Dec 2012 12:20:16 -0600 (CST)

Eric:

Thanks, this is helpful.

Regards,
Mark


------------------------------------------
Mark Rank
Middleware and Identity Management Group
University Information Technology Services
UW-Milwaukee
Email:
Phn: 414-229-3706
------------------------------------------

----- Original Message -----
From: "Eric Goodman"
<>
To:

Sent: Friday, December 14, 2012 12:04:43 PM
Subject: Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services

While I was at UCSC, we put together a principle (perhaps "stole from UC
Berkeley" is more accurate!) that tries to address this.

http://its.ucsc.edu/idm/iam-principles.html

It basically boils down to "you should use Shibboleth. If you don't you
should have a good reason. And either way, if you're asking for this
permission, there's someone who has the authority to approve the exception
request".

Note also that UCSC maintains two "central" passwords, which we refer to as
"Blue" and "Gold". Blue = less constrained use (i.e., LDAP-auth is
available for it, but it is not to be used for restricted/sensitive data),
Gold = more constrained use (firewall rules limit access to the server,
etc.).

The actual process has morphed away from what is described here a bit, but
it still accurately portrays what we try to do.

--- Eric


On Fri, Dec 14, 2012 at 7:36 AM, Mark John Rank <> wrote:

>
> Assurance Folks:
>
> I am seeking a bit of advice. UWM has run into some delays with our
> Bronze/Silver efforts but we are still working in that direction. One area
> we have gotten to is implementing procedures to limit direct access to
> credential stores from external entities.
>
> Recently our IAM Group has been asked to provide authentication access for
> a "Fat Client" with a remotely hosted 2-tier application server via secured
> LDAP. We are putting together a quick impact document as part of the
> response. I would welcome feedback from the group, either on the analysis
> approach or if folks have solved this problem already. The document is
> available at ...
>
> https://pantherfile.uwm.edu/rankm/public/external_party_issue.pdf
>
> For reasons that can be chalked up to "that ship has sailed", other AuthN
> protocols are not an option at this time.
>
> Any feedback would be appreciated.
>
> Regards,
> Mark
>
> ------------------------------------------
> Mark Rank
> Middleware and Identity Management Group
> University Information Technology Services
> UW-Milwaukee
> Email:
>
> Phn: 414-229-3706
> ------------------------------------------
>
