Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services


  • From: Eric Goodman <>
  • To:
  • Subject: Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services
  • Date: Fri, 14 Dec 2012 11:49:48 -0800

No problem.

By the way, I don't remember whether I commented on the last draft of PeopleSoft authN info. I just last week changed jobs (moving from UC Santa Cruz to UC Office of the President) so have been even more distracted than normal. Let me know if there's anything you're waiting on from me specifically. 

Also, my new email is , though I will continue to receive email at this address for the next two months.

--- Eric


On Fri, Dec 14, 2012 at 10:20 AM, Mark John Rank <> wrote:
Eric:

Thanks, this is helpful.

Regards,
Mark


------------------------------------------
Mark Rank
Middleware and Identity Management Group
University Information Technology Services
UW-Milwaukee
Email:
Phn:  414-229-3706
------------------------------------------

----- Original Message -----
From: "Eric Goodman" <>
To:
Sent: Friday, December 14, 2012 12:04:43 PM
Subject: Re: [Assurance] Seeking advice on how to handle direct AuthN from hosted services

While I was at UCSC, we put together a principle (perhaps "stole from UC
Berkeley" is more accurate!) that tries to address this.

  http://its.ucsc.edu/idm/iam-principles.html

It basically boils down to "you should use Shibboleth. If you don't you
should have a good reason. And either way, if you're asking for this
permission, there's someone who has the authority to approve the exception
request".

Note also that UCSC maintains two "central" passwords, which we refer to as
"Blue" and "Gold". Blue = less constrained use (i.e., LDAP-auth is
available for it, but it is not to be used for restricted/sensitive data),
Gold = more constrained use (firewall rules limit access to the server,
etc).

The actual process has morphed away from what is described here a bit, but
it still accurately portrays what we try to do.

--- Eric


On Fri, Dec 14, 2012 at 7:36 AM, Mark John Rank <> wrote:

>
> Assurance Folks:
>
> I am seeking a bit of advice. UWM has run into some delays with our
> Bronze/Silver efforts but we are still working in that direction. One area
> we have gotten to is implementing procedures to limit direct access to
> credential stores from external entities.
>
> Recently our IAM Group has been asked to provide authentication access for
> a “Fat Client” with a remotely hosted 2-tier application server via secured
> LDAP. We are putting together a quick impact document as part of the
> response. I would welcome feedback from the group, either on the analysis
> approach or if folks have solved this problem already. The document is
> available at ...
>
> https://pantherfile.uwm.edu/rankm/public/external_party_issue.pdf
>
> For reasons that can be chalked up to "that ship has sailed", other AuthN
> protocols are not an option at this time.
>
> Any feedback would be appreciated.
>
> Regards,
> Mark
>
> ------------------------------------------
> Mark Rank
> Middleware and Identity Management Group
> University Information Technology Services
> UW-Milwaukee
> Email:
> Phn:  414-229-3706
> ------------------------------------------
>
