reducing signons and appropriate authentication mechanisms
Message from firstname.lastname@example.org
I'm working on institutional identity management efforts and a goal to reduce login combinations. I'm very interested in understanding best practices to follow in pursuit of reducing login combinations. Most of our internal applications and externally hosted web applications use application-specific authentication sources. Our team will soon be configuring select internal applications for LDAPS authentication.
Here's where things get interesting... at least one of our internal applications supports LDAP (not LDAPS). All of our web application vendors support LDAPS but not all of them support token-based authentication (like CAS or Shibboleth). I've found little information about when LDAPS authentication with hosted apps would be acceptable - or if it should be avoided at all costs. There is very high trust and confidence in our hosted web app vendors but I have some reservations about passing user credentials over HTTPS through a third party and then back to us via LDAPS.
Any pointers, thoughts, or suggestions on criteria for selecting appropriate authentication mechanisms would be greatly appreciated. Pithy one-liners would be great to hear too.
e.g., "Never do LDAP:389 authentication even internally and even with all the networking tricks you can think of." - or - "We use LDAPS for a few hosted web app vendors, CAS and CAS-Shib where we can, and LDAP and LDAPS for internal apps."
Enterprise Application Developer
Keene State College