Hello, IdM colleagues,


The Committee on Institutional Cooperation, the "Big Ten" schools plus The University of Chicago, are undertaking a project in the Identity and Access Management space to look at best practices for user authentication to mobile device-based "Apps" - things like a mobile Learning Management System integration that uses an institutional net ID for login. We'd like your help in determining what you, our colleagues, are doing in this space. We're interested in what patterns and practices are beginning to emerge in this relatively new area. The survey includes about 30 questions, and depending on your answer to questions earlier on in the survey, you will be asked a different set of questions, so you could be asked fewer than the total number of questions.


We plan to aggregate the results and create a brief report on our findings, which we'll share on the public-facing CIC web site after the work is complete.


If you could take a moment to fill out the survey below, and/or share it with colleagues who you think are in the best position to answer questions about mobile device authentication technology and strategy for your institution, we would appreciate it.


The survey is available at:


Thank you,


Nick Roy and the CIC Identity Management Working Group


Nicholas Roy - Identity Architect

The University of Iowa | Information Technology Services | Directory and Authentication


Hi all

The IDM Constituent group is doing a survey re: authentication for mobile applications.  See below and participate.   


We’ve gotten a good number of responses to this survey, but I’d love to see more.  I’m planning to close the survey to further participation on Monday afternoon, 6/18, at about 4:00 Central time.






As promised, here is a rough interpretation of the results.  If anyone has better data interpretation skills than me and would like to spend some TLC time with the raw data, please let me know.


My rough take-aways:

About 2/3 of respondents have official apps; of those, about 2/3 have “both” web and native apps

About 1/3 have SaaS apps, both native and web (even split)

About 2/3 don’t think they have non-centrally developed mobile apps, or didn’t answer that question

About 2/3 answered the “do you have an official strategy for mobile app authN?” question, and it was an even split between yes and no

Of those who answered no to the strategy question, half had a mid-term  timeframe for figuring out such a strategy

About 60% who answered the strategy question did not have a planned effort to develop a strategy, 40% did have a planned effort

Of those, about 55% said the decision not to have a strategy was not deliberate

Most of the people who told us what level within the institution they were (about 15% of total respondents) were within central ID, in either a director, architect or IdM specialist role

About 10% of respondents, 100% of the people who answered the question, said there was a relationship between their mobile authN strategy and their web app authN strategy

About 2/3 of the respondents who answered the Carnegie classification question were in the RU/VH Carnegie classification, with about 12% in RU/H, 12% in Bac/A&S and the remainder in DRU or Master’s schools


Freetext answer summary:


Q3 What tools are you using to develop apps for mobile devices?

Interpretation: It appears most of the use cases are for integration with LMS

Aggregated responses:

Only vendor developed apps (, Blackboard mobile (formerly Terribly Clever), D2L, Banner Mobile

Some "integrate" vended apps (Blackboard mobile calls back to Blackboard for authN/Z?)

Blackboard mobile development

Apple SDK

Web apps using Kuali Mobility Enterprise Framework

Web apps using custom interfaces to Sakai

Appcelerator Titanium, ColdFusion for API to supply data to mobile apps

HTML5 for web apps


jQuery Mobile

Google Web Toolkit




Q17 Outline your solution

Interpretation: A mix of solutions, with web-only being narrowly the most common, others use direct LDAP for native apps, some use LMS-integrated login

Aggregated responses:



Blackboard Mobile Central and Mobile Learn - Mobile Learn authN via LMS login

Implemented CoSign web SSO on iOS and Android in a way that apps can leverage it for authN

LDAP against AD for local mobile apps, do not have a solution to allow cloud-based apps to centrally authenticate

RESTful API for mobile, SAML for federated



Q20 What platforms does your solution work with?

Interpretation: A mix of iOS and Android as well as web apps

Aggregated responses:

Web apps

Windows-based AD tokens (Since they said tokens I assume Kerberos?  How does that work?  Maybe they are actually using LDAP - this school says they have both web and native mobile apps)

iOS and Android

Many platforms (using LDAP for authN)

Web, native, desktop


Q23 What is the relationship between your mobile and web app authentication strategy?

Same SSO technology for web apps on mobile and non-mobile (CAS, CoSign, OpenSSO, not specified)

The school that created the custom CoSign client uses a custom client per platform (iOS/Android)


Q27 How are you minimizing security concerns for your mobile app environment?

Security infrastructure knows and has assessed all the SPs

The school that developed a native CoSign app uses that to reduce risk and web apps use central SSO


Q32 What are the risk mitigations for your solution?

Only one school answered this, and it was "I don't know them well enough"


Q33 What risks are you concerned about that are unique to mobile?


Responses (not aggregated):

- QA is virtually impossible, even with such a generic strategy as browser-based apps. We can't possibly test the breadth of devices on the market and the ones yet to appear. Also, this is very similar to the old browser standards discussions we have had for almost two decades. The list is obsolete the day you publish it and there are now more subordinate technologies than ever before. Once a service is rolled out, it is very difficult to make fundamental engineering changes. Whatever technique is embraced might be something that must be lived with for a very long time.