April 24, 2013 | Valerie M. Vogel
Thank you to everyone who participated in the recent ECAR poll on IT Risk Management. The results are now available to review in this 2-page PDF: http://net.educause.edu/ir/library/pdf/ECARpollAPR2013.pdf

Best,
Valerie

Valerie Vogel
Program Manager
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu

From: Valerie Vogel
Date: Friday, April 5, 2013 11:14 AM
To: EDUCAUSE Listserv
Cc: "idm@listserv.educause.edu"
Subject: EDUCAUSE IT Risk Management Poll

Greetings, ECAR, the EDUCAUSE Center for Applied Research, is designing new research on IT risk management adoption. Please share your experience in this six-question poll (created using SurveyMonkey):...
April 17, 2013 | Kevin Foote
On Wed, 17 Apr 2013, Chang, Marty wrote:
> Thank you very much for this input, Kevin! We're new to both Shib and CAS,
> but I think we can take this direction and go from here. Is the CAS+Shib
> setup one that you use at IUP?

(back on list for reference later)

Yes, our web SSO is based on the Shib products/project stack. I've created the cas 'bridge' server to provide seamless web-sso to just those apps that have cas clients 'baked in'. I think we all know who those apps belong to.. :)

It's arguable whether or not bridging is the correct thing to do here, but as long as everyone (IT wise) knows what you are doing, the benefits seem to outweigh things at the moment.. at least locally.

------
thanks
kevin.foote
April 12, 2013 | CJ Mizner

Is there anybody out there using ADFS that has successfully federated with InCommon and EDUCAUSE, and would be willing to share their claims rules? As well as the additional claims descriptions they added to support the eduPerson attributes? I have successfully set up both Relying Party Trusts but I've been unable to get a complete set of claims rules for all the key attributes.

Thank you for any assistance you can provide.

CJ Mizner
Information Management & Technology
University of Northern Colorado
Campus Box 19
Snyder Hall, Rm 092
Greeley, CO 80639
Office: 970-351-1782
...
April 12, 2013 | Thomas J. Barton
Dear Colleagues,

This item will be of interest to those planning to attend or still considering attending the first Apereo Foundation conference, and to those who simply wish to follow Apereo's early steps.

Tom
--
Tom Barton
Senior Director for Architecture, Integration, and Security
Chief Information Security Officer
Information Technology Services
University of Chicago
+1 773 834 1700 (office)


Inaugural Apereo (Jasig/Sakai) Foundation Conference

Opening Minds to Open Solutions
June 2-7, 2013 San Diego Westin - San Diego, CA
http://conference.apereo.org #apereo13

...

April 8, 2013 | Dean Woodbeck
InCommon has two Shibboleth training sessions coming up. These sessions are open to anyone wanting help installing and configuring the Shibboleth single sign-on and federating software. Sessions are scheduled for:

 * May 14-15, 2013, at Citrus College in Glendora, California
 * June 17-18, 2013, at the MCNC offices in Durham, North Carolina

Details and registration information are at www.incommon.org/shibtraining/

-----
Dean Woodbeck
Program Manager, InCommon
Internet2
woodbeck@internet2.edu
734-352-7007
www.incommon.org
March 27, 2013 | Thomas J. Barton

Inaugural Apereo (Jasig/Sakai) Foundation Conference
Opening Minds to Open Solutions
June 2-7, 2013 San Diego Westin - San Diego, CA
http://conference.apereo.org #apereo13

Registration is now open for the inaugural Open Apereo 2013 conference! Early bird pricing (available until May 3rd) will be: $595 for Apereo Foundation Members or $725 for Non-Members. The fee includes breakfast (Monday-Thursday), lunch (Monday-Wednesday), two receptions, and 3 1/2 days of conference presentations. Hands-on pre-conference workshops may require an additional fee. This is a great opportunity to come and learn about our new organization.

...
March 25, 2013 | Brendan Bellina
It is my understanding, though, that the standard attributes (cn and the like) cannot be marked confidential and so are visible to all authenticated users. You could try to use only custom attributes, but then most AD-centric products would fail to work because they expect the standard attributes. Managing the AD itself would also become problematic because Microsoft's tools expect you to use the standard attributes. It appears to me that AD remains incapable of properly supporting FERPA requirements and confidentiality requests. I'd love to be proven wrong about this because we do have to support AD for Office365 and several AD-centric products, and I am hesitant to support putting more of our enterprise identity data into AD because of this.

Regards,
Brendan Bellina
USC
March 21, 2013 | Jeff McCullough
Hi Jeremy,

Like you, we encourage CAS for on-campus and Shib for off-campus use. If an app can't use either, then the app owner can request an exception. Here is the process.

Cheers,
Jeff
IST - Calnet Identity and Access Management
UC Berkeley
March 19, 2013 | David Langenberg
Hi All,

The University of Chicago is undertaking a project to replace our present LDAP infrastructure (Oracle Directory Server Enterprise Edition v 11) with something not Oracle. The three leading candidates we have selected are:

 * OpenDJ by ForgeRock
 * OpenLDAP
 * Port 389 / RedHat DS

Would anybody who happens to already be running one of the above systems mind chiming in about their experiences (good and bad)? Also, please let me know: if you could go back in time, would you select the product you're presently running?

Thanks
Dave

--
David Langenberg
Identity & Access Management
The University of Chicago
March 13, 2013 | Dean Woodbeck
Today's IAM Online will feature three campus case studies of Grouper, the community-developed access management software. Presenters include the University of Wisconsin-Madison, the University of Montreal, and Carnegie Mellon University. 

3 pm ET today. For details: www.incommon.org/iamonline

-----
Dean Woodbeck
Program Manager, InCommon
Internet2
woodbeck@internet2.edu
734-352-7007
www.incommon.org
March 12, 2013 | CJ Mizner

Hello,

Does anybody have any successful documentation on configuring ADFS 2.0 for federated login with EDUCAUSE? We have imported the Relying Party Trusts from InCommon (and configured federation), and I found the reference below to the attributes, but I have yet to find any documentation for those of us just starting out.

https://www.educause.edu/idp_setup/info

Thank you for any additional information you can provide.

CJ Mizner
Information Management & Technology
University of Northern Colorado
Campus Box 19
Snyder Hall, Rm 092
Greeley, CO 80639...

March 11, 2013 | Bryan Wooten
I will throw in my 2 cents. My first foray into CAS was integrating it with OpenAM (or whatever SUN called it back then). I modified CAS to accept OpenAM tokens (used the x509 handler as a template). We also had applications that accepted PeopleSoft tokens and CAS tokens. I hated it from an application developer perspective. I believe it is wrong-headed to have applications serve 2 masters. Single logout is difficult enough; this makes it impossible.

We now have our SSO all tied to CAS authentication. PeopleSoft uses CAS, custom in-house WEB applications use CAS, 3rd party apps use CAS, and our Shibboleth IDP defers authentication to CAS. My belief and recollection is that OpenAM can be configured to use CAS for authentication.

-Bryan

On 3/11/13 4:17 PM, "William G. Thompson, Jr." wrote:
>
March 11, 2013 | David A. Bantz
UA is implementing Banner Enterprise Identity Services (BEIS), one feature of which is support for real-time provisioning via the BEIS "Identity Proxy" and SPML LDAP Adaptor, or via a separate PSP. This note solicits the experience of other institutions who have deployed BEIS and use the real-time provisioning capability to provision identities in AD or a generic LDAP directory.

 * Do you use the SPML LDAP Adaptor, or a separate PSP to provision identities into your directory or directories?
 * If you evaluated alternative PSPs, what were the deciding factors for you?
 * What has your experience been in deploying and operating the provisioning service?
 * Do you have any other advice or recommendations for our deployment?

David Bantz
U Alaska IAM
March 11, 2013 | Listserv Anonymous User
Message from stefan.wahe@doit.wisc.edu

This effort is specific to a distributed environment across the UW-System for about 3,000 users for our business/financial applications.  We are still making them available for digital signing and encryption.  We also may still use them for research efforts local to UW-Madison.  The reasons for the change for these application/populations include:

(1) The need for an agnostic solution that is not driver dependent on OS, browser or device type.
(2) Ability to provide contingency access for staff who have lost or malfunctioning hardware token. 
(3) Steps to authentication (this is because of the federated environment we are authenticating between).

I do know that many campuses have successfully deployed an x509 solution for authentication.

Thanks - Stefan


...
March 11, 2013 | Mark B. Jones

 * Yes, a confirmation is immediately sent to a user's official e-mail address when their password is changed. The mail states when it was changed and who changed it (which could have been someone from the helpdesk).
 * No, we don't send mail about failed changes, only the feedback on the password change form.
 * We begin notifying users that their password will expire about a month before. The notifications start weekly and increase to daily the week before the password expires.
 * I'm not sure what you mean by role based notifications. Only the user is notified.

...
March 11, 2013 | Mark Clements
I'm wondering if anyone would be willing to share their non-disclosure agreements.

I will be working with my security group to author one soon, and am looking for useful things to include, and if you ran into any 'gotchas' from legal.

Also, anything you wish you had included, but didn't?

Thanks in advance!

-- MC
-------------
Mark Clements
Director of Administrative Computing and Networking
University of Wisconsin Oshkosh
March 7, 2013 | Valerie M. Vogel
IAM Online - Wednesday, March 13, 2013
3 pm ET / 2 pm CT / 1 pm MT / Noon PT
www.incommon.org/iamonline

Three Campus Case Studies of Managing Access with Grouper

Is your campus looking for more efficient ways to manage access to course materials, administrative data, and even HR data? Wondering how to set up roles and permissions for administrators, staff and students allowing them to access the resources they need? Tune into the March 13 IAM Online to hear case studies from three campuses highlighting how Grouper, the open source access management software from Internet2, is being used to address group and access management challenges.

Host and Moderator: Tom Barton, University of Chicago

Speakers:
Paul Donahue, University of Wisconsin-Madison
Sebastien Gagne, University of Montreal
Rahul Doshi and Michael Gettes, Carnegie Mellon University

**************
Connecting

We use Adobe...
March 6, 2013 | Listserv Anonymous User
Message from mike_shore@bcit.ca

Hi all,

Our account and email provisioning processes are based on an employee's start date. However, once in a while we get a request from HR to create a mailbox for a "higher up" (manager or VP) who is starting at some point in the near future. The reasons given include wanting to set up their calendar schedule, start communicating with the new hire, and get them up to speed so they hit the ground running on their first official day of work.

I understand this desire, but from a security and liability standpoint we're not comfortable with creating an "unused" account and mailbox. Even if it is a VP, he is not an employee until date X, so why should he have access to our resources before date X?

Do you have policies or procedures in place to provision employees before their actual start date? Technically,...
March 6, 2013 | Paul Hodgdon

I was wondering if anyone is using any software/appliance to mitigate or detect brute force attacks. Do you do anything with blocking an IP on N number of failed attempts within a timeframe or anything similar? Is there anything specific to something like OpenLDAP or AD?

-Paul

March 4, 2013 | Listserv Anonymous User
Message from leifj@sunet.se

On 03/05/2013 01:32 AM, Cantor, Scott wrote:
February 8, 2012 | Peter Bosanko
Currently, we populate Active Directory and our enterprise directory with nightly feeds from PeopleSoft, where for the most part, PeopleSoft is the data of record. We are about to introduce Workday into the mix, and I expect other cloud products aren't far behind. As such, I'm compelled to reconsider how we organize identities. One challenge for us is to decide where the data of record is for personal information: Workday, PeopleSoft, both, or a dedicated identity management system. I'm wondering what other schools are doing on this front. Have any of you implemented/deployed identity management systems that act as the data of record for person records, instead of being fed by, for instance, PeopleSoft? I'm trying to get the sense of what if any pitfalls there are to this strategy.

Thanks for your help.

- Pete

Pete Bosanko
Manager - Identity Management
736 Rhodes Hall
Cornell University
Ithaca, NY
607-254-8683
January 13, 2012 | Listserv Anonymous User
Message from pmorley@mcdaniel.edu


Good Morning,

We are looking for a solution for Single Sign-On that can be implemented fairly quickly and that supports either CAS or SAML.

We have an outside vendor who is trying to integrate with us.

Has anyone worked with SSO Easy, a 3rd party company that provides a Windows based SSO provider, but is specific to the integration from the perspective of licensing?

Thanks.

Phillip Morley
Jr. Systems Administrator | Information Technology

McDaniel College
2 College Hill
Westminster, MD 21157
Office: (410) 857-2540
E-mail: pmorley@mcdaniel.edu
December 13, 2011 | David Alexander
Hi,

I wanted to know how other schools are making course enrollment data available to applications. What policy/procedure do you have in place for requesting access to course enrollment data? I'd appreciate any links you could share to your school's policy/procedures. How do you make course enrollment data available to applications? Do you use Active Directory to publish course enrollment data? It would be especially helpful to hear from other PeopleSoft schools.

Thanks,
Dave
---
February 28, 2014 | Valerie M. Vogel
Greetings,

Since it is the final day of Data Privacy Month (January 28-February 28), I would like to provide a brief update on our latest resources.

1) We have collected 70 examples of campus events, activities, and outreach efforts on our Data Privacy Month page. It's not too late to include your institution's link! (For comparison, we only found 14 links in 2013.) http://www.educause.edu/dpm

2) We have posted three new guest blogs, for a total of seven.
 * Lisa Ho, Matt Wolf, & Erika Donald (2/28/14): http://www.educause.edu/blogs/vvogel/boyfriend-dilemma-are-you-giving-to...
 * Rich Murphy (2/24/14):...
January 24, 2013 | Listserv Anonymous User
Message from mike_shore@bcit.ca

At BCIT we have an account management system that was built up over the years with little oversight. Most decisions about provisioning and de-provisioning accounts, group memberships and access were made by ITS staff as there was no overall governance plan. Now that more systems are relying on our AD system, we are finding that we need some longer term vision for account and identity management. It would seem that having a governance plan in place *before* any work is done would have made the most sense :) As it is today, we need to start an IDM governance plan. Does your institute have well defined governance for identities, accounts and access? If so, are you willing to share your documentation, or at least the underlying principles?
November 26, 2012 | Stan K. Putnam

We have been investigating Gartner Magic Quadrant vendors with the goal of implementing a commercial IdM/IAM solution that will replace our current home-grown system. Most of the products that we have investigated can meet most of our needs, at least on some level. Right now we are focusing on the Oracle IdM solution and wanted to solicit input from this group. Have you had good/bad experiences with this solution? Timelines to implement? Ongoing staffing requirements? Hardware requirements?

Our goal is to formulate the best TCO estimates possible. One of the biggest factors driving TCO will be the ability of internal staff to create new connectors and perform maintenance as needed rather than retaining professional services.

Stan Putnam
System Architect
...
October 4, 2012 | Listserv Anonymous User
Message from kylesmith@kyleasmith.info

Good afternoon,

There have been some talks at my institution that involve placing an Active Directory Domain Controller and/or OpenLDAP server "in the cloud" to allow for higher availability and redundancy for our primary authentication. I'd like to know the following:

1. Do you currently have an authentication server "in the cloud"? 
1a. What requirements did you have prior to placing the server in the cloud? (full access to virtual/physical machine)
1b. How is your server hosted? (ie Amazon EC2, Microsoft Azure, etc)
2. What security measures do you take to prevent a breach? 
3. What is your business' realm? (private corporation, public sector, higher education)
4. Any other tips/tricks/advice on this topic. 

Thanks!

Kyle Smith
Higher...
September 28, 2012 | Valerie M. Vogel
We hope you'll join the next IAM Online to hear more from David Sherry (Brown) and Miguel Soldi (UT System) about implementing an effective IAM program at your institution.

**************
IAM Online - Wednesday, October 10, 2012
3 pm ET / 2 pm CT / 1 pm MT / Noon PT
www.incommon.org/iamonline
**************

Implementing an Effective Identity and Access Management Program

What does it take to implement an effective identity and access management (IAM) program? The EDUCAUSE IAM Working Group has been developing the IAM Program Outline to answer that question. This IAM Online presentation will provide a high-level description of the IAM Program Outline, including some of the guidance offered for those starting an IAM Program, the policy framework institutions may need to consider, and governance issues. The speakers will also discuss the assumptions the working group has made along the...
June 8, 2012 | Valerie M. Vogel
IAM Online - Wednesday, June 13, 2012
3 p.m. ET / 2 p.m. CT / 1 p.m. MT / Noon PT

**************
Multifactor Authentication Approaches and Multifactor for InCommon Silver

Multifactor authentication (also referred to as two-factor authentication) adds another level of complexity and security to a password-only arrangement. Interest in multifactor continues to grow, as some federal agencies move in that direction. InCommon has added service offerings in this area, as well, and some schools now plan to use a second factor as a way to meet the requirements of the InCommon Silver Assurance Profile.

Join our speakers to learn the basics about multifactor authentication, the pros and cons of different approaches to multifactor, and how one campus plans to use this...
June 7, 2012 | Nicholas Roy

Hello, IdM colleagues,

The Committee on Institutional Cooperation, the "Big Ten" schools plus The University of Chicago, are undertaking a project in the Identity and Access Management space to look at best practices for user authentication to mobile device-based "Apps" - things like a mobile Learning Management System integration that uses an institutional net ID for login. We'd like your help in determining what you, our colleagues, are doing in this space. We're interested in what patterns and practices are beginning to emerge in this relatively new area. The survey includes about 30 questions, and depending on your answers to earlier questions in the survey, you will be asked a different set of questions, so you could be asked fewer than the total number of questions.

...
March 5, 2012 | Listserv Anonymous User
Message from hrf@andrew.cmu.edu

We are looking at our password management processes and software.  
Any help or info appreciated with the following questions:

Is there any standard set of APIs used with password management?

Has your school developed its own password management software or are you using a product?  If you are using a product, what is it and what are its strengths and weaknesses?

What audit compliance issues may exist for locally developed password management solutions? 


Thanks,
Helen Feder
Principal Systems Software Engineer 
Identity Services
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213-3890
412-268-9846
...
December 7, 2011 | Listserv Anonymous User
Message from andrew.buker@gmail.com

Do any of you have experience with consultants for Sun Identity Manager 8.1?  We need to bring in some outside assistance to meet several project deadlines.  Currently know of AegisUSA but want to take a look at others if you have had any positive experiences with them.

Thank you,

--
Andrew Buker
Associate Director, Technical Services
University of Nebraska at Omaha

November 14, 2011 | Michael R. Gettes
Kind beings, Once again I come to you seeking knowledge. I am hoping some of you have a solution for the following problem. We have windows clusters/labs (many windows machines for student/other use) and we would like to provide a mechanism for people to access a web site without being allocated an account. We would like them to login to an account, call it SPECIAL, without a password and be presented with a locked-down web session limiting them to a couple of hosts to access and no other web sites or applications can be accessed. When they exit the browser, the account logs out. I am told this is really hard, if not impossible, to do securely. I know there are products to do this, but I am seeking a solution involving little or no money. If you bought something and deem it really really cheap, I'm interested. If you developed a solution and are willing to create some community around your solution - I'm even MORE interested. Similar solutions for Mac OSX and the usual...
January 31, 2014 | Jason Youngquist

We are looking at replacing our homegrown IDM solution with a commercial product. For those of you using Colleague by Ellucian, which IDM solution are you currently using, and would you recommend it?

Please feel free to reply off-list.

Thanks.

----

Remember: Columbia College Technology Services will NEVER ask for your password.

Jason Youngquist, CISSP, CISA, GWAPT, GCWN
Information Security Engineer
Columbia College – Technology Services
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
...

December 4, 2013 | Dean Woodbeck
Trust and Identity: Beyond the Federation
Friday, December 13, 2013
3 pm ET | 2 pm CT | 1 pm MT | Noon PT
www.incommon.org/iamonline

Think InCommon is a federation? Think again. Come join us to learn more about InCommon's expanding role in Trust and Identity for higher education. After conducting a comprehensive review of the identity and access control landscape, Internet2 and InCommon are looking to ensure that all of the various components -- tools, software, practices, infrastructure and standards -- are consistent, community-focused, and well coordinated. The InCommon Steering Committee will take a leading and expanded role in Trust and Identity, directing and advising the following areas: services, infrastructure, software, and integration. Join the December IAM Online (December 13, 2013) for a wide-ranging discussion of Trust and Identity and its impact on the research and...