February 28, 2014 | Valerie M. Vogel
Greetings,

Since it is the final day of Data Privacy Month (January 28-February 28), I would like to provide a brief update on our latest resources.

1) We have collected 70 examples of campus events, activities, and outreach efforts on our Data Privacy Month page. It's not too late to include your institution's link! (For comparison, we only found 14 links in 2013.) http://www.educause.edu/dpm

2) We have posted three new guest blogs, for a total of seven.
* Lisa Ho, Matt Wolf, & Erika Donald (2/28/14): http://www.educause.edu/blogs/vvogel/boyfriend-dilemma-are-you-giving-to...
* Rich Murphy (2/24/14):...
February 25, 2014 | Dean Woodbeck
InCommon Shibboleth Installation Workshop
March 24-25, 2014
MCNC
Durham, North Carolina
www.incommon.org/shibtraining

Need training on Shibboleth installation? Consider attending the latest InCommon Shibboleth Installation Workshop in Durham, North Carolina, sponsored by InCommon, Internet2, and MCNC. These workshops tend to fill up quickly, so register today.

We’ll spend one day (March 24) installing the identity provider software, and the second day (March 25) installing the service provider software. These directed self-paced workshops allow attendees to move through the material at their own speed, while having experienced trainers provide overviews and one-on-one help with the process. 

Attendance is limited to 40 registrants each day. Registration closes March 10, 2014.

...
February 13, 2014 | Bry-Ann Yates

Hello,


Here at the University at Albany, we are in the process of reviewing the access our volunteers are granted. We were wondering how other schools handle this issue? Here are some questions.

1. What are your university’s current policies/practices for dealing with volunteers?
2. What access/services have they been granted?
3. Are there different subsets of volunteers defined? If so, what is the breakout?
4. Do the policies/practices differ for different subsets?
5. Please add anything else that you think is relevant.

Thank you in advance!

...

January 31, 2014 | Jason Youngquist

We are looking at replacing our homegrown IDM solution with a commercial product. For those of you using Colleague by Ellucian, which IDM solution are you currently using, and would you recommend it?

Please feel free to reply off-list.

Thanks.

----

Remember: Columbia College Technology Services will NEVER ask for your password.

Jason Youngquist, CISSP, CISA, GWAPT, GCWN
Information Security Engineer
Columbia College – Technology Services
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334

...

January 28, 2014 | Valerie M. Vogel
Happy Data Privacy Day! And welcome to the start of Data Privacy Month (January 28-February 28, 2014). Our Data Privacy Month planning team has lined up several guest bloggers to share their thoughts on privacy and data privacy over the next few weeks. We encourage you to share these blog posts on campus and beyond. We expect to post a new blog each Monday through the end of February. You can find out when new blogs are available by following us on Twitter: https://twitter.com/HEISCouncil. Also, please let us know if your campus is planning activities or events and we'll be sure to include a link to your institution on our Data Privacy Month page: www.educause.edu/dpm Today's blog post by Cheryl Washington (UC, Davis & DPM planning chair):...
January 23, 2014 | Dedra Chamberlin
Come work at UC Berkeley!

We are looking for a senior level web developer to help build out our next generation identity management system. New development work will be in our group management, credential management and person registry front-end applications. We have already completed a lot of work on our new access management system, and are looking for someone to help migrate that to maintenance mode.

Check out the job posting at the link below, and if you are interested, apply today!

http://jobs.berkeley.edu
Job #17274

Feel free to contact me offline if you have any questions.

- Dedra
------------------------------
Dedra Chamberlin
Senior Manager, CalNet - Identity and Access Management
January 21, 2014 | Valerie M. Vogel
Good afternoon,

Please consider completing this brief survey on institutional information privacy practices. Results will be shared with the community in February as part of Data Privacy Month. http://www.surveygizmo.com/s3/1503718/Privacy2014

Thank you,
Valerie

Valerie Vogel
Program Manager
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | educause.edu
January 21, 2014 | Dean Woodbeck

InCommon Shibboleth Installation Workshop
March 24-25, 2014
MCNC
Durham, North Carolina
www.incommon.org/shibtraining

Need training on Shibboleth installation? Consider attending the latest InCommon Shibboleth Installation Workshop in Durham, North Carolina, sponsored by InCommon, Internet2, and MCNC. These workshops tend to fill up quickly, so register today.


Special note to North Carolina institutions: Participants from any NC educational institutions and/or any NC-based NCREN/MCNC customers are eligible for a registration fee discount. To take advantage of this, you need to obtain a registration code from Steve Thorpe at MCNC (thorpe@mailbox.mcnc.org). The discount is available...

December 18, 2013 | Gary Chapman
Hi.  NYU is doing a bit of investigation that will likely lead to piloting use of
2-factor authentication for selected services and/or users in the coming year.  It 
would be helpful for us to get some quick, current snapshots of where other institutions 
are with respect to implementing 2-factor.  So if you feel inclined, could you answer 
these questions (and add any other comments you wish)?   If there's anything to 
summarize back to the list, I'll certainly do so.

Thanks - Gary Chapman, NYU / Identity Services

1. Name of institution

2. Are you using 2-factor authentication at your institution?

3. If not, do you have plans to do so in future?

4. If you are using 2-factor...

    a) how broadly?...
December 12, 2013 | Rhys Smith
Hi all,

Just a quick question for y’all...

At Cardiff University, our authoritative source of identity information is LDAP. We currently use Grouper, syncing with the LDAP source, to manage groups. We’re looking to replace this, as we’re running a fairly old version of Grouper, we only use a relatively small amount of the features of Grouper, and we’d rather things happen directly in the directory rather than via a database.

Our requirements are pretty simple: we’re after a solution that manages groups directly in LDAP, has a web-UI, and has web service endpoints for the main provisioning operations (adding/removing users to/from groups, adding/removing groups, etc).

So, we were wondering what people are using to manage groups: off the shelf solutions, in house built, etc?

You can either reply to the list or directly to me, and I’ll post a summary of responses for those...
December 4, 2013 | Dean Woodbeck
Trust and Identity: Beyond the Federation
Friday, December 13, 2013
3 pm ET | 2 pm CT | 1 pm MT | Noon PT
www.incommon.org/iamonline

Think InCommon is a federation? Think again. Come join us to learn more about InCommon's expanding role in Trust and Identity for higher education. After conducting a comprehensive review of the identity and access control landscape, Internet2 and InCommon are looking to ensure that all of the various components -- tools, software, practices, infrastructure and standards -- are consistent, community-focused, and well coordinated. The InCommon Steering Committee will take a leading and expanded role in Trust and Identity, directing and advising the following areas: services, infrastructure, software, and integration.

Join the December IAM Online (December 13, 2013) for a wide-ranging discussion of Trust and Identity and its impact on the research and...
November 1, 2013 | Nicholas Roy
Hello,

The Identity Services department at Penn State is looking for a highly skilled Java developer to join our team. This position will serve as a technical lead on software development projects including the Penn State Central Person Registry. The position will be filled as a level 3 or 4 (out of 5 levels) depending upon the qualifications and skills of the successful candidate.

The job posting for this position is on our jobs site: https://app2.ohr.psu.edu/Jobs/External/EVMS2_External/currentap1.cfm#40968

Please consider telling any skilled Java developers you know and think would be a good fit about this position.

Thank you,
Nick

Nicholas Roy - Penn State - Information Technology Services
nicholas-roy@psu.edu
tel +1 814 867...
October 25, 2013 | Renee Shuey (Duplicate)
Hello,

The Identity Services department at Penn State is looking for a highly skilled Java developer to join our team. This position will serve as a technical lead on software development projects including the Penn State Central Person Registry. The position will be filled as a level 3 or 4 (out of 5 levels) depending upon the qualifications and skills of the successful candidate.

The job posting for this position is on our jobs site: https://app2.ohr.psu.edu/Jobs/External/EVMS2_External/currentap1.cfm#40968

Please consider telling any skilled Java developers you know and think would be a good fit about this position.

Thank you,
Renee Shuey
Director, ITS Identity Services
The Pennsylvania State University
October 15, 2013 | Steven T. Carmody
Hi, just passing on a couple of news items related to the expanding set of uses for Social Identities:

1) Select Internet2 applications accept google IDs

> Individuals can now use their Google IDs to log into four select Internet2 services. The Google Gateway will initially provide access to the InCommon Federation Manager, Internet2’s collaboration wiki, and two applications soon to be used by the Multifactor Authentication (MFA) Cohortium that is supported by Internet2’s Scalable Privacy Project from the National Strategy for Trusted Identities in Cyberspace.

Details are at https://spaces.internet2.edu/x/f4OZAg

2) an Educause session highlighting other uses of Social Identities, and a new service to simplify relying on Social Identities:

Bring Your Own Credential: Providing Access to Campus Services with Social Identities (Google, Yahoo, Twitter)
Thursday Oct 17th...
October 14, 2013 | Dan Malone
Cal Poly, San Luis Obispo currently is recruiting for an Identity Management Analyst. For more information or to apply, please go to: www.calpolyjobs.org

#103013 - Identity Management Analyst (Analyst/Programmer - Career), ITS - Information Systems. Salary range $4,314-$8,831 per month. Anticipated hiring range $5,417-$6,667 per month. Open until filled. Review begins Oct. 9.

--
Dan Malone
dmalone@calpoly.edu
Cal Poly State University - San Luis Obispo
October 7, 2013 | Thomas J. Barton
For those who may be interested:

The University of Chicago is seeking an Assistant Director for Identity Management to manage the business analysis, service coordination, programming, and operational functions comprising the Identity and Access Management team, develop new services, and lead technical and functional leads across the University towards appropriate and valuable integration of their systems and activities with central IAM and related services.

UChicago is a leader in national Identity and Access Management activities, working with peers to define and establish innovative ways of managing access through a combination of automation, delegation, and infusing identifiers and attributes into systems and processes where their value can be leveraged.

We are entering a new phase in which our business processes are being modernized, data integration architecture is...
September 30, 2013 | Zdenek Nejedly
My sincere apologies - please ignore the previous email - I sent it to a wrong mailing list. Thanks, Chris, for pointing it out :-) Cheers, Zdenek
September 30, 2013 | Zdenek Nejedly
Hello Kent:

The following domains are used/supported by IDEAS. The root path may not return any readable content.

http://sso2.identity.uoguelph.ca (Oracle AM)
http://apps.identity.uoguelph.ca (D2L SSO middleware)
http://docs.identity.uoguelph.ca (reserved for IDEAS content)

The following URL is currently supported but the service (Sun AM) will be removed before January 2014 and the domain will be re-purposed:

http://sso.identity.uoguelph.ca

The following hosts the Restore Request and the Storage and Backup team is the owner:...
September 26, 2013 | Dean Woodbeck
Registration fees for the InCommon Identity Week events (Advance CAMP and CAMP) will increase after September 30. If you are considering attending, register soon.

Identity Week will be held November 11-15, 2013, held in Burlingame, California, just south of San Francisco. The event, led by Internet2, will bring together the InCommon community, identity management technical implementers and architects, and U.S. and international leaders in the field of identity and access management.

Each of the three meetings (REFEDS, ACAMP and CAMP) has a separate registration, so you can choose the one(s) right for you. You can see a summary of the Identity Week meetings at https://spaces.internet2.edu/x/bABtAg, or you can go to http://www.incommon.org/idweek for links to the meetings, programs, hotel,...

September 25, 2013 | Mark B. Jones

All,

I found this article interesting with respect to privacy and permanent identifiers. In this case Yahoo’s practice of recycling email addresses represents a privacy concern that would have been managed if they followed Google’s practice of maintaining email address as a permanent identifier.

I see this as an example of how privacy gains can be won by use of permanent public identifiers.

http://www.informationweek.com/security/vulnerabilities/yahoo-responds-to-recycled-email-securit/240161791?cid=NL_IWK_Daily_240161791&elq=9bfa0b09104f4ca594980d7dc88091d1

December 8, 2011 | Scott Grissinger
--
Best Regards,
Scott Grissinger
704-898-4840

February 1, 2012 | Brendan Bellina
4 years ago when we implemented Google Apps we took the approach that we would have a separate password for Google than for our enterprise systems. Most students were expected to access GA through web SSO anyway so a second password would only be an inconvenience for the few using POP (IMAP wasn't supported until a month before we went live). A lot has changed since then and there is a movement toward giving our enterprise password to Google rather than maintaining a separate password. I would like to know if there remain schools who are maintaining separate passwords rather than synching their passwords to Google. I know there were some who followed our lead back in 2008, but I don't know if they later changed their approach. If you have Google Apps but do not sync your enterprise password with Google, please respond. Thanks. Regards, Brendan Bellina Mgr, IdM USC ITS
January 2, 2013 | Mark B. Jones

1. What are your university’s current policies/practices for removing student email accounts?

Our IdM system receives data for students from the Registrar’s System of Record. Based on criteria we get from the Registrar, student accounts are disabled when they are no longer considered students. Accounts are then de-provisioned after a standard amount of time following being disabled. I could be more specific but my guess is that there is an 80% chance or better that our specific policies will not work for any other institution.

2. Do the policies/practices differ for undergraduate students versus graduate students?

No.

3. ...

March 6, 2013 | Listserv Anonymous User
Message from mike_shore@bcit.ca

Hi all,

Our account and email provisioning processes are based on an employee’s start date. However, once in a while we get a request from HR to create a mailbox for a “higher up” (manager or VP) who is starting at some point in the near future. The reasons given include wanting to set up their calendar schedule, start communicating with the new hire, and get them up to speed so they hit the ground running on their first official day of work.

I understand this desire, but from a security and liability standpoint we’re not comfortable with creating an “unused” account and mailbox. Even if it is a VP, he is not an employee until date X, so why should he have access to our resources before date X?

Do you have policies or procedures in place to provision employees before their actual start date? Technically,...
February 21, 2013 | Paul Hodgdon

I was wondering if anyone had a good example of how they are using GUIDs. We had on our technical requirements for implementing OIM that we needed to generate a GUID. Does your IdM system do this now and do you store it in your data sources?

-Paul

IT Accounts & ITSM Applications Manager
University of New Hampshire
Client Services
Primary: (603) 862-2377
Alternate: (603) 862-4242
Paul.Hodgdon@unh.edu
http://accounts.unh.edu

April 12, 2012 | R.L. Morgan
I hate to start another SSN thread on this list (see Jan 2011 and Jan 2008), but I will try to constrain the topic. UW is one of those sites that has a "person registry" driving its enterprise IdM, providing identities for accounts, authorization, etc. This UPR gets the usual feeds from source systems (HR, student, alum, extension, partners) and as one of its jobs tries to match person data coming from the different sources. In our case one of the main items we match on is SSN; we get SSNs from the student and HR sources. UW, probably years behind other campuses, is moving toward having a comprehensive enterprise SSN-handling policy. This new doc sets out the acceptable situations for obtaining and using SSNs, driven primarily by federal and state law and regulation. Processes like hiring and student financial aid require SSN, by law, so are explicitly permitted. Identity management matching is not required, so is a point of contention. Our IAM team is seeking...
June 27, 2012 | John C. Borne

Hi all,

We are contemplating what it would take to replace our homegrown IdM system at some point in the, hopefully, very near future. If anyone has done a similar project or exercise in the last couple of years and feels they can share their requirements list, bid specifications, or RFP document, I’d be most appreciative. If you like, send it to me off-list and it will be held in strict confidence.

Thanks!

John B

John Borne
Chief IT Security & Policy Officer
Information Technology Services
Louisiana State University
200 Frey Computing Ctr
Baton...

December 5, 2011 | Gary Chapman
I suppose many of us who've built a "person registry" or an "identity database" over the years are, to varying degrees, in the business of distributing various identity-related data to individuals and applications on our campuses. 

In our case, this "service" has grown incrementally over time -- we receive requests for data from those who want a single, authoritative, central source (as opposed to systems of record that focus on a particular constituency, like an HR system).  So we rig up data feeds, add data to LDAP, create reports, maybe even create web services...

Anyway, we're doing some strategic planning, and I'm wondering what we should aim for in the category of identity-related data services.  

* A reasonable business to be in?
* How should we make data available going forward?
* What should...
May 24, 2012 | Bry-Ann Yates

Dear IDM members,

We’re working on Identity Access and Management at the University at Albany, including an IdM policy. A question has come up about provisioning accounts for students who are also employees. We’d like to get a sense of whether institutions provide student workers with a single account (to accommodate both roles) or two (one for academics, the other for employment purposes). Your insights would be appreciated.

Elaine Amabile
Associate Director – ITS CSS
University at Albany
(518) 442-3763

November 30, 2011 | Rodney Petersen

(Please excuse the cross-posts.)

The U.S. Department of Education Federal Student Aid technology office announced this week at the 2011 Federal Student Aid Conference its plans to issue 90,000 tokens to privileged users who have access to Personally Identifiable Information on FSA systems. The privileged users will include financial aid staff at your institutions. More information is available at http://net.educause.edu/ir/library/pdf/CSD6059.pdf

We will also feature the Department’s plans next week as part of IAM Online (www.incommon.org/iamonline) scheduled for Tuesday, December 6th, at 3 p.m. ET / 2 p.m. CT / Noon PT....

September 13, 2012 | Pranab R. Pati

Has anyone closely looked at or considered implementing Oracle Access Manager and Oracle Identity Federation in a campus environment?

Thanks,

Pranab Pati
Sr. Identity and Access Management Architect
University of San Diego
Email: pranabp@sandiego.edu
Work: 619-260-7553

March 25, 2013 | Brendan Bellina
It is my understanding though that the standard attributes (cn and the like) cannot be marked confidential and so are visible to all authenticated users. You could try to use only custom attributes but then most AD-centric products would fail to work because they expect the standard attributes. Managing the AD itself would also become problematic because Microsoft's tools expect you to use the standard attributes. It appears to me that AD remains incapable of properly supporting FERPA requirements and confidentiality requests. I'd love to be proven wrong about this because we do have to support AD for Office365 and several AD-centric products and I am hesitant to support putting more of our enterprise identity data into AD because of this. Regards, Brendan Bellina USC
December 5, 2011 | Keith D. Hazelton
Please offer suggestions to improve the following proposed language (for inclusion in an upcoming version of eduPerson).

        --Keith Hazelton (hazelton@wisc.edu)
_______________

2.2.1. eduPersonAffiliation (defined in eduPerson 1.0); OID: 1.3.6.1.4.1.5923.1.1.1.1

RFC 4512 definition

( 1.3.6.1.4.1.5923.1.1.1.1
          NAME 'eduPersonAffiliation'
          DESC 'eduPerson per Internet2 and EDUCAUSE'
          EQUALITY caseIgnoreMatch
          SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

Application utility class: standard; # of values: multi

Definition

Specifies the person's...

August 14, 2013 | Listserv Anonymous User
Message from richard.frovarp@ndsu.edu

On 08/14/2013 10:35 AM, Tom Poage wrote:
> Hello,
>
> We're hearing rumors our IT management wants to start using email address as 'loginid' for our SSO (CAS, Shibboleth) and provisioned systems. My gut says 'no', yet I'm having difficulty finding more than passing comments on the issue e.g. "an attacker has half the problem solved in guessing loginid + password" (though recent password strengthening initiatives and the success of phishing renders guessing/cracking much less attractive), and "one's email address may be subject to change" (cf. maintenance effort on downstream systems).
>
> E.g. Google Apps for Education uses email address as identifier and, although I wasn't involved in the technical analysis/decision, our pilot of Office 365 uses email address (cf. UPN) as login identifier.
>
> I'm looking for guidance/analysis on the effect of using email address as 'loginid' from the standpoint of security,...
January 29, 2013 | Brendan Bellina
We use two multi-valued attributes to record entry level restrictions and attribute level restrictions. Since FERPA is only one of many reasons you may want to restrict the release of an entry or an attribute, being able to record multiple reasons rather than just a "hasFERPA" type attribute seemed the better approach. ou level ACI's are used to prevent entry release. Entry level ACI's are used to prevent release of individual attributes. Granular level release (public, USC-only, private) is possible, but we don't allow users to directly alter those settings at this time so public and private are the only ones actively used at this time. The Student and Payroll systems are considered to be the systems of record for the privacy settings. When an application is approved by the data stewards to access private attributes and entries the service account it uses for querying is added to a group so that it can access them despite the ACI's. This solution doesn't require the creation of a...
January 25, 2012 | Listserv Anonymous User
Message from dperrin@keene.edu

Hello,

I'm working on institutional identity management efforts and a goal to reduce login combinations. I'm very interested in understanding best practices to follow in pursuit of reducing login combinations. Most of our internal applications and externally hosted web applications use application specific authentication sources. Our team will soon be configuring select internal applications for LDAPS authentication.

Here's where things get interesting... at least one of our internal applications supports LDAP (not LDAPS). All of our web application vendors support LDAPS but not all of them support token based authentication (like CAS or Shibboleth). I've found little information about when LDAPS authentication with hosted apps would be acceptable - or if it should be avoided at all...

January 3, 2013 | Mark B. Jones

Sorry for cross posts…

I’m looking for any published definitions of ‘Electronic Authentication Credential’.

NSTIC calls them ‘Trusted Credentials’ I believe.

I seem to see ‘credential’ used everywhere but defined nowhere.

Anyone have a URL?

Thanks,

Mark Jones
Manager, Systems Analyst & Programming
Academic Technology | Software Engineering |
7000 Fannin | Suite 780 | Houston, TX 77030 |
713 500 3508 tel | 713 500 0313 fax |
www.uth.tmc.edu/oac

July 24, 2012 | Paul Hodgdon

How does your school manage its reconciliation process? What types of attributes do you use to determine if someone is a match or new person? Do you do any sort of encryption with values such as SSN?

We are working on a project to centralize identities amongst other campuses and would like input on how other schools are doing this. One topic of conversation is not using SSNs for reconciliation; I didn’t know if others had thoughts on this.

Thanks,

Paul

IT Accounts & Remedy Administration Manager
University of New Hampshire
Client Services
Primary: (603) 862-2377
Alternate: (603...
