January 27, 2006
Single Sign-On Eases Headaches, Especially on February 15
Hopefully by now you are acquainted with the university's single sign-on service, CAS. You appreciate how much easier it makes your day. You get to work in the morning, sign on, and don't worry about specifying your password again and again and again. Well, that isn't accurate. There are still numerous services that haven't been converted to CAS. Some are for political reasons. Some are for technical reasons. Although ITS has internally tested CAS with the portal, webmail, the web Oracle calendar, and even Blackboard, these services haven't been converted chiefly because the current CAS server won't let users with passwords older than September 1999 log in.
The next version of the CAS service (which is due for deployment any day now) corrects this issue. It also looks branded and even allows special users defined in LDAP to log in. For service deployers, this should be enough to convince you to convert your service. If not, you will pay dearly come February 15.
The upgraded CAS service features something no other current login method at Case will: friendly integration with the new password policies. When your password expires, your account is disabled. You will not be able to log in from anywhere. The only thing you can do with your old password is use it to change your password. However, when you log in to CAS with your expired password, CAS will say "Your password has expired. Please use the Password Change Page to change your password." SITES NOT USING CAS WILL NOT BE ABLE TO DISTINGUISH BETWEEN A BAD PASSWORD AND AN EXPIRED ONE. Users will visit these non-CASified sites and enter their password over and over, confident it is correct. Frustration builds up. These services aren't programmed to check for an expired account. They just check whether the password works, which the password policies dictate it won't. People will get upset they can't use your service. They have no idea why. They file trouble tickets with the Help Desk. They call you. They e-mail you. Loss of productivity ensues.
CAS exists for user convenience and for peace-of-mind with information security. I HATE typing in my password to access a site. After all, that password is available to that site to do what they want. There is nothing stopping a web site operator from putting up a site that requires my password, then takes that password and logs in to the the e-mail server as myself and downloads all my mail. They can bind to the LDAP as me and obtain my personal information. They can log in to other services as me. Your Case ID password should be yours and yours only. You should only need as few times as possible. CAS makes that possible.
For all the system administrators out there who haven't deployed CAS yet, I implore you to do so. You will be conveniencing the users of your services as well as securing some peace-of-mind come February 15.
Trackback
You can ping this entry by using http://blog.case.edu/gps10/mt-tb.cgi/5548 .
Comments
Mentioned this in the post The Benefits of Single Sign On
for the case of a person's account whose password has expired and they need to renew it. On a system using it's own authentication form (even if it is against our Kerberos or LDAP services), it must be configured separately to give out such helpful links and information. Obviously, with n apps all doing their own authentication, all of them need to be configured to do this themselves – duplication of work. Or, even worse, having the external apps not configured at all and they just say, "your password sucks; go away!" with no helpful information.
So does an expiring password mean that someone hasn't changed their password before the Feb 15 only, or because they are going to be expiring regularly from now on? I haven't seen any confirmation of regular expiration, and the fact that you could reuse your previous password would seem to imply that this was a one-time event...
It is my understanding that people will have to change their password every N months. Unfortunately, I cannot find any information about that policy. I'm not sure if Feb 15 is "let's eliminate the need for Kerberos 4" or "the new policy is in full effect" Day. I am pretty sure the end goal is instituting a system where passwords routinely expire.
After talking with someone in the know, February is simply a flag day when all the passwords will expire. There is no policy in place that says these new passwords will expire after a period of time. I wouldn't count it out for the future, however...
I love the concept, but a few practical drawbacks hold me up from using CAS:
- seems like a monster to get it working under IIS (I know I know, but even ITS has a few applications that require IIS).
- being redirected to the CAS login page doesn't provide a seamless user experience within an application. So I can authenticate a user and but then have to display an error message on a subsequent page if their credentials don't meet what I'm looking for beyond just a valid ID (not to mention the time and money spent converting to the web templates).
- one size doesn't always fit all. sometimes an application needs to provide "helpful links" beyond what might be on the CAS login page (for example, incoming students should mention they aren't students yet when they contact the Help Desk with ID/password problems).
But I'll make you a deal, Greg: you figure out how to do it using classic ASP and I'll implement it. ;P
https://opensource.case.edu/projects/CAS/wiki/CASP is an ASP library written by someone at Case to do the CAS login. The CAS protocol is very simple to program. The complexities arise when doing proxied authentication, which 99% of the time you don't need to do.
Regarding the seamless user experience, CAS 3 (which will be deployed before Feb 15) supports different skins depending on the service accessed. However, implementing has been decided against b/c we want a user to know when he or she logs in to CAS. Imagine, "I didn't know I logged into the SSO service and someone could use my account."
If you have suggestions about what information needs to be provided on the CAS login page, please e-mail sso-admin@case.edu with them. We want CAS to be as easy to use as possible.
But wait, if their password wouldn't work, why wouldn't they go to the help web page? I mean, they can't be so damn certain it should work, since they haven't used it for months or whatever, and since it doesn't work for any other services, right?
+C
Greg,
Have you heard of anyone on campus using CAS with RT? We use RT for our internal ticket tracking, and I think other departments (EECS?) uses it for a few things as well.
How do you think. If I quit using internet... No, CAN I quit?
I know, ask me. Also some interesting sites.
I present to you this cool site about Tramadol
May be its help you to find him...
Best price for:
prom dress [url=http://www.blogsharing.com/prom/2241/]prom dress[/url]
http://www.blogsharing.com/prom/2241/ prom dress
Best price for:
prom dress [url=http://www.blogsharing.com/prom/2241/]prom dress[/url]
http://www.blogsharing.com/prom/2241/ prom dress
paxil side effects [url=http://www.oiepmis.bia.edu/_disc2/000017d0.htm]paxil side effects[/url]
paxil side effects [url=http://www.oiepmis.bia.edu/_disc2/000017d0.htm]paxil side effects[/url]
paxil withdrawal [url=http://www.siena.edu/boswell/_disc10/00000261.htm]paxil withdrawal[/url]
carisoprodol online [url=http://farmweb.jrc.cec.eu.int/CRELL/_kbas/000001bc.htm]carisoprodol online[/url]
carisoprodol online [url=http://farmweb.jrc.cec.eu.int/CRELL/_kbas/000001bc.htm]carisoprodol online[/url]
buy carisoprodol [url=http://www.socwel.ku.edu/discussions/SW981/_disc1/0000414b.htm]buy carisoprodol[/url]
buy carisoprodol [url=http://www.socwel.ku.edu/discussions/SW981/_disc1/0000414b.htm]buy carisoprodol[/url]
order carisoprodol [url=http://www.etsu.edu/ptfaculty/_kbas/0000125d.htm]order carisoprodol[/url]
buy carisoprodol online [url=http://facweb.cs.depaul.edu/mobeirne/_kbas/00000159.htm]buy carisoprodol online[/url]
Girls, have fun, not boys
oebdnzg lqvo kreumo zdelymq jhcm zhtro abms
I present to you this site:
carisoprodol
[url=http://ecarisoprodol.org][/url]
http://ecarisoprodol.org
cialis soft
[url=http://z.la/g6v4m ]
cheap cialis
[/url]
cialis soft
[url=http://z.la/g6v4m ]
cheap cialis
[/url]
cialis sale
cialis impotence drug eli lilly co
[url=http://kat.cc/019c26 ]
cialis free sample
[/url]
cialis sale
cialis impotence drug eli lilly co
[url=http://kat.cc/019c26 ]
cialis free sample
[/url]
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/culos-gratis.html]culos gratis cheap order online[/url] [url=http://www.dreipage.de/userdaten/79068443/html/el-telefono.html]cheap online culos gratis[/url] [url=http://www.dreipage.de/userdaten/79068443/html/horoscopo-chino-gratis.html]horoscopo chino gratis order discounts[/url]
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/culos-gratis.html]culos gratis cheap order online[/url] [url=http://www.dreipage.de/userdaten/79068443/html/el-telefono.html]cheap online culos gratis[/url] [url=http://www.dreipage.de/userdaten/79068443/html/horoscopo-chino-gratis.html]horoscopo chino gratis order discounts[/url]
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/culos-gratis.html]culos gratis cheap order online[/url] [url=http://www.dreipage.de/userdaten/79068443/html/el-telefono.html]cheap online culos gratis[/url] [url=http://www.dreipage.de/userdaten/79068443/html/horoscopo-chino-gratis.html]horoscopo chino gratis order discounts[/url]
jenna jameson naked
[url=http://kuso.cc/1cn@ ]
fucking jenna jameson
[/url]
jenna jameson clips
[url=http://kuso.cc/1cn@ ]
jenna jameson movies
[/url]
jenna jameson clips
[url=http://kuso.cc/1cn@ ]
jenna jameson movies
[/url]
jenna jameson clips
[url=http://kuso.cc/1cn@ ]
jenna jameson movies
[/url]
jenna jameson sex
[url=http://kuso.cc/1cn@ ]
jenna jameson sex
[/url]
jenna jameson sex
[url=http://kuso.cc/1cn@ ]
jenna jameson sex
[/url]
jenna jameson sex
[url=http://kuso.cc/1cn@ ]
jenna jameson sex
[/url]
Check this:
el telefono buy online no prescription online no prescription mujeres desnudas gratis
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/mujeres-desnudas-gratis.html]order online lowest price el telefono[/url] [url=http://www.dreipage.de/userdaten/79068443/html/musica-gratis-stratovarius.html]culos gratis lowest price order online[/url]
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/mujeres-desnudas-gratis.html]order online lowest price el telefono[/url] [url=http://www.dreipage.de/userdaten/79068443/html/musica-gratis-stratovarius.html]culos gratis lowest price order online[/url]
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/mujeres-desnudas-gratis.html]order online lowest price el telefono[/url] [url=http://www.dreipage.de/userdaten/79068443/html/musica-gratis-stratovarius.html]culos gratis lowest price order online[/url]
big tits
[url=http://ttu.cc/3690 ]
huge tits
[/url]
teen tits
[url=http://ttu.cc/3690 ]
tit
[/url]
teen tits
[url=http://ttu.cc/3690 ]
tit
[/url]
young tits
[url=http://ttu.cc/3690 ]
huge tits
[/url]
young tits
[url=http://ttu.cc/3690 ]
huge tits
[/url]
nice tits
[url=http://s-url.net/0q8f/ ]
black tits
[/url]
nice tits
[url=http://s-url.net/0q8f/ ]
black tits
[/url]
Check this:
[url=http://www.dreipage.de/userdaten/79068443/html/office-xp-manuales-free-gratis.html]discounts buy musica gratis stratovarius[/url] [url=http://www.dreipage.de/userdaten/79068443/html/sexo-gratis.html]gratis order online discounts[/url]
small tits
[url=http://shrinkurl.us/tiny-tits ]
huge tits
[/url]
teen tits
[url=http://shrinkurl.us/tiny-tits ]
small tits
[/url]
young tits
[url=http://shrinkurl.us/tiny-tits ]
perfect tits
[/url]
young tits
[url=http://shrinkurl.us/tiny-tits ]
perfect tits
[/url]
cialis forum
[url=http://atk.jp/qpyo ]
cialis
[/url]
cialis forum
[url=http://atk.jp/qpyo ]
cialis
[/url]
big tits
[url=http://atk.jp/vsod ]
perfect tits
[/url]
big tits
[url=http://atk.jp/vsod ]
perfect tits
[/url]
tit
[url=http://atk.jp/vsod ]
tits
[/url]
As for me, I like dress shoes womens
cialis impotence drug eli lilly co
[url=http://rubyurl.com/8Av ]
buy cialis online
[/url]
cheap cialis
[url=http://rubyurl.com/8Av ]
cialis drug
[/url]
cialis online
[url=http://rubyurl.com/8Av ]
cialis online
[/url]
cialis online
[url=http://rubyurl.com/8Av ]
cialis online
[/url]
cialis online
[url=http://rubyurl.com/8Av ]
cialis online
[/url]
Kindzmarauli vs conyaq, or some...
generic cialis
[url=http://url.vg/sxxxx/a9482d/cialisgenericcialisbuyci ]
cheapest cialis
[/url]