Policy related to Single Sign On/Central Authentication Services (CAS)

May 27, 2015

Purpose

This document states Wesleyan’s policy for its Single Sign-On service. Wesleyan supports Central Authentication Services (CAS) and SAML 2.0. Wesleyan can support custom implementations when no other options are available.

Scope

The policy covers the duration of a login and the length of a valid session, as best as can be established with current practices.

Roles and Governance

The practices described are determined and reviewed by the Federation Oversight Committee which includes system administrators, programmers, the Director of User and Technical Services, and the Director of Administrative Systems.  

Trusted and Untrusted Networks

A user can authenticate from either a trusted or an untrusted network. A trusted network is an address on a defined subnet whose access is controlled via Access Control Lists (ACLs); access to these subnets is determined by the user’s role in the University. An untrusted network is an address on either an on-campus network segment (e.g., labs or classrooms) with far less access to system resources (also controlled by ACL) or an address outside of the University class of addresses.

The idle timeout setting for connections from the untrusted network is set to 1 hour. The hard session limit is set to 2 hours. Any connection from an untrusted network for 2 hours or more will be forced to authenticate again.

The idle timeout for trusted networks is 6 hours and the hard session limit is 12 hours.  

Session Validity

A session is valid until either the hard limit is reached or the browser is closed, provided the browser supports session removal on close.
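The network classes in the Trusted and Untrusted Networks section and the idle/hard limits in the Session Validity section, as an added example that is not part of this policy or of any Wesleyan system: a small server-side session check in Python. The trusted subnet 10.10.0.0/16, the lab address 10.20.3.4, the off-campus address 203.0.113.5 and the timestamps are constructed for the example. The policy does not say whether a session's trust class is re-evaluated if the client address changes, so the example assumes it is fixed at authentication time.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed subnet plan for this example only; not Wesleyan's actual addressing.
TRUSTED_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

# Idle timeout and hard session limit per network class, as stated in the policy.
LIMITS = {
    "trusted": {"idle": timedelta(hours=6), "hard": timedelta(hours=12)},
    "untrusted": {"idle": timedelta(hours=1), "hard": timedelta(hours=2)},
}

# Constructed reference time used by the demo below.
T0 = datetime(2015, 5, 27, 8, 0, tzinfo=timezone.utc)


def hours(h: float) -> timedelta:
    return timedelta(hours=h)


def classify_network(addr: str) -> str:
    """Map the authenticating address to 'trusted' or 'untrusted'.

    Only addresses on an ACL-controlled trusted subnet are trusted; on-campus
    lab/classroom segments and off-campus addresses are both untrusted.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in TRUSTED_SUBNETS):
        return "trusted"
    return "untrusted"


@dataclass
class Session:
    trust: str                  # assumption: fixed when the session is created
    authenticated_at: datetime  # when the user last authenticated
    last_activity: datetime     # last request seen on this session


def start_session(addr: str, now: datetime) -> Session:
    return Session(classify_network(addr), now, now)


def session_status(session: Session, now: datetime) -> str:
    """Return 'valid', 'idle_timeout' or 'hard_limit' for the session at `now`."""
    limits = LIMITS[session.trust]
    # The policy says "2 hours or more" forces re-authentication, so use >=.
    if now - session.authenticated_at >= limits["hard"]:
        return "hard_limit"
    if now - session.last_activity >= limits["idle"]:
        return "idle_timeout"
    return "valid"


def needs_reauth(session: Session, now: datetime) -> bool:
    return session_status(session, now) != "valid"


def touch(session: Session, now: datetime) -> Session:
    """Record activity only while the session is valid; an expired session is never revived."""
    if needs_reauth(session, now):
        return session
    return Session(session.trust, session.authenticated_at, now)


if __name__ == "__main__":
    lab = start_session("10.20.3.4", T0)  # campus lab segment: untrusted
    for h in (0.5, 1.0, 1.5, 2.0):
        print(f"lab session after {h}h: {session_status(lab, T0 + hours(h))}")
```

The browser-close condition in the Session Validity section is a client-side property (a session cookie with no expiry, which a conforming browser discards on close) that the server cannot observe, so the hard limit is the server-side backstop for a browser that keeps the cookie. Note also that `touch` refuses to extend a session that has already idled out; an activity-tracking bug that resets the idle clock on an expired session would otherwise turn the 1-hour idle timeout into the 2-hour hard limit.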

Attribute Request and Release

Wesleyan releases attributes considering a balance of security best practices and the requirements of the services that need them. Any request for attributes, including consideration of attributes not currently available, must go to the Federation Oversight Committee, which has the responsibility for maintaining policy in this area. The committee will share this information with the ITS Directors and CIO, and confer with data owners as appropriate, when making decisions regarding attribute information.

Editing and implementation of the attribute releases is handled by the Unix Systems group.  

The committee and the CIO in conjunction with University counsel are the responsible parties for escalation regarding any identity information released that is in conflict with stated policies.