Authentication Services Policy

Purpose

The purpose of this policy is to protect the University's network and to protect the security and privacy of any data that is either critical to the business of the University or legally required to be protected by the University and whose access is controlled through UNL Identity Management supported authentication services.

Policy Statement

Services that provide access to non-public or confidential data must integrate with UNL's centralized single-sign-on authentication system using either SAML 2.0 or CAS. It is recommended that services wishing to uniquely identify users do so as well. The preferred authentication protocol is Shibboleth/SAML 2.0. If an application will never have a need for federated authentication, CAS is a secondary option.

The use of multi-factor authentication is strongly recommended when accessing non-public or confidential institutional data.

Any other authentication protocols, or standalone authentication methods for accessing non-public or confidential data must be requested and approved by the Identity & Access Management Steering Committee and comply with the Direct Authentication Requirements prior to access.

Any service that uses a UNL Identity Management operated authentication service must have at least one active full-time benefits-eligible employee designated as the responsible party and one current technical contact person for the service. These cannot be the same person.

Direct Authentication Requirements
All services that present plaintext passwords to a UNL Identity Management operated authentication service, e.g. LDAP or Active Directory, must collect and transmit these credentials over a secured communication channel that ensures end-to-end information integrity and confidentiality such as SSL or TLS.

Any service that uses a UNL Identity Management operated authentication service must not write users’ authentication secrets to any persistent store. A user’s authentication secret must not be maintained in memory beyond the end of the user’s session. Authentication secrets must not be used for any purpose beyond authenticating the user for the service the user is logging into.

Applicability and Scope

This policy applies to all services that use UNL Identity Management operated authentication services, whether managed by the University or by a third party with whom the University has contracted the service(s).
External, non-University, services that are not members of the InCommon Federation may not use UNL Identity Management’s authentication services without review by UNL Identity Management and an approved access request.

Enforcement

UNL Identity Management reserves the right to review services to ensure they comply with these requirements, or appoint a third party to do so. Services found to be violating this policy may be disabled until they are brought into compliance with this policy. Before taking that step, UNL Identity Management will attempt to work with the service owner to determine whether mitigating controls can be put in place to remediate the identified issues until such time as the service can be brought into compliance.

Request forms are available at http://go.unl.edu/idmform
See the UNL Data Security Guidelines for information on data classification.

Contact

If you have any questions as to whether or how this policy applies to your specific server or service, please contact Brett Bieber, UNL Identity Management Coordinator or the UNL Security Team at security@unl.edu.

Responsible Office: UNL Information Services

Responsible Executive(s): Chief Information Officer

Last Update Date: April 8, 2016

Last Review Date: April 8, 2016

Next Review Date: April 8, 2017

Expiration Date: 
April 8, 2017