Information Technology Services
Use of Shibboleth/UCTrust Authentication for UCOP Applications
August 25, 2009
POLICY STATEMENT
RE: Use of Shibboleth/UCTrust Authentication for UCOP Applications
The University has set forth and created an Authentication Federation, known as UCTrust. Most campuses, as well as UCOP, have met certain standards in order to join the UCTrust Federation. Members of this Federation are allowed to use UCTrust authentication, which is based on Shibboleth, for their respective memberships to access “Shibbolized” applications. This policy sets forth guidelines for establishing “Shibbolized” applications, i.e., applications at UCOP which can or do use Shibboleth authentication as a means of providing user access to the application.
The following chart defines the types of applications that should use Shibboleth Authentication. Not included are:
- Public content-only sites, i.e., this policy only addresses applications that are either transactional or provide content to privileged users only – in short, those requiring a login for access.
- MS Windows applications that are already tied into AD, e.g., Outlook.
This chart should be used by all UCOP departments in their specification of requirements for the development or purchase of any computer application.
| | Scope of Application | Audience | Example | Must Use Shib Prospectively | Must Retrofit Existing Apps |
|---|---|---|---|---|---|
| 1 | Multiple Campuses | All Employees – Personal Information | AYSO, LMS, Connexxus | Yes | Yes |
| 2 | Multiple Campuses | Selected Functional Areas – Administrative Information | Web-Account, Retirement Calc Tool, EIAS | Yes | No |
| 3 | Multiple Campuses | Includes affiliated individuals external to the University | Education Partnerships | No | No |
| 4 | Departmental Support within UCOP | Selected Employees – Administrative Information | HRB Admin Apps, PHP apps developed by WebDev | Optional, but recommended | No |