Use of Shibboleth/UCTrust Authentication for UCOP Applications

August 25, 2009

POLICY STATEMENT

RE: Use of Shibboleth/UCTrust Authentication for UCOP Applications

The University has created an Authentication Federation, known as UCTrust. Most campuses, as well as UCOP, have met certain standards in order to join the UCTrust Federation. Members of this Federation are allowed to use UCTrust authentication, which is based on Shibboleth, for their respective memberships to access “Shibbolized” applications. This policy sets forth guidelines for establishing “Shibbolized” applications, i.e., applications at UCOP which can or do use Shibboleth authentication as a means of providing user access to the application.

The following chart defines the types of applications that should use Shibboleth Authentication.  Not included are:

  1. Public content-only sites, i.e., this policy only addresses applications that are either transactional or provide content to privileged users only – in short, those requiring a login for access.
  2. MS Windows applications that are already tied into AD, e.g., Outlook.

This chart should be used by all UCOP departments in their specification of requirements for the development or purchase of any computer application. 

 

| # | Scope of Application | Audience | Example | Must Use Shib Prospectively | Must Retrofit Existing Apps |
|---|---|---|---|---|---|
| 1 | Multiple Campuses | All Employees – Personal Information | AYSO, LMS, Connexxus | Yes | Yes |
| 2 | Multiple Campuses | Selected Functional Areas – Administrative Information | Web-Account, Retirement Calc Tool, EIAS | Yes | No |
| 3 | Multiple Campuses | Includes affiliated individuals external to the University | Education Partnerships | No | No |
| 4 | Departmental Support within UCOP | Selected Employees – Administrative Information | HRB Admin Apps, PHP apps developed by WebDev | Optional, but recommended | No |