Educause Security Discussion mailing list archives
Re: National Student Clearinghouse authentication changes
From: Theresa Rowe <rowe () OAKLAND EDU>
Date: Mon, 10 Nov 2008 15:46:56 -0500
We've just started looking at this here, so we appreciate any insights. We are all likely just starting out, though.

Theresa

On Mon, Nov 10, 2008 at 11:17 AM, Kevin Shalla <kshalla () uic edu> wrote:

> The NSC requirement goes into effect on Jan 1, 2009, so I wonder what schools are doing between now and the end of this year.
>
> At 08:58 AM 11/10/2008, Steven Carmody wrote:
>
>> At 10:01 AM -0600 11/7/08, Kevin Shalla wrote:
>>
>>> Now the NSC no longer offers that option, and is requiring us to switch to a system where we authenticate the student, then pass the SSN in the URL to them. Apparently now they want us to do their authentication for them. It seems to me that passing the SSN in the URL would allow the user to simply modify the SSN in the URL to someone else's and then gain access to the information for the person with that other SSN. What are others doing regarding this NSC policy change?
>>
>> Several fall conferences included a presentation describing a current pilot involving NSC and Stanford Univ. They are using a Federated approach, based on industry standard security approaches. Both parties happen to be using the Shibboleth software. However, bottom line, they are using an industry standard -- SAML 2 -- to exchange messages containing personal information that MUST be secured -- and are doing so in a secure and trusted fashion, without exposing the personal info during transit or in log files. (One hopes that with the approach that Kevin describes that the NSC web server logs don't contain the parameters on the url...)
>>
>> With the federated approach, the campus authenticates the student, and then provides trusted assertions to NSC (or any other service provider) to describe the browser user. In NSC's case, this could include the student's SSN (or perhaps a student ID number would work as well?). With this approach, the campus would control which attributes are sent to each service provider (i.e. the campus will presumably only send SSN to a very small set of very trusted partners).
>>
>> Note that this is a pilot, and there are currently no guarantees that NSC will take this approach to production.
>>
>> I expect that Conferences in the spring will include a report out on the status of this pilot, and describe any future steps.

--
Theresa Rowe
Chief Information Officer
Oakland University
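The contrast drawn in the thread, as an added example that is not from the list or from NSC: a relying party that reads the SSN straight from the query string versus one that only accepts attributes carried in an assertion signed by the campus. The HMAC-signed token, the issuer name "campus.example", the shared key and the sample SSN are all constructed stand-ins for a SAML 2 assertion and are not real values.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlparse

# Constructed shared secret between the campus (issuer) and the relying party.
CAMPUS_KEY = b"demo-shared-secret-not-real"
ISSUER = "campus.example"
MAC_LEN = 32  # bytes in a SHA-256 HMAC

def ssn_from_url(url):
    """Pattern the thread objects to: the relying party trusts whatever SSN the
    browser put in the URL, so the value also lands in web server logs."""
    return parse_qs(urlparse(url).query)["ssn"][0]

def issue_assertion(attrs, key=CAMPUS_KEY, now=None):
    """Campus side: after authenticating the student, sign the attribute bundle
    the campus has chosen to release to this service provider."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"issuer": ISSUER, "attrs": attrs,
                          "iat": now, "exp": now + 300}, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    # Delivered in a POST body (as SAML's POST binding does), never in the URL.
    return base64.urlsafe_b64encode(payload + mac).decode()

def verify_assertion(token, key=CAMPUS_KEY, now=None):
    """Relying-party side: accept attributes only if the signature checks out,
    the issuer is the expected campus and the assertion has not expired."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    data = json.loads(payload)
    now = int(time.time()) if now is None else now
    if data.get("issuer") != ISSUER or not (data["iat"] <= now < data["exp"]):
        return None
    return data["attrs"]

def modified_copy(token, old, new):
    """Test helper: edit the signed payload without re-signing, to confirm the
    verifier rejects an assertion whose attributes were altered in transit."""
    raw = base64.urlsafe_b64decode(token.encode())
    body = raw[:-MAC_LEN].replace(old.encode(), new.encode())
    return base64.urlsafe_b64encode(body + raw[-MAC_LEN:]).decode()
```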