ADTF 2017 02 01


- Important Single Sign-On (SSO) Information, Action Items for SysAdmins and User Experience

- Dates and Communications for the Cutover of G Suite, Signature Authority and Timecard to CIT Authentication


Ramsey leads off with SSO info and action items.  Text was e-mailed.  All users need to have (and know) CIT passwords before cutover at end of month.  Most labs have process complete.  List of users who haven’t logged in during the last 90 days was provided, in case some need to be contacted individually.  Some people confused CIT with UCAS.  (That should end on Feb 27!)  Will be announcement in Staff Notes Daily.

Will UCAS still be relevant?  Yes, there are still web applications that will use it.  Number will diminish over time, but this is the “Big Bang.”  Will there be a list of sites still using UCAS?  Erin has a draft.  Dynamic matrix that will be updated as services are converted.

When will ExtraView change over?  Probably at next upgrade.  Or just replace it!

Erin shares draft document.  Link to wiki page on CIT password change.  Open to feedback.  Some issues when using Anixis portal from domain-joined Mac – Keychain issues.

Are there instructions for Firefox, IE, and Chrome?  Yes – maybe not all flavors of all things.  Group Policy to configure browsers to permit true SSO.  Will post those.

User experience.  When connecting from domain-joined workstations, via VPN or internal networks, users won’t be prompted for separate authentication for SSO-enabled applications.  Will have form when connecting from outside networks.  Then granted session-based token which will work for a limited timeframe (2-5 minutes).  Some discussion of details.

Sysadmins will be “first line of defense” for sorting out edge cases.

Shared computers, role accounts.

Discussion on some aspects of managing user objects in CIT domain.  How to safely enable other individuals if full sysadmin support not available – some user provisioning tools (next step for IAM project) can help with delegation.  Schedulable jobs?  Don’t know.  Will investigate workflow options through RFP.

Thanks to Simon for the help with start-before-login for AnyConnect.  Feedback from testers would be welcome.

CISL/SWEG supports mod_auth_kerb for web sites and has instructions for switching over to CIT authN.

Cleanup of computer and user objects in domain.  Is that more important?  Are there deadlines?  Or is it just “best effort”?  Aaron: Likely a deadline, but it’s a way out.  Garth will share an addendum to Ramsey’s script that will display computer accounts that have been inactive for over a year.  Could help with cleanup.

Any other topics or questions?  Kim: What’s the timecard cutover date?  Feb 27 after 5:30 PM.  Tuesday morning will be when changes are visible.  G Suite, Time Card, and Signature Authority will all change at that time.

Should there be a separate OU for collaborators?  Aaron’s first reaction: yes.

Wrapped at 11:25.

