

General Information

Below are some of the features in the GuestID System. For a more complete list, see the GuestID Basic Functional Requirements document.

GuestID Identifier Format

GuestID identifiers have a different format from NetIDs. They are derived from the guest's first name and last name.

For example, the guest "Willie Bob" will receive the GuestID "willie.bob". If another guest already has the GuestID willie.bob, a sequence number is appended. To improve readability, the digits 1 and 0 are never used in the sequence number, because they are easily misread as the letters l and O. Example: willie.bob2.

For all the rules used in creating a GuestID identifier, see the GuestID Requirements Document.
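The following is an added example, not code from the GuestID System, showing how the identifier rules above can be implemented: the `first.last` stem, and a sequence suffix that starts at 2 and skips every number containing a 0 or a 1 (so the suffixes run 2, 3, ..., 9, 22, 23, ...). The name normalisation (lower-casing, dropping accents and non-letters) and the in-memory `taken` set standing in for the directory of issued identifiers are assumptions; the authoritative rules are in the GuestID Requirements Document.

```python
import re
import unicodedata


def base_identifier(first: str, last: str) -> str:
    """Build the 'first.last' stem of a GuestID.

    Normalisation (lower-casing, dropping accents, apostrophes, spaces and
    anything else that is not a-z) is an assumption made for this example;
    the authoritative rules are in the GuestID Requirements Document.
    """
    def clean(s: str) -> str:
        s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
        return re.sub(r"[^a-z]", "", s.lower())

    f, l = clean(first), clean(last)
    if not f or not l:
        raise ValueError("first and last name must each contain at least one letter")
    return f"{f}.{l}"


def sequence_numbers():
    """Yield '2', '3', ..., '9', '22', '23', ...: the positive integers, in
    increasing order, whose decimal digits contain neither 0 nor 1
    (those two digits are easily misread as the letters O and l)."""
    n = 2
    while True:
        s = str(n)
        if "0" not in s and "1" not in s:
            yield s
        n += 1


def assign_guestid(first: str, last: str, taken: set) -> str:
    """Return the next free GuestID for this name and record it in `taken`.

    `taken` stands in for the directory of already-issued identifiers
    (assumption). The first collision gets suffix 2, then 3..9, then 22,
    23, ... (never 10, 11 or 21).
    """
    stem = base_identifier(first, last)
    if stem not in taken:
        taken.add(stem)
        return stem
    for seq in sequence_numbers():
        candidate = stem + seq
        if candidate not in taken:
            taken.add(candidate)
            return candidate


if __name__ == "__main__":
    issued: set = set()
    for _ in range(10):
        print(assign_guestid("Willie", "Bob", issued))
```

Because the stem is derived from the name, two guests who share a name are told apart only by the suffix; nothing in the identifier should be treated as a secret or as proof of identity.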

Authentication and Authorization Overview

There will be separate mechanisms for GuestID authentication and authorization. For example, a newly created GuestID can be authenticated, but will not have permission to do anything until granted by a department.

CUWebAuth has been modified with additional keywords which will allow GuestIDs to be authenticated and authorized.

CUWebLogin has been modified so that either a NetID or a GuestID can be entered in the CUWebLogin screen.

Authentication

The authentication protocol for the GuestID System is Kerberos 5 (K5).

GuestIDs do not use the KDC used by NetIDs; they have their own KDC, the Guest KDC, which runs in a separate realm. The Guest KDC speaks Kerberos version 5 (K5) only. It is not configured to do Kerberos version 4 (K4).

Because of security weaknesses in K4, there will be a project during FY06 to migrate Cornell campus services which use K4 to K5. Once all Cornell campus services have migrated to K5, cross-realm authentication between the GuestID KDC and the NetID KDC will be possible.

This will allow NetID services to be made available to GuestID users, if desired. By default, no NetID services will be available to GuestID users, but it will be technically possible to grant access using authorization.

An example is Net-Print, which is currently K4. Once modified to do K5, Net-Print can be made available to both GuestID and NetID users.
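As an added illustration (not a configuration from the GuestID project), this is what a client-side MIT Kerberos krb5.conf looks like once the two realms described above are trusted cross-realm. The realm and host names GUEST.EXAMPLE.EDU, NETID.EXAMPLE.EDU, guest-kdc.example.edu and kdc.example.edu are placeholders, not Cornell's real names, and allow_weak_crypto assumes a current MIT client (the option is newer than this page).

```ini
[libdefaults]
    default_realm = GUEST.EXAMPLE.EDU
    # K5 only: refuse single-DES and other K4-era enctypes on the guest side.
    allow_weak_crypto = false

[realms]
    # Guest KDC: its own realm, K5 only, separate from the NetID KDC.
    GUEST.EXAMPLE.EDU = {
        kdc = guest-kdc.example.edu
        admin_server = guest-kdc.example.edu
    }
    # NetID KDC: reachable cross-realm only after the K4 services are gone.
    NETID.EXAMPLE.EDU = {
        kdc = kdc.example.edu
        admin_server = kdc.example.edu
    }

[domain_realm]
    .example.edu = NETID.EXAMPLE.EDU

[capaths]
    # A guest principal obtains a service ticket in the NetID realm directly
    # ('.' = no intermediate realm) using the shared cross-realm krbtgt key.
    GUEST.EXAMPLE.EDU = {
        NETID.EXAMPLE.EDU = .
    }
```

The trust itself lives on the KDCs: the principal krbtgt/NETID.EXAMPLE.EDU@GUEST.EXAMPLE.EDU must exist with the same key in both realms (created with kadmin's addprinc on each side). Even with the trust in place, a cross-realm ticket only proves who the guest is; each NetID service still denies the guest until an authorization is granted, which is the separation between authentication and authorization the page describes.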

Authorization

GuestID authorization will be leveraged from another project which will replace the Permit Server used with NetID authorization. This project will produce an improved authorization system which supports both NetIDs and GuestIDs, and will provide a flexible way to delegate permissions and assign authorizations.

Self Registration Page

There will be a Self Registration Page which guests can use to obtain a GuestID. This allows departments the option to have the guest obtain a GuestID without assistance.

GuestIDs obtained this way will have no implied authorization. That is, the guest will not be able to do anything with their GuestID until they are authorized by a department or group.

The self registration page will use "special text graphics" to thwart automated registrations.

New GuestID accounts created via the Self Registration Page must be activated via "e-mail confirmation".

A department may elect to host their own customized self registration page.

Preregistration Page

A department may elect to create a GuestID on behalf of a guest. During creation the department will also be able to grant authorizations to services which it administrates. A Preregistration Page will be available to accomplish this. Only appropriately authorized personnel will have access to this form.

A GuestID account created via the Preregistration Page:

  • Need not have a verified e-mail address
  • Can be active upon creation
  • Must have an expiration date

A department may elect to host their own customized preregistration page.

Authorization Management

A department will be able to create an authorization which they own, and can then assign to a GuestID. Each assigned authorization will have an expiration date. Who assigns each authorization, and when it was assigned, will also be tracked.
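The account rules from the Self Registration and Preregistration pages and the authorization record described above can be expressed as policy checks. This is an added example, not the GuestID System's own code: the field names, the use of Unix-epoch seconds for timestamps, the "self"/"prereg" source labels and the sample values are all assumptions; the real schema comes from the authorization project that replaces the Permit Server.

```python
from dataclasses import dataclass
from typing import List, Optional

# Timestamps are Unix epoch seconds (assumption). Field and function names are
# illustrative, not the GuestID System's schema.


@dataclass
class GuestAccount:
    guestid: str
    source: str                 # "self" (Self Registration Page) or "prereg" (Preregistration Page)
    active: bool = False
    email_verified: bool = False
    expires_at: Optional[int] = None


@dataclass(frozen=True)
class Authorization:
    guestid: str
    service: str        # e.g. "net-print"
    owner_dept: str     # department that created and owns this authorization
    assigned_by: str    # NetID of the person who assigned it (tracked)
    assigned_at: int    # when it was assigned (tracked)
    expires_at: int     # every assigned authorization has an expiration date

    def is_active(self, now: int) -> bool:
        return self.assigned_at <= now < self.expires_at


def validate_account(acct: GuestAccount) -> List[str]:
    """Return the creation-rule violations for an account (empty list = OK)."""
    problems = []
    if acct.source == "self":
        # Self-registered: no activation until the e-mail confirmation is done.
        if acct.active and not acct.email_verified:
            problems.append("self-registered GuestID activated without e-mail confirmation")
    elif acct.source == "prereg":
        # Preregistered: may skip e-mail verification, may be active at once,
        # but must carry an expiration date.
        if acct.expires_at is None:
            problems.append("preregistered GuestID has no expiration date")
    else:
        problems.append(f"unknown account source {acct.source!r}")
    return problems


def is_authorized(acct: GuestAccount, grants: List[Authorization],
                  service: str, now: int) -> bool:
    """Authentication and authorization are separate: an active GuestID with no
    unexpired grant for `service` is still denied."""
    if not acct.active:
        return False
    if acct.expires_at is not None and now >= acct.expires_at:
        return False
    return any(
        g.guestid == acct.guestid and g.service == service and g.is_active(now)
        for g in grants
    )


if __name__ == "__main__":
    now = 1_155_000_000
    guest = GuestAccount("willie.bob", "prereg", active=True, expires_at=now + 86_400 * 30)
    print(validate_account(guest))                       # []
    print(is_authorized(guest, [], "net-print", now))    # False: authenticated, not authorized
    grant = Authorization("willie.bob", "net-print", "cit", "abc12", now, now + 86_400 * 7)
    print(is_authorized(guest, [grant], "net-print", now))  # True
```

Keeping `assigned_by` and `assigned_at` on the record (and never deleting expired records) is what makes the "who granted what, and when" question answerable later; expiry is enforced at check time rather than by a cleanup job, so a grant that outlives its sweep still stops working on schedule.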

No E-Mail Accounts Supplied

Guests may be granted permission to use a variety of Cornell services, but no e-mail accounts will be supplied for guests.

Forgotten Passwords

Guests who forget their passwords can have them reset via one of the following methods:

Hint. If the guest has selected a hint question and answer, and has previously provided the day and month of their date of birth, they can reset their password upon entering:

  • day and month of birth
  • the correct hint answer.

E-Mail. If the guest has a verified e-mail address, they can have their password reset via e-mail.

HelpDesk. The guest can have their password reset via the HelpDesk if a suitable type of identification is supplied.
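The hint method above is the weakest of the three: a day and month of birth has only 366 possible values, and hint answers are often short or guessable, so a reset endpoint that checks them must limit attempts or it becomes an enumeration oracle. The following is an added example of how such a check can be built, not the GuestID System's implementation: it stores the hint answer only as a salted hash, compares both factors in constant time, counts failures and locks the hint path after a fixed number of wrong guesses. The thresholds, the Unix-time `now` parameter, the dictionary record and the sample question and answer are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

MAX_FAILURES = 5            # consecutive wrong guesses before the hint path is locked (assumption)
LOCKOUT_SECONDS = 15 * 60   # length of the lock (assumption)
PBKDF2_ROUNDS = 100_000


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "  Rex " and "rex" match.
    return " ".join(answer.lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def make_hint_record(question: str, answer: str, birth_day: int, birth_month: int) -> dict:
    """What the profile page would store: the question in clear, the answer
    only as a salted hash, the day and month of birth, and lockout state.
    (Record layout is an assumption for this example.)"""
    salt = os.urandom(16)
    return {
        "question": question,
        "salt": salt,
        "answer_hash": _hash_answer(answer, salt),
        "birth_dm": f"{birth_day:02d}-{birth_month:02d}",
        "failures": 0,
        "locked_until": 0,      # Unix time; 0 = not locked
    }


def verify_hint(record: dict, day: int, month: int, answer: str, now: int) -> bool:
    """Check both factors, count failures, lock out after MAX_FAILURES."""
    if now < record["locked_until"]:
        return False            # locked: do not even evaluate the guess
    dm_ok = hmac.compare_digest(f"{day:02d}-{month:02d}".encode(), record["birth_dm"].encode())
    ans_ok = hmac.compare_digest(_hash_answer(answer, record["salt"]), record["answer_hash"])
    # Both factors are computed before deciding, so a wrong date and a wrong
    # answer take the same time and the response reveals which one failed to nobody.
    if dm_ok and ans_ok:
        record["failures"] = 0
        record["locked_until"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
    return False


def issue_reset_token(record: dict, day: int, month: int, answer: str, now: int) -> Optional[str]:
    """Return a single-use reset token if the hint check passes, else None.
    The caller would bind the token to the GuestID and expire it quickly."""
    if not verify_hint(record, day, month, answer, now):
        return None
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rec = make_hint_record("Name of first pet?", "  Rex ", 4, 7)
    print(issue_reset_token(rec, 4, 7, "rex", 1_150_000_000) is not None)   # True
    print(issue_reset_token(rec, 4, 7, "max", 1_150_000_000))               # None
```

Even with lockout, the hint path only proves knowledge of two low-entropy facts; where the guest has a verified e-mail address, or can present identification to the HelpDesk, those methods should be preferred, and the reset form should return the same generic response whether the date, the answer, or the GuestID itself was wrong.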

Profile Page

A guest will be able to change the following via a profile page:

  • password
  • e-mail
  • Name
  • Hint question and answer (used for a forgotten password)