Phase 2
Phase 2 of the GuestID System will deliver to campus units the ability to create GuestIDs and grant service authorizations to guests.
The following infrastructure components are required to implement GuestID Phase II:
1) A generic self-service application for users to sign up for a GuestID
2) A web-based tool for unit administrators to create GuestIDs
3) A central authorization system which meets the requirements identified in Phase I, most likely open source products Signet and Grouper
4) Tools for unit administrators and/or service owners to assign service authorizations to guests
We have also identified two important policy and process issues which should be resolved prior to the deployment of a campus-wide GuestID service:
1) Decisions, made by the appropriate parties, regarding which applications/information guests may access. For example:
a. By design, identity proofing for GuestID assignment will be less strict than the process used for NetID assignment. An important decision for campus data stewards will be whether certain classes of data will always require the higher level of assurance associated with the NetID.
b. There may be cost considerations which would prohibit Cornell’s ability to provide guest access to some services.
2) CUWebAuth is the software which allows web-based applications to use central authentication services. A service owner can configure the current implementation of CUWebAuth to allow anyone with a valid NetID to access the service. This configuration, if not accompanied with some other form of access control at the application level, will not be acceptable once GuestIDs are widely deployed.