Using Single Sign-On on Shared Machines

I. Background / Introduction

The adoption of single sign-on (SSO) by campus systems requires that special steps be taken when authenticating on a shared machine. Using SSO to log on to university-owned electronic Information Resources (eIRs) requires special practices to ensure the safety of all user accounts and to ensure that eIRs are used in ways that are consistent with the university’s mission of instruction, research and public service. The purpose of this policy is to provide proper user education and define the best practices necessary to keep accounts safe and secure while using shared machines and in shared lab environments.

II. Definitions

SSO: (single sign-on) refers to the ability to log in a single time to access multiple services in a seamless manner that does not require re-entry of the user ID and password for the lifetime of the SSO session. This means that signing into one CruzID Gold application allows you to access certain other CruzID Gold applications without having to sign in again.

eIR: (Electronic Information Resource). A resource used in support of university activities that involves the electronic storage, processing or transmitting of data, as well as the data itself. This includes resources such as computers, terminals, networks, modems, printers, portable electronic devices, telephones, and electronic media.

AUP: (Acceptable Use Policy).  

III. Procedures

The university provides eIRs for use at various computer labs and libraries around campus. It is the responsibility of all faculty, staff, students and other campus affiliates to use these resources as defined by UCSC’s Acceptable Use Policy (AUP). When using SSO, there is a series of practices that must be used to adhere to the AUP. Use of campus eIRs is a privilege, and all campus affiliates must take initiative to protect the confidentiality of their login information when working at shared locations. Any person found violating computer lab rules may lose their lab privileges as defined by the Policy & Rules for Computer Lab Use.

  1. When using a workstation at a shared location, you should always use a private browsing mode. Private browsing modes are meant to not leave behind revealing information such as usernames, passwords, session cookies and other bits of personal information. For more on how to properly use a private browsing mode, see the SSO FAQs.
  2. Once finished with a browsing session, make sure to quit the browser completely before leaving. Instructions for completely quitting a browser can be found on the SSO FAQs. Quitting the browser is essential to making sure that no login information is stored locally on the machine. Additionally, any user that comes across a shared device containing login information should quit the browser of the previous user that was logged in. According to the UC Electronic Communications Policy, affiliates are prohibited from seeking out, using or disclosing personal information without authorization, and doing so can result in temporary or full suspension of your UCSC account.
  3. When possible, it is a good idea to shut down the resource you are on before you leave.

See KB0019056, which provides device setup guidelines for administrators of shared computers (you must be logged in to ITR to access the KB).

IV. Getting Help

For questions about SSO on shared computers, contact the ITS Support Center at itrequest.ucsc.edu or email/call help@ucsc.edu, 831-459-4357. If you believe another user has gained access to your account because you didn’t follow these best practices, you should report it. More information and instructions on how to make this report can be found at https://its.ucsc.edu/security/report.html.

V. Related Policies and References