Profile

David Langenberg

My Content

1 to 16 of 16 total
Posted By David Langenberg 04-25-2023 09:37:47 AM
Found In Egroup: Identity and Access Management
If a student unenrolls/withdraws, we start closure immediately which results in them having about 45 days of access before they're fully cut off. If they go on a leave of absence, then their access to things like email continues during the leave period. If they graduate, then we give them about 6 months ...
Posted By David Langenberg 03-02-2023 03:30:52 PM
Found In Egroup: Identity and Access Management
Unfortunately, the "right thing" in this case is to have your institution pursue a license for an exception from the Dept of the Treasury. We first thought Duo was a bit off, but then a few other vendors got on board with the same enforcement. Right now, we apologize to those individuals, explain the ...
Posted By David Langenberg 12-05-2022 07:54:25 AM
Found In Egroup: Identity and Access Management
Before you go too far down the road, are you using M365 or Google? If so, you may want to review the TOS because both of those services' TOS require 1 account 1 identity by default. Dave David Langenberg Assistant Director, Identity & Access Management | IT Services The University of Chicago ...
Posted By David Langenberg 10-05-2022 11:51:50 AM
Found In Egroup: Identity and Access Management
Yeah, we see that a couple of times a year, but with email aliases (you can choose up to 5 additional ones). Rather than attempt to filter them out (impossible to get every permutation) or hire folks to review every alias request (expensive, time consuming, and – we're supposed to all be adults here ...
Posted By David Langenberg 10-05-2022 09:57:37 AM
Found In Egroup: Identity and Access Management
I'm curious how you've seen abuse? We've been letting them choose since 1999 and while there's sometimes questionable choices, the most "abuse" I've come across has been from the systems around here that use algorithms for assignment & the algorithms create profane usernames (either in English or in ...
Posted By David Langenberg 10-05-2022 09:37:37 AM
Found In Egroup: Identity and Access Management
Hi We try to avoid name-changes if possible. The only cases where we generally permit a change are for gender changes where the old username reflected that person's "dead name" or there's a harassment / stalking issue (with recommendation from university police that we change it). When we do perform ...
Posted By David Langenberg 10-05-2022 09:15:38 AM
Found In Egroup: Identity and Access Management
When a student indicates that they've accepted admission we enable them to claim their account. Usually starts around January for the fall admits with late April being when the majority claim. Again, usernames are NEVER recycled. We do see some of these folks again in the future. Choose your own adventure ...
Posted By David Langenberg 10-03-2022 03:37:08 PM
Found In Egroup: Identity and Access Management
Usernames can never be re-assigned here. Mail-aliases are a different story, but once an alias turns into a username, it's that individual's forever. Dave David Langenberg Assistant Director, Identity & Access Management | IT Services The University of Chicago Pronouns: he/him/his Phone: ...
Posted By David Langenberg 08-19-2022 09:50:45 AM
Found In Egroup: Identity and Access Management
We wrote a feature into our MFA management app that enables people to generate a list of MFA codes to be printed out on paper & kept in a wallet. Provides a no-tech way to enter areas like you mention as well as an emergency fallback if something happens to your primary MFA device. See item 3 on ...
Posted By David Langenberg 05-31-2022 01:56:24 PM
Found In Egroup: Identity and Access Management
We have a riff on this idea. What we do is your official email address is username@domain. Then we allow our users to claim up to 6 email aliases & provide tooling to enable them to designate an alias as "primary" for the purposes of email. Outlook then sends from your "primary" email alias. When confusion ...
Posted By David Langenberg 03-31-2022 08:43:24 AM
Found In Egroup: Identity and Access Management
We have a few similar setups here. They use our existing sponsored account systems & carding processes. When it comes to the accounts though, depending on the space/facility/use-cases, we tend to give accounts with no birthrights and/or extremely minimal birthrights (wireless only). Email addresses and ...
Posted By David Langenberg 03-11-2022 07:22:38 AM
Found In Egroup: Identity and Access Management
SAML 2.0 with the vendor being a part of InCommon is overwhelmingly our preferred path. It's almost a no-op to set up, and crazy low maintenance/overhead when we need to do something like a SAML cert-rollover. We do not yet support OIDC. That's on the roadmap for later this spring. Dave David Langenberg ...
Posted By David Langenberg 02-09-2022 05:20:50 PM
Found In Egroup: Identity and Access Management
We've had great success with Unicon and IDM Engineering for shib support and enhancements/upgrades/etc. InCommon's shib class is also mandatory training for all of my folks. The shibboleth site also has a list of known commercial support providers (YMMV): https://www.shibboleth.net/support/ Dave ...
Posted By David Langenberg 01-11-2022 12:32:56 PM
Found In Egroup: Identity and Access Management
We are in the middle of standing up BeyondTrust Password Safe for PAM. No advice or tips yet as we just finished getting it installed and are trying to figure out how we want to roll it out to everybody. Would also love any tips or advice. Dave -- David Langenberg Assistant Director, Identity ...
Posted By David Langenberg 12-14-2021 12:52:22 PM
Found In Egroup: Identity and Access Management
We use Yubikey for our tokens. They're simple to use, easy to understand, hold up to abuse well, and if you buy in bulk, Yubico will also hand you a CSV you can quickly load into Duo to pre-register the keys in your instance so they're ready for assignment. We them to our users/departments at our Identity ...
Posted By David Langenberg 11-22-2021 12:07:24 PM
Found In Egroup: Identity and Access Management
Erica, How often / many notices do you send? When we re-did our offboarding process in 2008, we made it such that we now send everybody at least 6 (down from 10 in original impl) closure notices AND in the middle of the process turn a few noticeable things off just to drive the point home that these ...