SharePoint Working Group Minutes, September 8, 2008

*Attending*

Jim Ferraiollo, University of Virginia
Paul Caskey, University of Texas
Renee Frost, Internet2
Steve Olshansky, Internet2
Dean Woodbeck, Internet2

Paul Caskey provided an overview of the efforts of the University of Texas System's central office to federate SharePoint. The system has used SharePoint for years, but is interested in federating to relieve help desk pressure, caused by account management issues such as resetting user passwords.

To date, UT has not found a good solution for federating, but is currently looking at 9Star's ActiveShare Federation Service (ASFS). The main problem comes when those external to the UT system office log in to the SharePoint server through Shibboleth. These users can see all of the information in the database and can open documents, for example. However, they cannot save documents directly to the SharePoint server. The work-around is having these users save a document to their hard drive, using the same filename, then upload that document to the SharePoint server.

Such a work-flow has the potential for data spills, since copies of documents may end up residing on numerous hard drives. Paul used the example of an upcoming chancellor search at the University of Texas. The search committee will collaborate via SharePoint, including viewing resumes and accessing interview notes. There is significant concern about having such information residing on multiple unsecured hard drives.

The UT system staff will meet with 9Star next week to discuss these concerns and potential solutions.

There are a couple of possible work-arounds, such as having a user authenticate with Shibboleth through the home IdP, then automatically creating a user ID and password for SharePoint that would expire after 24 hours.

UT uses a number of business applications in SharePoint and funnels the decision-making for access to the application owners. However, with the current ASFS product, mapping SharePoint users into federated groups would mean going back to central management of access to applications, which is not desirable.

Jim Ferraiollo said that the University of Virginia currently creates an account in Active Directory for external users who demonstrate a need for access. They realize this is not sustainable and are looking for solutions.

The next call is scheduled for Sept. 22, at 2 p.m. EDT.