With the retirement of the Authentication Web Server (AWS), many applications have migrated authentication to the Central Authentication Service (CAS), which supports single sign-on. In addition, campus departments are increasingly using central authentication for new homegrown and purchased applications.
A number of IT staff across campus raised security concerns about the spread of single sign-on with regard to shared public workstations, or kiosks. To address these concerns, the CalNet team worked with members of the CalNet Tech Team (an open forum of campus developers) and the Campus Information Security and Privacy Committee (CISPC) to develop an initial set of Campus Guidelines for Kiosk Workstations.
These guidelines are not meant to be comprehensive or exhaustive; they are a limited set of basic guidelines departments should follow if they provide workstations that are available for use by the general public.
The guidelines focus primarily on
- configuring kiosk machines to minimize the chance that users will inadvertently leave themselves logged in when they leave a public workstation, and
- educating kiosk users so that they don't inadvertently leave themselves logged in.
Configuring kiosk machines
CAS authentication is handled by the web browser. When users log in to CAS, CAS stores a cookie in the web browser that holds that user's authenticated state. If the user does not log out of CAS or quit the browser before leaving a kiosk, the web browser will continue to hold that user's authenticated state. In that situation, the next person to use the workstation to access a CAS-enabled application will be accessing the application as the previous user.
Please note that CAS does not pass a user's CalNet ID and passphrase to other applications, so single sign-on does not put CalNet credentials at risk of compromise. But since CAS manages a user's authenticated state via the web browser, the guidelines recommend that the web browsers on kiosk machines be configured not to accept cookies from the CAS server. This configuration means that users cannot participate in single sign-on at kiosk machines and will have to log in to each CAS-enabled application separately. Proper web browser configuration, coupled with short application session timeouts (another component of the kiosk guidelines), will reduce the likelihood of users inadvertently leaving themselves in an authenticated state when they leave a kiosk workstation.
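One way to verify the browser configuration described above is to audit a kiosk's managed browser policy file. This is an added example, not part of the guidelines or CalNet's own tooling: the host `cas.example.edu` and the sample policies are constructed placeholders, and the keys checked are the Chrome and Firefox enterprise cookie policy settings.

```python
CAS_HOST = "cas.example.edu"  # placeholder: the guidelines do not name the CAS host

def covers(pattern, host):
    """True if a policy URL pattern ('https://h', 'h:443', '[*.]domain') covers host."""
    p = pattern.strip().lower()
    if "://" in p:
        p = p.split("://", 1)[1]               # drop the scheme
    wildcard = p.startswith("[*.]")            # Chrome's subdomain wildcard
    if wildcard:
        p = p[4:]
    p = p.split("/", 1)[0].split(":", 1)[0]    # drop path and port
    return p == host or (wildcard and host.endswith("." + p))

def _blocked(block, allow, default_rejects, host):
    # Fail closed: any allow rule covering the CAS host counts as non-compliant,
    # even if a block rule also exists.
    if any(covers(p, host) for p in allow):
        return False
    return default_rejects or any(covers(p, host) for p in block)

def chrome_blocks_cas(policy, host=CAS_HOST):
    """policy: dict loaded from a Chrome managed-policy JSON file."""
    allow = (policy.get("CookiesAllowedForUrls", [])
             + policy.get("CookiesSessionOnlyForUrls", []))
    return _blocked(policy.get("CookiesBlockedForUrls", []), allow,
                    policy.get("DefaultCookiesSetting") == 2, host)  # 2 = block all

def firefox_blocks_cas(doc, host=CAS_HOST):
    """doc: dict loaded from a Firefox policies.json file."""
    c = doc.get("policies", {}).get("Cookies", {})
    allow = c.get("Allow", []) + c.get("AllowSession", [])
    return _blocked(c.get("Block", []), allow, c.get("Behavior") == "reject", host)

# Constructed sample policies: a default-allow kiosk and two compliant ones.
CHROME_WEAK = {"DefaultCookiesSetting": 1}
CHROME_HARDENED = {"CookiesBlockedForUrls": ["https://cas.example.edu"]}
FIREFOX_HARDENED = {"policies": {"Cookies": {
    "Block": ["https://cas.example.edu"], "Locked": True}}}

if __name__ == "__main__":
    for name, ok in [("chrome weak", chrome_blocks_cas(CHROME_WEAK)),
                     ("chrome hardened", chrome_blocks_cas(CHROME_HARDENED)),
                     ("firefox hardened", firefox_blocks_cas(FIREFOX_HARDENED))]:
        print(f"{name}: {'CAS cookies blocked' if ok else 'NOT blocked'}")
```
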
User education
A second component of the kiosk guidelines is user education. Many users do not understand how single sign-on works or what risks they may be taking by using kiosk workstations. The guidelines require that signage be placed on or near kiosk workstations instructing users to quit the web browser before leaving the workstation and, if possible, to log out of the workstation.
Suggestions for additions or improvements to the kiosk guidelines can be sent to or
