That's what Indiana University does as well.
From: Identity Management Constituent Group Discussion list On Behalf Of Dean Knape
Sent: Wednesday, April 22, 2009 7:49 AM
Subject: Re: [IDM] Need freelance CAS developer
This is also the approach NJIT has taken, which has worked out very well.
We require the first login to the GA account to be via the SSO/SAML
entry point. Once the GA account is validated and active, the user may
choose to enable POP/IMAP and maintain a separate "Google credential".
The Google credential is managed via a local password set/reset facility
we provide. This solution provides the mobility support demands of our
users without exposing institutional credentials.
On 4/21/2009 4:56 PM, Brendan Bellina wrote:
> This is what we have been doing at USC for the last year.
> Another point to consider, though, is whether the Google Account
> lifecycle is the same as your enterprise account lifecycle. If your
> enterprise accounts are terminated after graduation but you want the
> Google Apps service to work for life, then tying GA into your SSO
> environment is going to require that you rethink the account lifecycle
> in your SSO environment.
> On Apr 21, 2009, at 12:48 PM, David Bantz wrote:
>> Another alternative is to allow POP/IMAP access to Gmail account, but
>> with its own unique password.
>> That may sound inconvenient for users, but recognize that many or
>> most will store their POP/IMAP password in their POP/IMAP client
>> anyway so they don't repeatedly enter it.
>> David Bantz
>> On Tue, 21 Apr 2009, at 11:39 , Alan Sill wrote:
>>> Hi Barry,
>>> On Apr 21, 2009, at 2:32 PM, Barry R Ribbeck wrote:
>>>> Be aware that the following has appeared on this list before.
>>>> Linking your Auth system into Google is fine and does not expose your
>>>> institutional accounts password, however if the user base wishes to use
>>>> PDA access to POP and IMAP function of GMAIL, this will expose their
>>>> institutional credentials and has forced some to rethink the sync
>>>> strategy. This may be something to consider before committing to
>>>> an SSO strategy with GMAIL.
>>> Good point. I believe this can be solved completely by requiring
>>> SSL access via IMAP, and not allowing POP access. This is a good
>>> policy regardless of the underlying mail system.
>>> Alan Sill, Ph.D
>>> Senior Scientist, High Performance Computing Center
>>> Adjunct Professor of Physics
>>> : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
>>> : e-mail: [log in to unmask] ph. 806-742-4350 fax 806-742-4358 :