
Project Status: Planning

High-Risk Applications

High-risk applications are those that meet any of the following criteria:

  • Applications that store or transmit High or Medium risk data. See Penn Data Risk Classification.
  • An application outage would prevent any of the following from happening: revenue generation, maintaining critical services, safety operations, or regulatory obligations.
  • The application allows privileged actions that could adversely impact a large number of other systems, data, or people (e.g., endpoint management systems, infrastructure management tools).

WebLogin SSO and Front Door Authorization

To increase protection of Penn’s information, assets, and reputation, high-risk applications must use WebLogin SSO and front door authorization or equivalent access management practices. While these are available for all schools and centers, the initial focus will be part of the SecureIT project.

WebLogin SSO is Penn’s central SAML- and OIDC-compliant identity provider for logging in to web applications. It uses the central university credential, PennKey, and enforces various additional security policies, especially related to multi-factor authentication.

Front door authorization is a feature of WebLogin that adds a layer of access control to the login process. Service/application owners identify the people entitled to use their app. When a person logs in, an eligibility check is performed, and if the person is no longer a member of that group, access is denied—even if they still have an active PennKey and an active account in the application. It is an added layer of protection against unauthorized access, especially for apps that lack robust access controls or that rely on manual access management. Equivalent functionality would be to have automated access management processes in place.