Over the last 10+ years, DoIT has developed nearly 200 forms for offices across campus, providing enhanced business processing options. These forms deliver a better user experience and a more efficient process, while also capturing information in a structured manner before an RT ticket is created.
On the evening of 6/23/2020, DoIT applied a security enhancement to these forms to address a newly identified issue, clickjacking, in which a malicious site loads a legitimate page inside an invisible frame and tricks the visitor into clicking on it. The goal was to provide the necessary protection transparently, with no interruption to campus users.
The DoIT team of Collier Jones, Jacob Lutz, and Paul Riddle collaborated earlier this summer to develop the strategy for dealing with this security concern. Once the strategy was determined, Jacob Lutz architected a solution that avoided the major effort of adjusting each form used by the community individually.
While most users were not impacted after the security solution was applied, we were alerted that a few older forms reacted adversely to the change. Jacob resolved the two incidents identified very quickly.
How do RT forms and authentication work?
- Authentication is enforced for all UMBC software via Single Sign-On (SSO). Most campus users experience this when they log into myUMBC.
- Once you have authenticated in a browser session (logged in), you can open many tabs accessing various UMBC software without being prompted to log in again.
- If you are already logged in somewhere in a browser session with your UMBC information when you open an RT form, you will not see any change at all.
- In the past, if the RT form was the first UMBC application accessed within that browser session, you were prompted to log in via the normal login prompt below.
Now, however, if the RT form is the first UMBC application accessed within that browser session, the new security behavior presents you with a new Login prompt, shown below.
Upon clicking this Login button, a new tab opens and you are presented with the familiar, normal login prompt, shown below. Yes, this is an extra step, but completing the login in its own tab was the only way available to achieve the protection without a major rework of all your existing forms.
*Note that this only affects RT forms that are accessed before you have authenticated.
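The behavior described above is the user-visible side of a standard clickjacking defense: the server tells the browser which origins are allowed to frame a page, and the browser refuses to render it inside any other frame. The following is an added JavaScript example, not DoIT's code (the page does not say how the RT forms themselves were hardened). The origins are constructed for illustration; the helpers model how the two response headers are built and how a browser that understands CSP level 2 evaluates them.

```javascript
// Added example, not DoIT's code: anti-clickjacking framing policy helpers.
// All origins below are constructed for illustration.

// Build the headers for a page that may only be embedded by the listed origins.
// X-Frame-Options knows only DENY and SAMEORIGIN (ALLOW-FROM is deprecated), so
// an allowlist that includes other origins can only be expressed with the CSP
// frame-ancestors directive; X-Frame-Options is kept as a fail-closed fallback
// for browsers that predate CSP level 2.
function buildFrameHeaders(pageOrigin, allowedOrigins) {
  if (allowedOrigins.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  const sources = [...new Set(allowedOrigins.map((o) => (o === pageOrigin ? "'self'" : o)))];
  return {
    'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}`,
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Extract the frame-ancestors source list from a CSP header value, or null
// when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(source, pageOrigin, parentOrigin) {
  if (source === "'self'") return parentOrigin === pageOrigin;
  const wildcard = /^([a-z][a-z0-9+.-]*):\/\/\*\.(.+)$/i.exec(source);
  if (wildcard) {
    // Host wildcard such as https://*.example.edu: same scheme, any subdomain.
    const parent = new URL(parentOrigin);
    return parent.protocol === `${wildcard[1].toLowerCase()}:` &&
      parent.hostname.endsWith(`.${wildcard[2].toLowerCase()}`);
  }
  return source.toLowerCase() === parentOrigin.toLowerCase();
}

// Decide, the way a CSP2-capable browser does, whether a page from pageOrigin
// delivered with `headers` may be rendered inside a frame owned by parentOrigin.
// parentOrigin === null means the page is the top-level document (a normal tab).
function isFramingAllowed(headers, pageOrigin, parentOrigin) {
  if (parentOrigin === null) return true;
  const sources = parseFrameAncestors(headers['Content-Security-Policy']);
  if (sources !== null) {
    // When frame-ancestors is present the browser ignores X-Frame-Options.
    return sources.some((s) => sourceMatches(s, pageOrigin, parentOrigin));
  }
  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  return true; // No protection at all: any site can frame the page (the clickjacking case).
}

// Constructed scenario: the form host may be embedded by the campus portal only.
const FORM_ORIGIN = 'https://forms.example.edu';      // assumption
const PORTAL_ORIGIN = 'https://portal.example.edu';   // assumption
const ATTACKER_ORIGIN = 'https://evil.example.net';   // assumption

const hardened = buildFrameHeaders(FORM_ORIGIN, [FORM_ORIGIN, PORTAL_ORIGIN]);
const unprotected = {}; // no framing headers at all

function demo() {
  return {
    attackerBeforeFix: isFramingAllowed(unprotected, FORM_ORIGIN, ATTACKER_ORIGIN), // true
    attackerAfterFix: isFramingAllowed(hardened, FORM_ORIGIN, ATTACKER_ORIGIN),     // false
    portalAfterFix: isFramingAllowed(hardened, FORM_ORIGIN, PORTAL_ORIGIN),         // true
    topLevel: isFramingAllowed(hardened, FORM_ORIGIN, null),                        // true
  };
}

console.log(hardened, demo());
```

Run it with `node`. Two practitioner points follow from the evaluator: a form that was legitimately embedded in a page on another origin before such headers were added is blocked afterwards unless that origin is in the allowlist (one plausible cause of older forms "reacting adversely", though the page does not say so), and a login page protected this way cannot be completed inside a frame, which is consistent with the new Login button opening its own top-level tab.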