SSO guidance for UAS editors

Introduction

This guidance outlines principles for publishing non-public content online behind ‘Single Sign On’ (SSO). Its purpose is to address the platform and compliance issues that arise from implementing SSO on Mosaic as part of the UAS website migration project.

SSO limitations

The Mosaic platform was designed to host external websites and satisfies a large proportion of the Information Security Team’s baseline security assessment criteria. On this basis, it has been formally assessed as suitable for storing public information. However, Mosaic was not designed to store non-public data, and hosting non-public content on it raises significant issues, including performance and security risks. Placing a page behind SSO controls who can view it; it does not change the platform’s assessed suitability for holding the data on that page.

This means that Mosaic is unlikely to be the long-term solution for internal content. However, in the absence of an immediate alternative, Mosaic can host some SSO content in the short term.

Guidance on publishing content

Please use the following guidelines when considering where to publish information online: 

1.    Where possible, Mosaic content pages should be made public

Mosaic is a public platform. Placing individual webpages behind SSO is likely to impact the user experience and make content harder to find. The guiding principle is that pages on the platform should be made public (even if the intended audience is internal) unless there is a specific reason not to. 

2.    The decision to restrict access to content pages should only be made in the following instances:

a.    Making it public is likely to pose a compliance risk to the University.
For example, publishing information about individuals, such as student admissions applications, staff appointments, or medical or employment data, is likely to breach data privacy legislation.

Content of this type should never be published on Mosaic. It should instead be hosted on SharePoint (or another platform that has been evaluated as secure enough to hold sensitive data by the Information Security team).

b.    Making it public is likely to lead to operational or reputational risks.
Some content is not high risk from a compliance perspective, but making it public could still adversely affect the University. For example, publishing the work contact details of employees could lead to an influx of unhelpful calls to staff or put them at risk of harassment, and publishing preferred supplier lists could be damaging from a commercial perspective.

Content of this type should be published behind SSO on the Mosaic platform.

3.    Internal (SSO-restricted) documents, such as Excel, Word and PDF files, should only be published on SharePoint

This will help to reduce potential performance issues on the platform. Public facing documents should continue to be published on Mosaic.

Examples

This table provides an indication of where different types of content should be published. It should be used as a guide when making decisions.

Mosaic (public)

All content that does not specifically need to be restricted from public access. This includes:

  • Public facing documents
  • Committee memberships (non-sensitive topics)
  • Information about internal training
  • Policy documents (non-sensitive topics)
  • Employees’ work email addresses and phone numbers (where the individual has consented to their contact details being made public)

Mosaic (behind SSO)

Content on web pages that is likely to lead to operational or reputational risks if it becomes public. This includes:

  • Preferred supplier lists
  • Employees’ work email addresses and phone numbers (where the individual has not consented to them being made public)
  • Policy documents on sensitive topics (such as security arrangements, exams and disciplinary procedures, building regulations)
  • Committee memberships (where the committee handles sensitive issues)

NB: This column relates to content pages only. All SSO documents should be published on SharePoint, not Mosaic.

SharePoint

All SSO documents.

Sensitive personal data such as:

  • Admissions applications
  • Job applications
  • Medical information
  • Employment information
  • Personal (home) contact details

Related content

Content editors should also follow the guidance on writing for UAS websites.

Contact

For questions or feedback about this guide email Peter Stockdale
