
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Guest Accounts

Overview

Like most organizations, Stanford University controls access to its online resources and assets through a user account and password. The SUNet ID system is Stanford's main computing account system for registered students, regular and emeritus faculty, and staff. Another class of account, the sponsored SUNet ID, is available to anyone with a valid affiliation to current faculty or staff; a monthly charge applies. Yet another class of account, the Guest Account, is needed for the thousands of conference goers, collaborators, and colleagues at other institutions who visit Stanford each year—physically or virtually.

The Guest Account system was created to allow visitors to access restricted web pages and other online resources, without the sponsorship, management, billing, and support requirements of a sponsored SUNet ID. The system combines a single, centralized system and account with special authentication infrastructure.

A Stanford Guest Account:

  • Is a self-service account that guests use to access specific resources at Stanford
  • Can be initiated by a member of the Stanford community, or can be initiated by anyone who has a valid email address and a need to access certain restricted online resources at Stanford
  • Uses the Guest Account holder's external (to Stanford) email address for identification and authentication
  • Grants no privileges by default; all privileges are conferred by group management
  • Is associated with groups for access control to restricted resources
  • Supports automated password resets

How it Works

Guest Accounts are created through an email invitation system. The invitation is emailed to the external address of the invitee by any Stanford faculty, staff, or student. The invitee clicks on a link in the invitation email, which goes to the Guest Account creation page. The invitee selects a password and is then authenticated to the Guest Accounts system.

It is the responsibility of the Stanford affiliate sending the invitation to ensure that the person or group receiving the Guest Account is granted access to specific Stanford resources. In other words, a Guest Account does not automatically grant access to any Stanford pages.

Example: An engineering student may wish to collaborate with students at other universities. The student wants to grant access to restricted department and group web pages and resources for a project. S/he sends Guest Account email invitations to colleagues and gives those email addresses to the administrator for the web pages. Once the administrator grants access to the web pages, the invitees are able to click on a link from the Guest Account Invitation email, and view the web pages.

From an application provider's point of view, these are the components of the guest account system:

  • The Guest Account web pages: Allow invitations to be sent and facilitate password creation and changes.
  • The Authentication System: A separate directory, domain, and MySQL database that store the information about a guest account and support an authentication mechanism. These components are maintained by IT Services.
  • The Workgroup Manager: Allows providers to add guest account IDs to predefined groups of users. Groups can then be assigned to specific applications and web pages.
  • Shibboleth: A software component that obtains the relevant guest group association and other information about the guest account. It passes this information to the authentication system to allow access to specific applications and web pages.

Note: Access to web pages and resources at Stanford is not automatically granted with a Guest Account. Access must be set by an administrator for each Guest Account holder.

Security Considerations and Guest Account Usage Policy

The Guest Account system provides a lower level of security than the SUNet ID system. It is not intended to be a replacement for a SUNet ID. In particular, Guest Accounts should not be used for applications that have HIPAA, Human Subjects, Research, or Stanford-restricted data with other legal restrictions. Please review the Usage Policy to determine if the system is suitable for your needs.
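
An added example (not Stanford's code) of how an application provider might enforce the two rules described above: a Guest Account has no access until an administrator places it in a group assigned to the resource, and guest accounts stay off resources that hold the restricted data types named in this section. The session attribute names, group name, paths, and data-class labels are assumptions made for illustration.

```python
from dataclasses import dataclass

# Data types this page says Guest Accounts should not be used for.
# The label strings are constructed for this example.
GUEST_PROHIBITED = frozenset({"hipaa", "human-subjects", "stanford-restricted"})

@dataclass(frozen=True)
class Resource:
    path: str
    allowed_groups: frozenset            # groups an administrator assigned to it
    data_classes: frozenset = frozenset()

@dataclass(frozen=True)
class Session:
    """What the application sees after authentication (assumed shape)."""
    account_id: str                      # for a guest: the external email address
    account_type: str                    # "guest" or "sunet"
    groups: frozenset = frozenset()      # group memberships released at login

def authorize(session, resource):
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    if session.account_type not in ("guest", "sunet"):
        return False, "unknown account type"
    if session.account_type == "guest":
        # Policy guard: applies even if someone added the guest to the group.
        blocked = resource.data_classes & GUEST_PROHIBITED
        if blocked:
            return False, "guest accounts barred from: " + ", ".join(sorted(blocked))
    matched = session.groups & resource.allowed_groups
    if not matched:
        return False, "no group grants access"
    return True, "granted via " + ", ".join(sorted(matched))

# Constructed sample data: one project page, one page holding HIPAA data.
PROJECT = Resource("/dept/project", frozenset({"eng:project-collab"}))
CLINICAL = Resource("/dept/clinical", frozenset({"eng:project-collab"}),
                    frozenset({"hipaa"}))
new_guest = Session("visitor@example.edu", "guest")
member_guest = Session("visitor@example.edu", "guest",
                       frozenset({"eng:project-collab"}))
staff = Session("jdoe", "sunet", frozenset({"eng:project-collab"}))

if __name__ == "__main__":
    for who in (new_guest, member_guest, staff):
        for res in (PROJECT, CLINICAL):
            print(who.account_type, sorted(who.groups), res.path, authorize(who, res))
```

The guest check runs before the group check so that a mistaken group assignment cannot expose a restricted resource to a guest account.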

Last modified Wednesday, 04-Jun-2008 04:35:14 PM
