...
- Web SSO authentication via Entra
- Web SSO authentication via Shibboleth
  - Web SSO is the preferred authentication method for applications within the University network. If an application supports Shibboleth, the application is required to use it, unless the service has been granted an exception by the CISO. Single Sign-On is most effective when it is adopted by the largest number of applications. It is also a more secure method of handling the NetID and password, since the application itself never sees them.
  - Web SSO provides two-factor authentication, which offers a greater level of security and is required where available.
  - New applications must operate within this Web SSO environment. If the standard product cannot operate in this way, an exception request must be submitted to the CISO along with a rationale for why this product is the preferred solution.
- Active Directory authentication
  - The definition of the central Active Directory schema is managed by ITS.
  - Schools and divisions may not operate a dedicated AD Domain or Forest for authentication.
  - The application software must not require superuser or write access to Active Directory in order to authenticate users and retrieve attributes.
  - All connections to Active Directory must be made in a secure fashion, using SSL or a mechanism that provides a comparable level of security.
- LDAP authentication via 389
  - Access to LDAP Registry authentication services is by request only and is limited to specific application credentials at specific IP addresses. Anonymous binding to the LDAP Registry is not supported.
  - Connections to the LDAP Registry must be made over an LDAPS (SSL-protected) link.
  - The definition of the LDAP Registry schema is managed by ITS, and extension to accommodate additional data elements is reviewed on a case-by-case basis.
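The Active Directory and LDAP Registry requirements above (SSL/LDAPS-protected connections, no anonymous binds, no superuser or write-capable application accounts) can be checked against an application's directory configuration before it is deployed. The following is an added example, not code from the policy or from ITS; the `DirectoryConfig` fields, the `privileged_groups` attribute and the sample hostnames and DNs are constructed for illustration.

```python
"""Policy-conformance check for an application's directory-authentication settings.

Added example (not part of the policy page). It validates a connection
configuration against the requirements listed above:
  * the link to AD / the LDAP Registry must be LDAPS (SSL/TLS protected),
  * binds must use a dedicated application credential, never anonymous,
  * the bind account must not hold superuser or write-level directory rights.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class DirectoryConfig:
    url: str                      # e.g. "ldaps://ldap.example.edu" (constructed)
    bind_dn: str                  # empty string means an anonymous bind
    bind_password: str
    # Group memberships of the bind account; assumed to be supplied by whoever
    # provisions the credential (hypothetical attribute, not a page-defined one).
    privileged_groups: Tuple[str, ...] = ()


# Directory groups whose membership implies superuser / write access.
# Constructed list of well-known AD built-ins; extend for local conventions.
PRIVILEGED_GROUP_NAMES = {
    "domain admins", "enterprise admins", "administrators",
    "account operators", "schema admins",
}


def check_directory_config(cfg: DirectoryConfig) -> List[str]:
    """Return a list of policy findings; an empty list means the config conforms."""
    findings: List[str] = []
    parts = urlsplit(cfg.url)

    # Transport: the policy requires LDAPS, i.e. the ldaps:// scheme.
    scheme = parts.scheme.lower()
    if scheme != "ldaps":
        findings.append(
            f"connection must use LDAPS; got scheme '{scheme or '(none)'}'"
        )
    if not parts.hostname:
        findings.append("no directory host specified in URL")

    # Identity: anonymous binds are not supported. A DN with an empty password
    # is an LDAP 'unauthenticated bind' (RFC 4513 section 5.1.2), which many
    # servers silently treat as anonymous, so it is flagged as well.
    if not cfg.bind_dn.strip():
        findings.append(
            "anonymous bind is not supported; a dedicated application credential is required"
        )
    elif not cfg.bind_password:
        findings.append(
            "bind DN supplied without a password (unauthenticated bind, treated as anonymous)"
        )

    # Privilege: the application account must not need superuser / write access.
    privileged = {g.lower() for g in cfg.privileged_groups} & PRIVILEGED_GROUP_NAMES
    if privileged:
        findings.append(
            "bind account must not hold superuser or write access to the directory; "
            f"it is a member of {sorted(privileged)}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample configurations.
    samples = {
        "conforming": DirectoryConfig(
            "ldaps://ldap.example.edu",
            "uid=svc-app,ou=apps,dc=example,dc=edu", "s3cret-from-vault"),
        "plaintext-anonymous": DirectoryConfig("ldap://ldap.example.edu:389", "", ""),
        "privileged-unauth": DirectoryConfig(
            "ldaps://dc01.example.edu", "cn=app", "", ("Domain Admins",)),
    }
    for name, cfg in samples.items():
        result = check_directory_config(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

The check is deliberately static: it inspects the configuration that will be handed to the application rather than connecting to the directory, so it can run in a pre-deployment review or a CI step without directory access, and it surfaces the unauthenticated-bind case that a scheme-only check would miss.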
...