STN-3300.02: Supported Authentication Services

STANDARD SUMMARY

Intended Audience: Information Technology Services (ITS) personnel, IT system owners, service/process owners, Procurement and Contracts owners
Standard Owner: Director of Enterprise Infrastructure Services (EIS)

Information Technology Services (ITS) provides single sign-on authentication for university IT systems and applications when appropriate.

IT systems hosted on-premises shall use one of the following authentication services:

  1. Active Directory
  2. LDAPS (Lightweight Directory Access Protocol over SSL/TLS)
  3. Apereo CAS (Central Authentication Service)
  4. InCommon Shibboleth (legacy applications only)

IT systems hosted in the cloud will use SAML2 (Security Assertion Markup Language 2.0) authentication with Western’s Azure Active Directory as the Identity Provider. Legacy applications and services may use InCommon Shibboleth.

If your system or application requires single sign-on but does not support any of the above authentication services, please contact Enterprise Infrastructure Services for options.


FULL DOCUMENT


Intended Audience: Information Technology Services (ITS) personnel, IT system owners, service/process owners, Procurement and Contracts owners

Standard Owner: Director of Enterprise Infrastructure Services (EIS)

1. Definitions

Authentication Services: Applications, protocols, and integrations that allow Western Washington University (WWU) users to securely authenticate to Western IT Systems using a common set of university-issued credentials.

Information Technology (IT) Systems: Computer systems and networking infrastructure including hardware, operating systems, software applications, databases, services, automations, and other related technologies for collecting, creating, storing, processing, and distributing information. IT systems are made available to university users for instructional, research, operational, informational, residential, co-curricular, or other purposes related to the mission and function of WWU.

Same Sign-On: An implementation of authentication services in which a user authenticates to multiple systems individually using the same login credentials. The user must re-enter their credentials for each system.

Single Sign-On: An implementation of authentication services in which a user is granted access to multiple systems after authenticating to just one of those systems.

Identity Provider (IdP): The system that verifies WWU users' credentials (username and password) and supplies their directory attributes to the IT Systems that rely on it. WWU provides authentication via two Identity Providers: Active Directory (on-premises), and Azure Active Directory (cloud).

Service Owner: The individual or department responsible for the IT System administration and/or process ownership of an IT service. The Service Owner will serve as the primary point-of-contact for ITS personnel when ITS provides authentication-related support.

2.  Expectations for Authentication Services

2.1  Compliance with University Policies and Standards

IT Systems shall comply with applicable university policies, standards, and guidelines when integrating with university Authentication Services. Authentication Service integrations must conform to security standards defined by the Information Security Office.

2.2  Use of WWU-issued Credentials for Authentication

All IT services that support integration with WWU universal credentials shall be configured to do so, when feasible. No service should require a unique credential pair, separate from the universal credentials issued to WWU students and staff, if the service is capable of authenticating based on a WWU identity.

2.3 Independence of Authentication Services

The availability of authentication services to an IT system shall not be dependent on WWU Bellingham campus’s connectivity to the internet.

ITS maintains two synchronized Identity Providers: Azure Active Directory for cloud-based services, and Active Directory for on-premises services.

If an IT System is cloud-hosted, it shall (if possible) use Azure Active Directory as its Identity Provider (IdP) to ensure that users may continue to authenticate to the service even if the WWU campus loses internet connectivity.

If an IT system is hosted on-premises, that system shall (if possible) use Active Directory as its IdP to ensure that users on campus may continue to authenticate to the service even if the campus loses internet connectivity.

2.4 Use of “Same Sign-On”

Services will use “same sign-on" instead of “single sign-on" for authentication, unless “single sign-on" can be achieved without inhibiting availability or security of the service.

While “single sign-on” is a convenience that many WWU users have grown accustomed to, the mechanisms necessary to provide it may inhibit the availability of the IT system during an internet outage, or compromise the ability of WWU to secure the system with multi-factor authentication when appropriate. To this end, “same sign-on” shall be considered an appropriate method for meeting the above requirements without compromising the availability and security of the system.

3.  Supported Authentication Services

3.1 On-Premises IT Systems

IT systems hosted on-premises shall use one of the following authentication services:

  1. Active Directory
  2. LDAPS (Lightweight Directory Access Protocol over SSL/TLS)
  3. Apereo CAS (Central Authentication Service)
  4. InCommon Shibboleth (legacy applications only)

Service Owners are responsible for creating the necessary Active Directory objects in the correct organizational unit to provide Active Directory-based authentication. ITS personnel will assist if the Service Owner does not have sufficient privileges in Active Directory to complete the task.

ITS personnel will assist service owners in the initial implementation of LDAPS integrations by providing the service owner with a read-only service account for LDAP queries.

If service owners require SSO via Shibboleth, they must provide ITS personnel with documentation of the required attributes to be released. ITS personnel will configure the release of requested attributes so long as the action does not compromise the security or integrity of sensitive university data. ITS will only maintain Shibboleth authentication for legacy systems that require it, and for any new systems that cannot support another mechanism.

3.2 Cloud-Hosted IT Systems

Authentication for cloud-hosted services will use SAML2 (Security Assertion Markup Language 2.0), with Azure Active Directory as the IdP. ITS personnel will work with the service owner requesting the identity integration to configure authentication.

Some SaaS (Software as a Service) applications are pre-integrated with Azure Active Directory. For applications that are not pre-integrated, ITS requires the following information, at a minimum, to complete configurations:

  • Basic SAML Configuration
    1. Identifier (Entity ID)
    2. Reply URL (Assertion Consumer Service URL)
    3. Sign on URL (Optional)
    4. Relay State (Optional)
    5. Logout URL (Optional)
  • User Attributes and Claims
    1. Attributes vary by application
    2. A unique user identifier (the SAML Name ID) is required; by default this is the user principal name
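As an added illustration, not part of the standard, the following Python script pulls the Basic SAML Configuration values listed above out of a service provider's SAML metadata file, which is where most vendors publish them, and flags settings that should be questioned before the Azure Active Directory side is configured. The metadata document and the vendor hostname in it are constructed for this example; Sign on URL and Relay State are not carried in SP metadata and must still be obtained from the vendor.

```python
"""Extract and sanity-check the SAML SP values ITS needs for an Azure AD
enterprise application. Example code written for this page; the metadata
below is a constructed sample, not a real vendor's."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata for a hypothetical SaaS application.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example-vendor.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app.example-vendor.com/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example-vendor.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_basic_saml_config(metadata_xml: str) -> dict:
    """Map SP metadata onto the Azure AD 'Basic SAML Configuration' fields."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    # Azure AD posts the assertion to the ACS, so pick the HTTP-POST endpoint,
    # preferring the one the SP marks as default.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    default_acs = next((e for e in acs if e.get("isDefault") == "true"),
                       acs[0] if acs else None)
    slo = sp.find("md:SingleLogoutService", NS)
    name_id = sp.find("md:NameIDFormat", NS)

    return {
        "identifier": root.get("entityID"),                          # Entity ID
        "reply_url": default_acs.get("Location") if default_acs is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        "name_id_format": name_id.text.strip() if name_id is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def check_basic_saml_config(cfg: dict) -> list[str]:
    """Return the problems a reviewer would raise before configuring the IdP."""
    problems = []
    if not cfg.get("identifier"):
        problems.append("Identifier (Entity ID) missing")
    if not cfg.get("reply_url"):
        problems.append("Reply URL (Assertion Consumer Service URL) missing")
    # The assertion carrying the user's identity is POSTed to the reply URL;
    # plain http would expose it on the wire.
    for key in ("reply_url", "logout_url"):
        url = cfg.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if not cfg.get("want_assertions_signed"):
        problems.append("SP does not require signed assertions (WantAssertionsSigned)")
    return problems


if __name__ == "__main__":
    config = extract_basic_saml_config(SAMPLE_SP_METADATA)
    for field, value in config.items():
        print(f"{field:>22}: {value}")
    print("problems:", check_basic_saml_config(config) or "none")
```

The script only reads the SP side; after the Azure AD enterprise application is created, the same fields must match what the vendor's metadata declares, and any ACS or logout URL the vendor later changes has to be re-entered on the IdP or sign-in will fail.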

4.  Authority

  1. POL-U3000.070: Securing Information Systems
  2. WA State Office of the CIO (OCIO) Standard No. 141.10: Securing Information Technology Assets

5.  References

  1. Microsoft Documentation: Understand SAML-based Single Sign-on
  2. Apereo CAS Documentation
  3. InCommon Shibboleth Information

Change Log

Revised     Version  Author        Approver                              Change
01/08/2021  1.0      Chris Miller  ITS Standards & Guidelines Committee  Original Version