Single Sign-On (SSO) and Directory Services


Single sign-on uses SAML, which lets you securely access websites and applications across organizations using your university username and password.

Single Sign-On

SAML is a two-step process involving authentication, done through a university login using your North Central University credentials, and authorization, where the application, such as skyline.northcentral.edu, determines whether or not to grant you access based on the credentials you provide.

Your access persists until you exit your session by closing your browser, or until the session times out, typically after eight hours. To begin a new session, you will need to log in again. If you are accessing sensitive information or personal data, be sure to quit your browser to log out of your SAML session when you are finished to make sure your information remains private.

Whenever possible, IT works with vendors to ensure that their products and services have SSO capabilities that can properly integrate with the university's SSO toolkit.

Directory Services

The University uses multiple directory services to govern access to technology resources. These directory services require a university username and password, check both for validity, and then provision access to services for the account holder. Access is granted based on different factors, such as the user's status with the university and their primary role. Granted privileges can be broad, such as online access to a cloud service like Office 365. Access can also be granted in a very granular fashion, such as enabling read and write privileges for a department file share.

Accounts for individuals and some shared resources are managed by the university's central directory service. User accounts are granted access to university resources via the Enterprise Active Directory service. The Enterprise Active Directory service manages access primarily through group membership. Individual users are granted access to resources based on their membership in groups that have been set up to manage a specific service, system, or family of services.

These directory services and user account privileges are managed primarily by Information Technology administrators.

Enterprise Active Directory (AD)

AD is a tool used to authenticate and authorize users who connect to the North Central network with their university username and password.

SAML

Single sign-on (SSO) allows a user to log in once in order to gain access to all systems without being prompted to log in again at each of those systems. The University uses SAML to provide this SSO functionality.

  • Not all university applications use SAML.
  • Of the applications that do use SAML, your access to some "SAMLed" sites does not imply that you can access all SAML sites. Your access to an application or site will still depend upon your role in the university as faculty, staff, or as a student.

Benefits

SAML2 (Single Sign-On) and Enterprise Active Directory
  • Provides single sign-on access. This means that with your university username and password, you can access most University-wide systems.
  • Provides a centralized authoritative repository of information about network-based resources (such as computers, printers, applications, and file shares). It simplifies the management of these resources while controlling access.
  • Services that depend on it include Skyline, Courses, Gmail, Office365, Colleague, and many others.
  • Provides accountability to ensure a secure computing environment while providing the flexibility to meet the diverse technology demands across the university environment.
  • Functions as a central authentication service for individual identities within the University and to manage university accounts.
    • A key principle underlying the design of the system is that an individual affiliated with the university should have one and only one user account corresponding to their role.
  • Enables departments that use Enterprise AD to access all network-based resources using their university username and password.
  • Enhances network security by centrally managing and standardizing a number of important security functions, including:
    • Account provisioning: determines who receives a university account.
    • Account lifecycle: determines when an account is activated and, more importantly, ensures it is deactivated when it is no longer needed.
    • Monitoring: helps to identify unusual or potentially harmful account activity.
    • Logging: provides important historical information about accounts and devices (often useful in investigating computers that have been compromised).


Details

Service ID: 32306
Created: Thu 1/17/19 11:21 PM
Modified: Sun 8/18/19 2:01 PM