ITS Technical Architecture - Brick

...

    • Enterprise AuthN – This function is the primary authentication method for UH online applications. UH application developers will find it easy to integrate with their applications. It provides a single sign-on context for UH web services.
    • Federated AuthN – This function provides the legal and policy framework for UH-issued authentication credentials to be used to log in to federated online services at other institutions, select government agencies, etc. It provides a single sign-on context for federated web services.
    • Multifactor – This function augments web service and RHEL shell authentication by adding a second factor where stronger authentication is required. The "something I have" can be either a soft token (cell phone, landline) or a hard token (a USB device).
    • RADIUS – UH Wireless Network and eduroam authentication. (1)
    • Microsoft AD – A number of Microsoft Active Directory instances have been implemented by ITS, the campuses, and various departments throughout the system. (2)
      • ITS Contract Services utilizes Active Directory to support paid-for services such as Exchange. (3)
      • A number of campuses and departments have deployed Active Directory.
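What integrating an application with Enterprise AuthN involves on the application side, as an added example that is not code from this page or from UH ITS: a minimal CAS 2.0/3.0 client in Python using only the standard library. It builds the login redirect, builds the server-to-server serviceValidate request, and parses the XML reply, failing closed on anything other than a well-formed success that names a principal. The cas.example.edu and app.example.edu URLs are assumptions, and the two XML responses are constructed samples in the format the CAS protocol specifies.

```python
"""Client-side CAS ticket validation for a web application behind Enterprise AuthN.

Added example, not code from the page or from UH ITS. Endpoints are assumed and
the XML responses are constructed samples in the CAS protocol's format.
"""
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed endpoints (hypothetical hosts, not UH's real ones).
CAS_SERVER = "https://cas.example.edu/cas"
SERVICE_URL = "https://app.example.edu/login/callback"

# Namespace used by CAS 2.0/3.0 serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasValidationError(Exception):
    """Raised when a ticket must NOT be accepted."""


def login_url(service, renew=False):
    """URL to redirect an unauthenticated browser to.

    renew=True makes CAS ignore the existing single sign-on session and
    re-prompt for credentials, which is how an application demands a fresh
    login before a sensitive action.
    """
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return f"{CAS_SERVER}/login?{urllib.parse.urlencode(params)}"


def validate_url(service, ticket):
    """Server-to-server URL the application fetches (over TLS) to check a ticket.

    The service value must be byte-for-byte the one sent to /login, otherwise
    the CAS server answers INVALID_SERVICE. Never trust the ticket before this
    round trip: the browser could have put anything in the query string.
    """
    if not ticket.startswith(("ST-", "PT-")):
        raise CasValidationError("not a CAS service/proxy ticket")
    params = {"service": service, "ticket": ticket}
    return f"{CAS_SERVER}/serviceValidate?{urllib.parse.urlencode(params)}"


def parse_service_response(xml_body):
    """Parse a /serviceValidate body. Returns (user, attributes) or raises.

    The body comes from the CAS server over TLS; if it could come from an
    untrusted source, parse it with defusedxml instead of the stdlib parser.
    """
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed CAS response: {exc}") from exc
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise CasValidationError("not a cas:serviceResponse document")

    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")

    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("neither success nor failure element present")
    user_el = success.find("cas:user", CAS_NS)
    user = (user_el.text or "").strip() if user_el is not None else ""
    if not user:
        # Fail closed: a success element without a principal is not a login.
        raise CasValidationError("authenticationSuccess without cas:user")

    # CAS 3.0 may release attributes; multi-valued ones repeat the element.
    attributes = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


# Constructed sample responses (ticket and user are made up for the example).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:eduPersonAffiliation>staff</cas:eduPersonAffiliation>
      <cas:eduPersonAffiliation>member</cas:eduPersonAffiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print("redirect to:", login_url(SERVICE_URL))
    print("validate at:", validate_url(SERVICE_URL, "ST-0000-example"))
    print("accepted:", parse_service_response(SAMPLE_SUCCESS))
    try:
        parse_service_response(SAMPLE_FAILURE)
    except CasValidationError as err:
        print("rejected:", err)
```

The two checks a practitioner most often gets wrong are both enforced here: the ticket is only trusted after the server-to-server validation round trip, and a reply that lacks a principal is rejected rather than treated as an anonymous success. The renew parameter is the protocol's standard way for an application to bypass the existing SSO session and require fresh credentials, which becomes the natural hook for stronger authentication.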

Experimental

Strategic (3-5 Years)

    • Enterprise AuthN

      • CAS - Apereo's Central Authentication Service

    • Federated AuthN

      • Shibboleth - InCommon Federation’s Shibboleth Identity Provider

    • Multifactor

      • Duo Security, cloud-based Multi-Factor Authentication as a Service

    • Wireless AuthN

      • FreeRADIUS - The FreeRADIUS Project

    • Microsoft AD

      • Microsoft Active Directory

Tactical (1-2 Years)

    • Local AuthN

      • Apereo’s Central Authentication Service 5.x

    • Federated AuthN

      • InCommon Federation's Shibboleth Identity Provider 3.x

    • Wireless AuthN

      • FreeRADIUS 2.x

    • Microsoft AD

      • Windows Server 2008 R2

Containment


Retirement

Emerging Trends:

  • Passwords are failing as the sole line of defense. Higher Ed is moving toward a common set of tools and practices for supporting multi-factor authentication: <https://wiki.cohortium.internet2.edu/confluence/x/YgBL>.

  • The FIDO Alliance is developing complementary international standards for MFA: UAF (passwordless) and U2F (second factor):
    <https://fidoalliance.org/about/overview/>
    <https://fidoalliance.org/assets/downloads/FIDO-U2F-UAF-Tutorial-v1.pdf>

  • Issuers of public credentials (Google, Yahoo, LinkedIn) allow individuals to opt in to MFA if they want a higher level of security. At some point the UH user community should also expect to be able to select a stronger level of authentication for their personal authentication needs.

  • Multi-factor authentication integration was incorporated into the Shibboleth v2 Identity Provider (IdP) in May 2014 and is known as the Multi-Context Broker (MCB). Work is underway to incorporate this functionality into CAS, which will allow us to roll it out to the entire UH developer community.

  • Federated Service Provider (Federated SP) is complementary Shibboleth technology. Currently UH application developers do not write applications that support federated authentication. In the future select applications may require this functionality. UH users of these applications would see the CAS login interface, so the experience would be seamless; users from other institutions would see the login interface of their home institution.

  • Increasingly, authentication to cyberinfrastructure for research and scholarship is Shibboleth-enabled. The InCommon Federation has created a Research and Scholarship (R&S) category, to which UH's Shibboleth IdP has been registered. As new services register as R&S service providers they automatically support authentication with UH credentials.

  • The InCommon Federation has a multi-year plan to require the Bronze level of assurance as the minimum level of assurance. This is in step with similar plans by the Federal Government, its agencies, and its laboratories, some of which are also InCommon Federation members. A gap analysis has been performed to determine what UH would need to do to assert the Bronze level of assurance with its Shibboleth IdP. Implementing multi-factor authentication will address the most challenging of the Bronze deficiencies noted in the gap analysis report.

...