Authentication Brick

ITS Technical Architecture - Brick   

Authentication

Primary Architect:  Michael Hodges

 Description:     

Authentication establishes the identity of the person using an online service.

ITS issues UH credentials (username and password) that are used for authentication. ITS has also deployed, for the UH application developer community, a number of authentication technologies that use the UH credentials:

    • Enterprise AuthN – This function serves as the primary authentication method for UH online applications.  UH application developers will find it easy to integrate with their applications.  It provides a single sign-on context for UH web services.
    • Federated AuthN – This function provides a legal and policy framework for UH-issued authentication credentials to be used for logging into federated online services at other institutions, select government agencies, etc.  It provides a single sign-on context for federated web services.
    • Multifactor – This function augments web services and RHEL shell authentication by adding a second factor where stronger authentication is required.  The “something I have” can be either a soft token (cell phone, landline) or a hard token (a USB device).
    • RADIUS – UH Wireless Network and eduroam authentication. (1)
    • Microsoft AD – A number of Microsoft Active Directory instances have been implemented by ITS, the campuses, and various departments throughout the system. (2)
      • ITS Contract Services utilizes Active Directory to support paid-for services such as Exchange. (3)
      • A number of campuses and departments have deployed Active Directory.
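The single sign-on context that the Enterprise AuthN function provides to a UH web application follows the CAS protocol (Apereo CAS is the product named under Strategic and Tactical below). The Python client below is an example added to this brick; it is not ITS or Apereo code. The CAS server URL, the application callback URL, the username and the two XML responses are constructed placeholders. It shows the three steps an application performs: redirect the browser to /login with its service URL, take the service ticket CAS appends to the callback, and validate that ticket with CAS over a back channel, accepting only an explicit authenticationSuccess element.

```python
"""
Minimal CAS 2.0/3.0 client flow for a relying web application.
Added example for this brick; endpoints and responses are constructed placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

CAS_SERVER = "https://cas.example.edu/cas"        # assumed placeholder, not a UH endpoint
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}    # namespace fixed by the CAS protocol


class CasValidationError(Exception):
    """Raised with the CAS failure code (INVALID_TICKET, INVALID_SERVICE, ...)."""


def login_url(service):
    """Where to send an unauthenticated browser; CAS redirects back to `service` with ?ticket=ST-..."""
    return f"{CAS_SERVER}/login?" + urlencode({"service": service})


def validate_url(service, ticket, protocol="p3"):
    """Back-channel URL the application fetches over TLS to validate a service ticket.
    `service` must be byte-for-byte the value used in login_url: CAS binds the ticket
    to it and answers INVALID_SERVICE otherwise. The p3 endpoint also returns attributes."""
    path = "/p3/serviceValidate" if protocol == "p3" else "/serviceValidate"
    return f"{CAS_SERVER}{path}?" + urlencode({"service": service, "ticket": ticket})


def ticket_from_callback(callback_url):
    """Extract the service ticket CAS appended to the callback URL, or None."""
    return parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]


def parse_validation_response(xml_text):
    """Parse a serviceValidate response into (user, attributes).
    Anything other than a well-formed cas:authenticationSuccess with a non-empty
    cas:user is rejected, so a missing or truncated response cannot pass as a login."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError("MALFORMED_RESPONSE") from exc
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise CasValidationError("MALFORMED_RESPONSE")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user_el = success.find("cas:user", CAS_NS) if success is not None else None
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("MALFORMED_RESPONSE")
    attrs = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:                      # multi-valued attributes repeat the element
            name = child.tag.split("}", 1)[-1]     # strip the namespace from the tag
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user_el.text.strip(), attrs


def handle_callback(callback_url, service, fetch):
    """Complete the login on the callback. `fetch(url) -> str` performs the HTTPS GET;
    it is injected so the flow can be exercised offline. The user identity comes only
    from the validated response, never from anything in the browser-supplied URL."""
    ticket = ticket_from_callback(callback_url)
    if ticket is None:
        raise CasValidationError("NO_TICKET")
    return parse_validation_response(fetch(validate_url(service, ticket)))


# Constructed sample responses in the shape defined by the CAS protocol.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:eduPersonAffiliation>staff</cas:eduPersonAffiliation>
      <cas:eduPersonAffiliation>member</cas:eduPersonAffiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-abc not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    service = "https://app.example.edu/cb"        # assumed placeholder callback
    print("redirect browser to:", login_url(service))
    user, attrs = handle_callback(service + "?ticket=ST-1-abc", service, lambda url: SUCCESS_XML)
    print("validated user:", user, attrs)
    try:
        parse_validation_response(FAILURE_XML)
    except CasValidationError as err:
        print("replayed or expired ticket rejected:", err)
```

Two checks matter in practice. The service value passed to serviceValidate must be identical to the one used at login, because CAS binds the ticket to it; and the application must derive the user only from the validated XML, never from the callback URL. Service tickets are short-lived and single-use, so the validation request should be made immediately and exactly once; a replayed or expired ticket comes back as INVALID_TICKET, which the parser surfaces as a CasValidationError rather than a silent failure.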

 

Experimental

 

Strategic (3-5 Years)

    • Enterprise AuthN

      • CAS - Apereo's Central Authentication Service

    • Federated AuthN

      • Shibboleth - InCommon Federation’s Shibboleth Identity Provider

    • Multifactor

      • Duo Security, cloud-based Multi-Factor Authentication as a Service

    • Wireless AuthN

      • FreeRADIUS - The FreeRADIUS Project

    • Microsoft AD

      • Microsoft Active Directory

Tactical (1-2 Years)

    • Enterprise AuthN

      • Apereo’s Central Authentication Service 5.x

    • Federated AuthN

      • InCommon Federation’s Shibboleth Identity Provider 3.x

    • Wireless AuthN

      • FreeRADIUS 2.x

    • Microsoft AD

      • Windows Server 2008 R2

Containment


Retirement

 

Emerging Trends:

  • Passwords are failing as a sole line of defense.  Higher Ed is moving toward a common set of tools and practices for supporting multi-factor authentication: <https://wiki.cohortium.internet2.edu/confluence/x/YgBL>.

  • The FIDO Alliance is developing complementary international standards for MFA: UAF (passwordless) and U2F (second factor):
    <https://fidoalliance.org/about/overview/>
    <https://fidoalliance.org/assets/downloads/FIDO-U2F-UAF-Tutorial-v1.pdf>

  • Issuers of public credentials (Google, Yahoo, LinkedIn) allow individuals to opt in to MFA if they would like a higher level of security.  At some point the UH user community should also expect to be able to select a stronger level of authentication for their personal authentication needs.

  • Multi-factor authentication integration was incorporated into the Shibboleth v2 Identity Provider (IdP) in May 2014 and is known as the multi-context broker (MCB).  Work is underway to incorporate this functionality into CAS, which will allow us to roll it out to the entire UH developer community.  

  • The Federated Service Provider (Federated SP) is the complementary Shibboleth technology.  Currently UH application developers do not write applications that support federated authentication.  In the future select applications may require this functionality.  UH users of these applications would see the CAS login user interface, so the experience would be seamless; other users would see the login user interface of their home institutions.

  • Increasingly, authentication to cyberinfrastructure for research and scholarship is Shibboleth-enabled.  The InCommon Federation has created a new Research and Scholarship (R&S) category in which UH’s Shibboleth IdP has been registered.  As new services register as R&S service providers they automatically support authentication with UH credentials.

  • The InCommon Federation has a multi-year plan to require the Bronze level of assurance as the minimum level of assurance.  This is in step with similar plans by the Federal Government, its agencies and its laboratories, some of which are also InCommon Federation members.  A gap analysis has been performed to determine what UH would need to do in order to assert the Bronze level of assurance with its Shibboleth IdP.  Implementing multi-factor authentication will address the most challenging of the Bronze deficiencies noted in the gap analysis report.

 

Footnotes:

(1) A FreeRADIUS instance is maintained by TI-SAA for campus wireless authentication and two instances are maintained by TI-Networks for local and remote eduroam authentication.

(2) Microsoft Active Directory is strategic for select campuses and departments, but not for the UH Enterprise or for ITS.  While ITS does not promote this service, it does support the centralized management of UH credentials and the automated deprovisioning of authorizations.  A growing number of Active Directory domains exist across the system.  Only HCC automatically synchronizes its domain’s list of authorized users with UHIMS.

(3) There is a long-range plan to upgrade this service to federate authentication utilizing the Central AD Authentication Service.

 


Change History (most recent at top):

  • Brick reviewed by TAC, Aug 2014

  • Renamed brick and added Wireless AuthN, eduroam AuthN and Microsoft AD, Aug 2014

  • Brick created, Jul 2014



Definitions:

Experimental

Someone in ITS is currently investigating or experimenting with this technology.

Strategic

ITS will be investing in this technology for 3-5 years.

Tactical

ITS will be investing in this technology for 1-2 years.

Containment

ITS will continue to use this technology for existing systems, but will no longer invest in this technology and/or grow its use.

Retirement

ITS has a firm plan (and timeline) to retire this technology.
