The Division of IT provides several methods for user authentication: Shibboleth Single Sign-On, InCommon Federated Authentication and Lightweight Directory Access Protocol (LDAP). The guidelines for each method are outlined in the Authentication Services Policy.
Each method for user authentication provided by the Division of IT has its own advantages. A brief description of each method follows:
Shibboleth Single Sign-On:
Shibboleth IdP is the preferred method of user authentication. Shibboleth is an open source, standards-based Single Sign-On authentication service for the web. It also allows sites to make informed authorization decisions for individual access to protected resources. Shibboleth consists of two primary pieces: an Identity Provider (IdP) and a Service Provider (SP). There is one IdP system-wide for the University of Missouri, operated by the Division of IT. SPs are operated by the individual application or resource owner. SPs can be University of Missouri applications or an external third party service. An SP may also request to receive attributes describing the authenticated user.
- Allows University of Missouri faculty, students and staff to use their University credentials to access multiple protected resources while reducing the number of times they are prompted to enter their credentials.
- Eliminates the security issues of sharing University credentials with a third party because the credentials are never passed to the protected resource.
- Facilitates authorization decisions by passing supported user attributes to the resource.
- Allows resources to accept credentials from Identity Providers other than the University of Missouri.
InCommon Federated Authentication:
The University of Missouri is an active participant in, and committed to the success of, the InCommon Federation, which allows us to establish trust relationships that let University of Missouri faculty, students and staff use their University credentials with other participating organizations, such as:
- National Institutes of Health (NIH)
- National Science Foundation (NSF)
- HathiTrust Digital Library
Lightweight Directory Access Protocol (LDAP):
LDAP is available to internal non-web applications. The preferred authentication method for web applications is Shibboleth Single Sign-On. Some applications and custom code require integration with Active Directory to provide user authentication and to query Active Directory object attributes. This can be accomplished in a variety of ways and will be dependent upon the application and/or code language invoked.
There are no fees associated with this service.
The Division of IT works with application or resource owners to set up the integration for authentication. However, departmental requests would need to come through an IT Pro.
Shibboleth Service Provider Software:
Shibboleth is free, open-source software. The Service Provider software provides Single Sign-On capabilities for web applications written in any language or framework and integrates with Apache and IIS.
Shibboleth Service Provider Software Download
When the Service Provider software is installed, configured and ready to integrate with the University of Missouri System IdP, do the following:
- Make sure the Service Provider metadata successfully validates using the Metadata validation utility.
- Complete the Shibboleth Request Form.
- Once the form has been submitted, you will receive communication via email from the Shibboleth IdP support team. Additional questions and/or approval may be required before setup can begin. Once all questions and approvals have been completed, you will receive an additional email from the Shibboleth IdP support team with instructions.
Successful testing against the UM QA IdP is required before integration and setup will be promoted to the production environment.
- To test, add the line 22.214.171.124 shib-idp.umsystem.edu to the local hosts file on the workstation you are testing from. It is NOT necessary to change this file on your Service Provider server. Once testing is complete, remove the line and notify Shibboleth IdP support via email.
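A check for the hosts-file step above, added here as an example and not part of the original page: it reports whether a hosts file still overrides the IdP hostname, so you can confirm that the override is in place before testing and that it is gone afterwards. The function names are hypothetical, and the sample file and the 192.0.2.10 documentation address are constructed.

```shell
#!/bin/sh
# Added example: report hosts-file overrides for the IdP hostname.
# IDP_HOST is the name given on the page; everything else is illustrative.
IDP_HOST="shib-idp.umsystem.edu"

# Print every address that FILE ($1) maps to HOST ($2), case-insensitively,
# ignoring comments and blank lines. Exit status 0 if an override exists.
hosts_override() {
    awk -v host="$2" '
        BEGIN { host = tolower(host); found = 0 }
        {
            sub(/#.*/, "")              # strip comments, re-splits fields
            for (i = 2; i <= NF; i++)   # field 1 is the address, rest are names
                if (tolower($i) == host) { print $1; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# One-line summary of the state of FILE ($1) for the test procedure.
check_idp_override() {
    if ips=$(hosts_override "$1" "$IDP_HOST"); then
        echo "override present: $IDP_HOST -> $ips"
    else
        echo "no override for $IDP_HOST in $1"
    fi
}

# Constructed sample hosts file (192.0.2.10 is a documentation address,
# not the QA IdP address).
sample=$(mktemp)
printf '%s\n' \
    '127.0.0.1 localhost' \
    '# 192.0.2.10 shib-idp.umsystem.edu   (commented out, ignored)' \
    '192.0.2.10 SHIB-IDP.umsystem.edu  # QA IdP test' > "$sample"
check_idp_override "$sample"
rm -f "$sample"
```

On a workstation, run `check_idp_override /etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` from a POSIX shell on Windows) before and after the test window.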
The Division of IT recommends application owners consult the following resources for information when downloading, installing and configuring the Shibboleth Service Provider software:
For additional assistance, contact Tech Support at 573.882.5000.