CISL provides single login/single sign-on with Active Directory Federated Services (ADFS) for the organization. This service allows users to authenticate to applications with which a trust has been established using their standard UCAR CIT Active Directory (AD) account and, if enrolled, DUO multi-factor authentication (MFA). This simplifies authentication for our customers by reducing the number of usernames and passwords they need, and it establishes a more secure authentication method when MFA is enabled.

Scope

The purpose of this document is to provide information on the terminology used for the single login infrastructure, outline roles and responsibilities for both CISL and the application owner, and give general information on the technical setup that is needed to create a trust as well as support the trust.

Terminology

Term: Definition

Authentication: Confirming your identity.

Authorization: Granting access to a system.

Active Directory: Microsoft's directory technology for managing users' and computers' access and authorization to our network resources from a single directory. Our domain for UCAR is CIT.

Active Directory Federated Services (ADFS): Microsoft's single sign-on system used with CIT authentication. A trust is created within ADFS between ADFS and the application.

Multi-Factor Authentication (MFA): DUO is our current MFA solution. It is used in combination with your CIT username and password, adding a third method of authenticating such as a push to the DUO app on your smartphone.

Identity Provider (IdP): An identity provider implements and manages the framework for authentication and authorization federation. CISL, as the administrator of AD, ADFS, and DUO, is the identity provider for the organization.

Service Provider (SP): The administrator or owner of the application, and the federation partner of the IdP, providing the service to the end user.

Roles and Responsibilities

Roles and Responsibilities for IdP

Service-Level Agreements (SLAs)

Roles and Responsibilities for SP

Technical Details

In general, please start with a ticket request; CISL will then work with you to establish the trust between your application and ADFS. Each trust needs the following information in order to be set up. We have also found that each trust can have an extra component to set up that can only be determined through testing. Please submit a request for a trust to be set up.

The first step is to determine whether your application should be set up in the test domain, the CIT domain, or both, depending on your environment. During the trust setup process, we will test with you to confirm that authentication is working with your application. In preparation for a request, the following technical details are needed to get started.

Service Provider (SP) will supply:

Identity Provider (IdP) will supply: