View Source

EIP provides single login/single sign-on with Microsoft Entra Single Sign-on for the organization. This service allows users to authenticate with their standard UCAR CIT Active Directory (AD) account, and if enrolled, DUO multi-factor authentication (MFA), with applications where a trust has been established. This allows for a more simplified authentication experience for our customers in reducing the number of usernames and passwords needed as well as establishes a more secure authentication method with MFA enabled.

Scope

The purpose of this document is to provide information on the terminology used for the single login infrastructure, outline roles and responsibilities for both EIP and the application owner, and give general information on the technical setup that is needed to create a trust as well as support the trust.

Terminology

Term	Definition
Authentication	Confirming your identity
Authorization	Granting access to a system
Active Directory	Microsoft’s management technology for managing users and computers access and authorization to our network resources from a single directory. Our domain for UCAR is CIT.
Microsoft Entra Single Sign-on (SSO)	Microsoft’s cloud-based single sign- on system used with CIT authentication. A trust is created within Entra IDEntra SSO between Entra SSOEntra SSO and the application.
Multi-Factor Authentication (MFA)	DUO is our current MFA solution that is used in combination with your CIT username and password in conjunction with a third method of authenticating including a push to the DUO app on your smartphone.
Identity Provider (IdP)	An identity provider implements and manages the framework for authentication and authorization federation. EIP as the administrators of AD, Entra SSO, and DUO are the identity providers for the organization.
Service Provider (SP)	The administrator or owner of the application and federation partner with the IdP providing service to the end user.

Roles and Responsibilities

Roles and Responsibilities for IdP

Maintain staff and infrastructure to support the AD, Entra SSO, and DUO environments
Maintain a secure environment using security best practices
Maintaining accurate and working metadata
Coordinate with service providers to set up trusts on the Entra SSO side
Communicate certificate updates, metadata updates, infrastructure upgrades, etc

Service-Level Agreements (SLAs)

Roles and Responsibilities for SP

Have technical information needed to setup trust on service application side
Provide technical details needed to IAM team for Entra SSO trust to be setup
Be prepared to update and test service side whenever changes are communicated by IdP including certificate updates during off-business hours. Provide a point of contact and backup for communications, communicate any changes to these contacts over time.
Manage end user service questions and authentication issues with SP submitting a ticket to EIP with any issues

Technical Details

In general please start with a ticket request and then EIP will work with you to establish the trust between your application and Entra SSO. Each trust needs the following information in order to be created. At the same time, we have also found that each trust can have an extra component to set up that can only be determined through testing. Please submit a request for a trust to be configured.

The first step is to determine if your environment should be set up in a TEST domain, CIT domain, or both depending on your environment. During the trust setup process, we will test with you to confirm authentication is working with your application. In preparation for a request, the following technical details are needed to get started.

Service Provider (SP) will supply:

URL for the metadata of the application
Determine which attributes will be passed for claims; typically this is SAM-Account-Name and Name ID, but others can be used as well.

Identity Provider (IdP) will supply:

URL for the Entra SSO App Federation metadata, depending on domain
Logout URL, depending on domain
Certificate (Base64, Raw, or PEM) - if needed