EIP provides single login/single sign-on for the organization through Microsoft Entra Single Sign-on. This service lets users authenticate with their standard UCAR CIT Active Directory (AD) account, plus DUO multi-factor authentication (MFA) if enrolled, to applications with which a trust has been established. This gives our customers a simpler authentication experience by reducing the number of usernames and passwords they need, and it establishes a more secure authentication method when MFA is enabled.
Scope
The purpose of this document is to provide information on the terminology used for the single login infrastructure, outline roles and responsibilities for both EIP and the application owner, and give general information on the technical setup that is needed to create a trust as well as support the trust.
Terminology
Term | Definition |
---|---|
Authentication | Confirming your identity |
Authorization | Granting access to a system |
Active Directory | Microsoft’s directory technology for managing users' and computers' access and authorization to our network resources from a single directory. Our domain for UCAR is CIT. |
Microsoft Entra Single Sign-on (SSO) | Microsoft’s cloud-based single sign-on system used with CIT authentication. A trust is created within Entra ID between Entra SSO and the application. |
Multi-Factor Authentication (MFA) | DUO is our current MFA solution. It is used in combination with your CIT username and password, adding a further method of authentication such as a push to the DUO app on your smartphone. |
Identity Provider (IdP) | An identity provider implements and manages the framework for authentication and authorization federation. EIP, as the administrator of AD, Entra SSO, and DUO, is the identity provider for the organization. |
Service Provider (SP) | The administrator or owner of the application; the federation partner of the IdP that provides the service to the end user. |
Roles and Responsibilities
Roles and Responsibilities for IdP
- Maintain staff and infrastructure to support the AD, Entra SSO, and DUO environments
- Maintain a secure environment using security best practices
- Maintain accurate and working metadata
- Coordinate with service providers to set up trusts on the Entra SSO side
- Communicate certificate updates, metadata updates, infrastructure upgrades, etc.
Service-Level Agreements (SLAs)
Roles and Responsibilities for SP
- Have the technical information needed to set up the trust on the service application side
- Provide the technical details the IAM team needs to set up the Entra SSO trust
- Be prepared to update and test the service side whenever the IdP communicates changes, including certificate updates during off-business hours. Provide a point of contact and a backup for communications, and communicate any changes to these contacts over time.
- Manage end-user service questions and authentication issues; the SP submits a ticket to EIP for any issues it cannot resolve
Technical Details
In general, please start with a ticket request, and EIP will then work with you to establish the trust between your application and Entra SSO. Each trust needs the information listed below in order to be created. We have also found that each trust can have an extra component to set up that can only be determined through testing. Please submit a request for a trust to be configured.
The first step is to determine whether your environment should be set up in the TEST domain, the CIT domain, or both, depending on your environment. During the trust setup process, we will test with you to confirm that authentication is working with your application. In preparation for a request, the following technical details are needed to get started.
Service Provider (SP) will supply:
- URL for the metadata of the application
- Determine which attributes will be passed as claims; typically these are sAMAccountName and NameID, but others can be used as well.
Identity Provider (IdP) will supply:
- URL for the Entra SSO App Federation metadata, depending on domain
- Logout URL, depending on domain
- Certificate (Base64, Raw, or PEM), if needed
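The three items the IdP supplies above (federation metadata URL, logout URL, signing certificate) are all carried in one SAML 2.0 federation metadata document, and the SP-side responsibility to "update and test" on certificate updates means an SP should be able to read that document and notice when the signing certificate changes. The following is an added example (not EIP code or Entra output) that parses a constructed metadata document, extracts the SSO and logout endpoints, fingerprints every published signing certificate, and compares them to what the SP has pinned; the tenant id, hosts and certificate bytes are placeholders, and in practice the XML would be fetched from the metadata URL EIP provides.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespaces (the format Entra SSO federation metadata uses).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder "certificates": arbitrary bytes standing in for DER, not real certs.
CERT_OLD = b"constructed-der-bytes-for-the-currently-pinned-cert"
CERT_NEW = b"constructed-der-bytes-for-a-newly-published-cert"

# Constructed sample metadata with two signing certs, as seen during a rollover window.
# Tenant id and hostnames are placeholders, not real Entra values.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.example.invalid/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(CERT_OLD).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(CERT_NEW).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.example.invalid/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.example.invalid/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the fields an SP must configure out of IdP federation metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    # Base64 in metadata may be wrapped across lines; strip all whitespace before decoding.
    certs = [base64.b64decode("".join(c.text.split())) for c in idp.findall(cert_path, NS)]
    def loc(tag: str):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    return {"entity_id": root.get("entityID"), "sso_url": loc("SingleSignOnService"),
            "slo_url": loc("SingleLogoutService"), "signing_fps": [cert_fingerprint(c) for c in certs]}

def check_signing_certs(metadata: dict, pinned_fps: set) -> dict:
    """Compare the published signing certs with what the SP has pinned; flags a rollover."""
    published = set(metadata["signing_fps"])
    return {"new": sorted(published - pinned_fps), "retired": sorted(pinned_fps - published),
            "ok": published == pinned_fps}
```

Running this check on a schedule against the real metadata URL, and alerting when `new` or `retired` is non-empty, gives the SP an early signal that a certificate update has been published and that the service side needs to be updated and tested.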