Authentication Standard

Purpose

Most applications, whether hosted on-premises or in the cloud as SaaS, require some form of user authentication. The University's central Identity & Access Management (IAM) system provides three separate, but synchronized, authentication stores and four different methods for primary authentication.

Many applications also require a multi-factor authentication (MFA) credential and method on top of primary authentication with username and password.

Central Authentication

The IAM system provides central authentication for all faculty, staff, students, retirees, and alumni. Applications that support any of the four authentication methods below should leverage central authentication wherever possible.

Primary Password Stores

  1. Active Directory – Windows Domain Controllers (DC)
  2. OpenLDAP – OpenLDAP directory servers (LDAP)
  3. Kerberos – MIT Kerberos Key Distribution Centers (KDC)


Primary Authentication Methods (NetID and associated UR password)

  1. Native Windows (Kerberos/LDAP/NTLM) – supported by Active Directory and available on all domain-joined Windows and macOS computers
  2. LDAP – protocol supported by both Active Directory and OpenLDAP; however, LDAP to Active Directory is categorized as Native Windows authentication in this standard
  3. Kerberos – supported by Active Directory, but only authentication to MIT Kerberos by Linux clients is referred to as Kerberos in this standard
  4. Single Sign On (SSO; SAML/CAS) – two methods of web browser-based authentication supported by Shibboleth


Secondary Device Store

  1. Duo


Secondary Authentication Methods

  1. Duo Push
  2. Duo Passcode
  3. Bypass Code

Local Authentication

Many applications support their own local credential stores for the purpose of user authentication. This method is often referred to as native or application-level authentication. Applications that are small in scope, with a very limited number of user accounts, may be configured for local authentication. Central authentication is always preferred.

Social Identity

Social identity may be used for low-risk, low-impact applications (former students, applicants, alumni, etc.).

Anonymous Access

https://spidertechnet.richmond.edu/TDClient/1955/Portal/KB/ArticleDet?ID=89704


Date        Version  Author       Description
10/16/2023  1.0      Greg Miller  Initial Draft
10/20/2023  2.0      Greg Miller  Added anonymous access