User Authentication and Authorization via Web Single Sign-On
The Northwestern University Online Passport service is offered by NUIT to departments and schools that wish to restrict access to their Web sites or Web-based applications. Authenticated protection can cover an entire Web site or only individual portions of it. Some URLs can be publicly open, while others can require membership in specific NetID groups. Access can also be limited to a group of NetIDs such as faculty, undergraduate students, or the students of a particular school. Once authenticated through the Passport service, the user is not challenged for a NetID/password when visiting other participating Web sites.
Features/Options
The Access Manager system comprises the Access Manager server and the Access Manager Policy Agent.
- The Access Manager server. A pool of four servers across the Evanston and Chicago campuses that store URL policy information (who is permitted to access what) and provide the user interface for logging in.
- The Access Manager Policy Agent. This is a module that is loaded into your Web or application server. The agent is responsible for intercepting all URL requests, determining whether the URLs are protected, verifying that the user has successfully authenticated, and enforcing any relevant access policies.
Single Sign-on process:
- A user requests a URL in his/her browser.
- The Access Manager Policy Agent on the Web server intercepts the request and checks for the presence of the SSO (Single Sign-on) cookie.
- If the cookie is not present, the user is redirected to the Access Manager server and asked to log in.
- Upon successful login, the user is redirected back to the original URL.
- The Policy Agent again intercepts the request, verifies that the cookie is present and valid, optionally checks access control policies (see below), then passes the request on to the Web server.
Access Control:
- Online Passport can restrict access to your web site (or portions thereof) to standard NetID groups. For example, access to "http://your-server.northwestern.edu/public/" might be allowed for any valid NetID, while "http://your-server.northwestern.edu/faculty-only-files/" might be restricted to NU faculty.
- The authenticated user's NetID is provided to your web applications as an HTTP REMOTE_USER environment variable, so you can make fine-grained access control decisions, and/or use the NetID as a unique session identifier.
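To make the single sign-on steps and the REMOTE_USER hand-off concrete, the following Python model is added here as an illustration; it is not NUIT's or Sun's agent code. The cookie name, session store, group table, policy table, login URL and the application's "profile owner" rule are all constructed stand-ins. It traces one request through the agent (cookie check, redirect to login, URL policy enforcement) and then into an application that makes a fine-grained decision from REMOTE_USER, and it shows that a client-supplied REMOTE_USER header carries no weight because only the agent's server-side session lookup sets the identity.

```python
# Added illustration of the Online Passport request flow and of an application
# consuming REMOTE_USER. NOT NUIT's or Sun's agent code: the cookie name,
# session store, group table, policy table and login URL are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote

# Constructed: NetID group membership as the Access Manager server would hold it.
GROUPS = {"faculty": {"jdoe"}, "undergrad": {"asmith"}}

# Constructed policy table: URL prefix -> required NetID group (None = any valid NetID).
# Prefixes not listed are unprotected. Mirrors the /public/ and
# /faculty-only-files/ example given on the page.
POLICIES = [("/faculty-only-files/", "faculty"), ("/public/", None)]

# Constructed session store standing in for the agent's validation of the SSO
# cookie against the Access Manager server.
SSO_COOKIE = "sso_session"                    # placeholder cookie name
VALID_SESSIONS = {"sess-abc": "jdoe", "sess-xyz": "asmith"}
LOGIN_URL = "https://login.example.invalid/"  # placeholder, not the real login server


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)  # client-supplied HTTP headers


@dataclass
class Response:
    status: int
    location: Optional[str] = None      # redirect target on 302
    remote_user: Optional[str] = None   # what the application saw in REMOTE_USER


def find_policy(path):
    """Return (prefix, required_group) for the first protected prefix matching path, else None."""
    for prefix, group in POLICIES:
        if path.startswith(prefix):
            return prefix, group
    return None


def policy_agent(req, app):
    """Steps 2-5 of the single sign-on process as described on the page."""
    policy = find_policy(req.path)
    if policy is None:
        # Unprotected URL: handed to the web server with no authenticated identity.
        return app(req, None)
    # Step 2: look for the SSO cookie and validate it. Client-supplied headers are
    # deliberately not consulted; only the server-side session lookup yields a NetID.
    netid = VALID_SESSIONS.get(req.cookies.get(SSO_COOKIE))
    if netid is None:
        # Step 3: no (or invalid) cookie -> redirect to the login page, carrying the
        # original URL so that step 4 can send the user back to it.
        return Response(302, location=f"{LOGIN_URL}?goto={quote(req.path, safe='')}")
    # Step 5: enforce the URL policy (group membership), then pass the request on.
    _, group = policy
    if group is not None and netid not in GROUPS.get(group, set()):
        return Response(403)
    return app(req, netid)


def application(req, remote_user):
    """The protected web application. remote_user is the REMOTE_USER value the agent
    set (None on unprotected URLs). Constructed fine-grained rule: the profile under
    /public/profiles/<netid>/ may only be edited by that NetID."""
    parts = req.path.split("/")
    if len(parts) >= 5 and parts[1:3] == ["public", "profiles"] and parts[4] == "edit":
        owner = parts[3]
        if remote_user != owner:
            return Response(403, remote_user=remote_user)
    return Response(200, remote_user=remote_user)


def handle(path, cookies=None, headers=None):
    """Run one request through the agent and then the application."""
    return policy_agent(Request(path, cookies or {}, headers or {}), application)
```

In a real deployment the agent module inside Apache or IIS performs the cookie validation against the Access Manager server, and the application reads the NetID from the REMOTE_USER environment variable rather than from a function argument; the model keeps the same separation so that the application never has to trust anything the browser sent.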
Ordering
To use Online Passport SSO, you will need to formally request access for your application (NetID required). A special username and password will be issued to your application for use in contacting the Access Manager server to retrieve policy information and other configuration data. We will also retain contact information in order to inform you of upgrades, configuration changes, server maintenance, and other outages.
Technical Details
Microsoft IIS 6.0, Apache 1.3.33 and Apache 2.0.x are the current preferred Web servers. NUIT has experience with these platforms, and local documentation is available to assist you with installation and configuration. Additional platforms are supported by the vendor and NUIT will provide support on an as-needed basis (subject to resource constraints).
- Microsoft IIS 6.0. Tested successfully on Windows Server 2003 and Server 2003 R2, SE and EE.
- Apache 1.3.33, Apache 2.0.x. Tested successfully on Solaris 8 and 10 (SPARC). Apache 2.0.x has proven to be a much better choice, and interested users should consider upgrading to Apache 2.0.x before working with SSO. The Apache agent is also supported on Red Hat Enterprise Linux 3.0 (including the 64-bit version), Solaris 9 & 10 (x86), and Windows Server 2003. NUIT does not yet have experience with these platforms, but will work with you to install and configure the agent on these systems, and document the process for future users.
- Tomcat 5.5
- BEA Weblogic 8.1
- Domino
- IBM WebSphere 5.1.1 & 6.0
- Sun Application Server 8.1
- Sun Java Web Server 6.1
- SAP Enterprise Portal & WebAS 6.40
Note: the agent installation process generally requires that a Java runtime (1.3 or higher) be installed on the Web server.
Northwestern's SSO environment is based on Sun Microsystems' Access Manager version 7.0. An Access Manager agent must be installed on each Web server to be protected by the system. Documentation for installing agent software on the platforms is below. We recommend you download both the vendor documentation and the NU documentation (see links below - some require NU NetID). Review the vendor documentation to gain an overall understanding of how the product works, then follow the steps in the NU documentation to install the software on your Web server.
Support Contact
Information Systems Architecture (ISA)
847-467-4120
teb@northwestern.edu