
User Authentication and Authorization via Web Single Sign-On

The Online Passport service is offered by Northwestern Information Technology (IT) to departments and schools that wish to restrict access to their websites or web-based applications. Protection can cover an entire website or only parts of it: some URLs can be publicly open, while others can require a valid NetID or membership in specific NetID groups, such as faculty, undergraduate students, or students of a particular school. Once a user has authenticated through the Online Passport service, they are not challenged again for a NetID and password when visiting other participating websites.

Features/Options

The OpenAM system consists of the OpenAM server and the OpenAM Policy Agent. The single sign-on process works as follows:
  1. A user requests a URL in their browser.
  2. The OpenAM Policy Agent on the web server intercepts the request and checks for the presence of the SSO (Single Sign-on) cookie.
  3. If the cookie is not present, the user is redirected to the OpenAM server and asked to log in.
  4. Upon successful login, the user is redirected back to the original URL.
  5. The Policy Agent again intercepts the request, verifies that the cookie is present and valid, optionally checks access control policies (see below), and then passes the request on to the web server.
Access Control:
  1. Online Passport can restrict access to your web site (or portions thereof) to standard NetID groups. For example, access to "http://your-server.northwestern.edu/public/" might be allowed for any valid NetID, while "http://your-server.northwestern.edu/faculty-only-files/" might be restricted to Northwestern faculty.
  2. The authenticated user's NetID is provided to your web application in the REMOTE_USER CGI environment variable, so you can make fine-grained access control decisions and/or use the NetID as a stable, unique user identifier (for example, to key your application's own session). REMOTE_USER is set by the Policy Agent, not by the client, so your application should rely on it only on servers where the agent sits in front of the application.
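The five-step process and the two access-control points above, modelled end to end as a small simulation. This is an added example written for this page, not OpenAM's agent or server code, and the names it uses (SsoServer, PolicyAgent, the cookie name, the NetIDs, passwords and groups) are all constructed for illustration. It shows the redirect when no cookie is present, the group check on a restricted path, and the agent overwriting any client-supplied REMOTE_USER with the verified NetID.

```python
"""Toy model of the Online Passport flow: an SSO server that issues session
cookies and a policy agent that enforces them in front of a web application.
Constructed example; names, users and groups are made up for illustration."""
import secrets
import time
from urllib.parse import urlencode, urlsplit

COOKIE_NAME = "iPlanetDirectoryPro"  # assumed cookie name; a real deployment configures it

# Constructed directory: NetID -> (password, groups). A real server uses LDAP, not this.
USERS = {
    "abc123": ("hunter2", {"faculty"}),
    "xyz789": ("secret", {"undergrad"}),
}


class SsoServer:
    """Authenticates NetIDs and tracks SSO sessions by opaque token."""

    def __init__(self, ttl_seconds=8 * 3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> (netid, groups, expires_at)

    def login(self, netid, password, now=None):
        """Return a session token on success, None on failure."""
        entry = USERS.get(netid)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.sessions[token] = (netid, entry[1], now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Return (netid, groups) for a live session, else None."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = time.time() if now is None else now
        if now >= s[2]:
            del self.sessions[token]  # expired: treat exactly like a missing cookie
            return None
        return s[0], s[1]


class PolicyAgent:
    """Sits in front of the web server and performs steps 2-5 of the SSO process."""

    def __init__(self, sso, login_url, policy):
        self.sso = sso
        self.login_url = login_url
        # policy: list of (url_prefix, required_group or None); None = any valid NetID.
        # Paths that match no prefix also require only a valid NetID.
        self.policy = sorted(policy, key=lambda p: -len(p[0]))  # longest prefix wins

    def handle(self, url, cookies, headers, now=None):
        """Return (status, info): 302 login redirect, 403 denied, or 200 with the environ."""
        token = cookies.get(COOKIE_NAME)
        session = self.sso.validate(token, now) if token else None
        if session is None:
            # Step 3: no (or stale) cookie -> send to the SSO server, remembering the URL
            return 302, self.login_url + "?" + urlencode({"goto": url})
        netid, groups = session
        path = urlsplit(url).path
        for prefix, group in self.policy:
            if path.startswith(prefix):
                if group is not None and group not in groups:
                    return 403, "NetID %s is not in group %s" % (netid, group)
                break
        # Step 5: hand the verified identity to the application as REMOTE_USER.
        # Anything the client sent under that name is dropped; the agent is the only source.
        environ = {k: v for k, v in headers.items() if k.upper() != "REMOTE_USER"}
        environ["REMOTE_USER"] = netid
        return 200, environ


def run_flow():
    """Drive the flow once and return the intermediate results for inspection."""
    sso = SsoServer()
    agent = PolicyAgent(sso, "https://sso.example.edu/login", [
        ("/public/", None),
        ("/faculty-only-files/", "faculty"),
    ])
    url = "http://your-server.northwestern.edu/faculty-only-files/grades.csv"
    results = {}
    results["no_cookie"] = agent.handle(url, cookies={}, headers={})        # steps 2-3
    faculty = sso.login("abc123", "hunter2")                               # step 4
    results["faculty"] = agent.handle(url, {COOKIE_NAME: faculty},
                                      {"REMOTE_USER": "forged"})           # step 5
    student = sso.login("xyz789", "secret")
    results["student"] = agent.handle(url, {COOKIE_NAME: student}, {})      # group check
    results["public"] = agent.handle(
        "http://your-server.northwestern.edu/public/index.html", {COOKIE_NAME: student}, {})
    results["expired"] = agent.handle(url, {COOKIE_NAME: faculty}, {},
                                      now=time.time() + 9 * 3600)          # stale cookie
    return results


if __name__ == "__main__":
    for name, (status, info) in run_flow().items():
        print(name, status, info)
```

The agent validates the cookie on every request rather than trusting its mere presence, and a session past its lifetime is handled exactly like a missing cookie (a fresh redirect to the login URL with the original URL carried in the goto parameter).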

Ordering

In order to use Online Passport SSO, you will need to formally request access for your application (NetID required).

A special username and password will be issued to your application for use by the agent in contacting the Access Manager (OpenAM) server to retrieve policy information and other configuration data; store these credentials on the web server with restricted file permissions. We will also retain contact information in order to inform you of upgrades, configuration changes, server maintenance, and other outages.

Technical Details

Microsoft IIS 6.0, Apache 1.3.33 and Apache 2.0.x are the currently preferred web servers. Northwestern IT has experience with these platforms, and local documentation is available to assist you with installation and configuration. Additional platforms are supported by the vendor, and Northwestern IT will provide support for them on an as-needed basis (subject to resource constraints). Note: the agent installation process generally requires that a Java runtime (1.3 or higher) be installed on the web server.

Northwestern's SSO environment is based on ForgeRock’s OpenAM 9.5 (to be upgraded to 11.0.2 in late January 2016). An agent must be installed on each web server to be protected by the system. Documentation for installing agent software on the platforms is below.

Last Updated: 25 July 2017
