Skip to main content

User Authentication and Authorization via Web Single Sign-On

The Online Passport service is offered by Northwestern Information Technology (IT) to departments and schools who wish to restrict access to their websites or web-based applications. Authenticated protection can include an entire website or individual portions. Some URLs can be publicly open, while others can require membership in specific NetID groups. Access can also be limited to a group of NetIDs such as faculty, undergraduate students, or particular school students. Once authenticated through the Online Passport service, the user is not challenged for NetID/password when visiting other participating websites.


The OpenAM system is comprised of the OpenAM server and the OpenAM Policy Agent. Single Sign-on process:
  1. A user requests a URL in the browser.
  2. The OpenAM Policy Agent on the Web server intercepts the request and checks for the presence of the SSO (Single Sign-on) cookie.
  3. If the cookie is not present, the user is redirected to the OpenAM server and asked to login.
  4. Upon successful login, the user is redirected back to the original URL.
  5. The Policy Agent again intercepts the request, verifies that the cookie is present and valid, optionally checks access control policies (see below), then passes the request on to the web server.
Access Control:
  1. Online Passport can restrict access to your web site (or portions thereof) to standard NetID groups. For example, access to "" might be allowed for any valid NetID, while "" might be restricted to Northwestern faculty.
  2. The authenticated user's NetID is provided to your web applications as an HTTP REMOTE_USER environment variable, so you can make fine-grained access control decisions, and/or use the NetID as a unique session identifier.


In order to use Online Passport SSO, you will need to formally request access for your application (NetID required).

A special username and password will be issued to your application for use in contacting the Access Manager server to retrieve policy information and other configuration data. We will also retain contact information in order to inform you of upgrades, configuration changes, server maintenance, and other outages.

Technical Details

For information on installing and configuring SSO on your system, please review the WebSSO Documentation.

Last Updated: 19 March 2020

Get Help Back to top