UNI Login. Authentication



Similar documents
INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

NETASQ ACTIVE DIRECTORY INTEGRATION

Defender Token Deployment System Quick Start Guide

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

CONNECTING TO THE DTS WIRELESS NETWORK USING WINDOWS VISTA

Getting Started with AD/LDAP SSO

Web Meetings through VPN. Note: Conductor means person leading the meeting. Table of Contents. Instant Web Meetings with VPN (Conductor)...

VERALAB LDAP Configuration Guide

How to Use Remote Access Using Internet Explorer

Two-Factor Authentication

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Faith Lutheran College, Redlands. Install and Setup Office 365

Lenovo Partner Access - Overview

SPEECH REPOSITORY 2.0. Registration procedure

Safewhere*Identify 3.4. Release Notes

Account Activation. Guide

OneLogin Integration User Guide

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

Remote Access: Internet Explorer

Installation Guide. Before We Begin: Please verify your practice management system is compatible with Dental Collect Enterprise.

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

Authentication Methods

Copyright: WhosOnLocation Limited

Weston Public Schools Virtual Desktop Access Instructions

Remote Access End User Reference Guide for SHC Portal Access

Managed Security Web Portal USER GUIDE

SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

Using Foundstone CookieDigger to Analyze Web Session Management

Topic: ACE Initial Account Access

Configuration Guide - OneDesk to SalesForce Connector

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

Welcome (slide 1) Welcome to the Florida Department of Education Single Sign-On tutorial for federated user login and navigation.

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

Introduction to Webmail for staff

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Add in Guide for Microsoft Dynamics CRM May 2012

Accessing UniSIM MyMail For Students and Associates Via Microsoft Office 365. UniSIM - Restricted

Secure Global Desktop (SGD)

Integrating ConnectWise Service Desk Ticketing with the Cisco OnPlus Portal

CA Nimsoft Service Desk

PaperCut Payment Gateway Module CommWeb Quick Start Guide

Dynamic DNS How-To Guide

Configuring Sponsor Authentication

Access your Insurance Agent s web site using the URL the agency has provided you. Click on the Service 24/7 Link.

User guide. Business

Virtual Code Authentication User s Guide. June 25, 2015

ShareFile On-Demand Sync can be installed via EXE or MSI. Both installation types can be downloaded from

Stoneware Inc. Hyland Software OnBase. Stoneware, Inc.

owncloud Configuration and Usage Guide

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

Web Authentication Application Note

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

WHMCS LUXCLOUD MODULE

OpenClinica SSL VPN Access New User Setup Guide

UAG Series. Application Note. Unified Access Gateway. Version 4.00 Edition 1, 04/2014. Copyright 2014 ZyXEL Communications Corporation

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

Egnyte Single Sign-On (SSO) Installation for OneLogin

MIDAS Authorization User Guide. Provider Portal

JusticeConnect AVL for Windows SETUP GUIDE

Electronic Questionnaires for Investigations Processing (e-qip)

WebSphere Application Server security auditing

Document Digital Signature

In a browser window, enter the Canvas registration URL: silverlakemustangs.instructure.com

Enhanced Password Security - Phase I

Setting up single signon with Zendesk Remote Authentication

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Getting Started with StoreGrid Cloud

IIS, FTP Server and Windows

Portal Recipient Guide

Accessing the SUNYIT wireless network for the first time

MULTI-FACTOR AUTHENTICATION SET-UP

DIGIPASS Pack for Citrix on WI 4.5 does not detect a login attempt. Creation date: 28/02/2008 Last Review: 04/03/2008 Revision number: 2

DATA SHEET Setup Tutorial

Preparing your Domain to transfer from Go Daddy

New Help Desk Ticketing System

How Students Log Into IBTP Testing

Mississippi Educator Licensure Management System. Single Sign On User Guide

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

Multi-Factor Authentication Job Aide

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Strong Authentication for Juniper Networks SSL VPN

How to Configure Captive Portal

UAG4100 Support Notes

Manual. Netumo NETUMO HELP MANUAL Copyright Netumo 2014 All Rights Reserved

Enhanced Password Security - Phase I

Savvius Insight Initial Configuration

Online Valuation Portal User Guide

OneDrive for Business from Desktop or Laptop Windows devices

Law School Computing Services User Memo

RemotelyAnywhere Getting Started Guide

Portal User Guide. Customers. Version 1.1. May of 5

Phone Manager Application Support JANUARY 2015 DOCUMENT RELEASE 4.2 APPLICATION SUPPORT

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

MULTI-FACTOR AUTHENTICATION SET-UP

Manufacturing Representative SSL VDM Login User s Guide

Transcription:

UNI Login Authentication UNI C februar 2012

UNI Login Authentication UNI C februar 2012

Authentication with UNI Login 1 Index 1 Authentication with UNI Login... 2 1.1 How does it work?... 2 1.2 How does the application identify itself to the server?... 3 1.3 How does the ticket look?... 4 1.4 How to log out of UNI Login.... 5 1.5 Single Login og group login... 6 1.6 How to integrate UNI Login grafically... 6

Authentication with UNI Login 2 1 Authentication with UNI Login UNI Login is a service that provides authentication, access control and user administration to providers of web-based applications in the educational sector. This document describes the technical interface, which the applications must implement in relation to UNI Login based authentication. 1.1 How does it work? When an application wants to log in a new user via UNI Login, the application redirects the user s browser to a UNI Login-server. This server presents a login form to the user, who enters the username and password: If the user s credentials are approved, UNI Login redirects the user s browser back to the application along with a ticket, which proves that the user is authenticated. The ticket must be validated by the application, which then takes over the responsibility for the rest of the user s session. The principle is illustrated below:

Authentication with UNI Login 3 Browser 2 1 3 Application UNI Login 1) The user contacts the application 2) The application redirects to UNI Login 3) UNI Login redirects back with a ticket. UNI Login supports Single Sign On. When the user has once logged into UNI Login, he will not have to retype username and password for access to other UNI Login-applications during the current browser session. The user will automatically be redirected back to additional requesting applications with an authenticating ticket. This functionality is often perceived by the users as if the different UNI Login applications were integrated. It is possible to avoid this functionality by using Single Login instead of Single Sign On. In this case the user will always be prompted for a password when accessing the application. 1.2 How does the application identify itself to the server? The application identifies itself to the UNI Login-server by specifying the parameter id in the redirect. E.g. the application redirect could look like this: https://sso.emu.dk/unilogin/login.cgi?id=test Every application has a unique id with a corresponding unique common secret. The return URL is often specified as a static URL, but some applications need UNI Login to dynamically return the user to different places in the application. This may be done by specifying the parametres path and auth in the redirect from the application to UNI Login. Parameter Id secret returnurl path auth Beskrivelse Every application has a unique id Unique common secret between UNI C and the provider of the application Default is specified statically by the configuration, but may be set dynamically by the path parameter Contains returnurl. Calculated as URI_ESCAPE(BASE64(returnURL) A fingerprint that authenticates path Calculated as MD5(returnURL+secret)

Authentication with UNI Login 4 Example of a redirect with a dynamic returnurl: https://sso.emu.dk/unilogin/login.cgi?id=test& path=ahr0cdovl3d3dy5lbxuuzgsvyxbwba%3d%3d& auth=59169cb39fab40cb0ad6ade6a6eb491e In the example returnurl is http://www.emu.dk/appl and secret is abc123. The calculations are as follows: path = URI_ESCAPE(BASE64( http://www.emu.dk/appl )) = URI_ESCAPE( ahr0cdovl3d3dy5lbxuuzgsvyxbwba== )= ahr0cdovl3d3dy5lbxuuzgsvyxbwba%3d%3d auth = MD5( http://www.emu.dk/applabc123 ) = 59169cb39fab40cb0ad6ade6a6eb491e 1.3 How does the ticket look? The ticket is encoded into the URL, which UNI Login redirects back to. Below is an example of this: http://www.emu.dk/appl?user=testuser&timestamp=2003050512595&auth=5e55 280df202c8820a7092746b991088 The following three parameters are always present in the redirect: Parameter user timestamp auth Beskrivelse The username of the authenticated user. In the example the username is testuser timestamp A timestamp in the format YYYYMMDDhhmmss., which specifies the time of the ticket issue in UTC (GMT) auth A fingerprint that authenticates user and timestamp. The fingerprint is specified in hexadecimal and computes as MD5(timestamp+secret+user), where secret is a common secret shared by the application and the UNI Loginserver When the application receives the ticket with these parameters, the application must verify that the fingerprint is correct and that the ticket has not previously been used. The application verifies the fingerprint by recalculating MD5(timestamp+secret+user). The value must be the same as received in the

Authentication with UNI Login 5 auth parameter. In the example above the example the common secret used is abc123. Thus the fingerprint gets the following value. auth = MD5( 20030505125952abc123testuser ) = 5e55280df202c8820a7092746b991088 It is possible to verify that the ticket has not previously been used by storing used tickets. An alternative method is to verify that the ticket was issued within a short time window, e.g. 60 seconds. The window has to be shorter than the time it takes to redirect the user s browser. If the time is used to verify the validity of the ticket, it is important that the clock is correctly synchronized on the application server. UNI Login is synchronized with central NTP-servers on the Internet. If auth is valid and the ticket is not a reuse then user is authenticated and the application can now begin a session with user, e.g. by issuing a session cookie. 1.4 How to log out of UNI Login UNI Login supports Single Sign On and consequently an application needs to do more than just close its own session with the user on logout. If the user contacts the application again, the user will get access without having to reenter credentials since UNI Login will still issue a ticket based on the previous login. In addition to closing the applications own session with the user, it is therefore necessary for the logout-process to redirect to UNI Logins logout page in order to also close the users session with UNI Login. The URL to redirect to in order close the UNI Login session is: https://sso.emu.dk/logout Note that UNI Login does not automatically log the user out of other applications that the user might have visited directly or indirectly during the session. The only way to guarantee that every session is closed is to close the browser completely. Consequently it is the general recommendation when using UNI Login Single Sign On to encourage the user to close the browser after use. When logging out of UNI Login the following warning in Danish will pop up:

Authentication with UNI Login 6 1.5 Single Login og group login If the application wants full control over the login-process it may use Single Login instead of Single Sign On. The consequence is that the users will always be prompted for a password when accessing the application, which may spoil the perception of integration between applications in e.g. a student portal or a portfolio. Single Login can be used to e.g. implement group login by letting the users log in individually with Single Login, while their identities are tied together in a group by the application. To use Single Login you must use the server address sli.emu.dk instead of sso.emu.dk. In every other aspect the documentation is unchanged. 1.6 How to integrate UNI Login graphically It is recommended that the textual links in the login button and the logout button are written in the font Arial fat. The text is available in two versions: a short and a long that may be used as appropriate. The font size is 10px/1em. The color of the font should be chosen to ensure sufficient contrast to the background. The buttons are shown below with respectively a light and a dark background: UNI Login Log på med UNI Login UNI Login Log på med UNI Login

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information