For web-based single sign-on, you should use Shibboleth authentication instead.
First, if you want to be able to authenticate suppressed users (e.g. FERPA students), you will need a departmental account, and you must request that it be granted permission to search suppressed users. You can use an existing departmental account if you wish, or create a new one specifically for LDAP use.
- Request a departmental account (requires authentication)
- Request access to search suppressed users
- Select the form type you prefer (Microsoft or PDF), then select the form for ‘X500 Real Time Data Feed’.
- Fill out and fax the form to data security. You’ll be contacted before the form is finalized, so if you have questions you haven’t passed the point of no return. A frequently requested attribute is ‘isMemberOf’; while this attribute is not included on the form, the values that are used to construct it are.
- If your application is interested in HR status, be sure to ask for: department, pay code, and appointment status.
- If your application is interested in Student status, be sure to ask for: ‘semester specific information’.
Once access has been granted, we will let you know the Distinguished Name (DN) of your departmental account, which you need for configuration.
The LDAP authentication service requires SSL. It uses a certificate signed by our InCommon Certificate Authority; see that page for information on loading the "AddTrust External Root CA" if your application needs it.
Applications generally interact with the service in the following pattern:
- Application binds to the directory as a privileged user
- Application searches for the target user using that user’s internetID
- Application retrieves the target user’s distinguished name (dn)
- Application attempts to bind using the target user’s dn and password
- (optional) Application retrieves one or more attributes to be used as criteria for eligibility (e.g. is this person still a staff member?)
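The steps above, as an added example that is not code from this service: it shows the checks the pattern needs in practice (rejecting empty passwords, escaping the internetID in the search filter, failing closed on zero or multiple matches). Assumptions: `directory` is a hypothetical adapter over your LDAP client, the internetID is stored in the `uid` attribute, and all DNs, passwords and entries are constructed placeholders.

```python
# Added example. `directory` is a hypothetical adapter over your LDAP client:
#   bind(dn, pw) -> bool      search(ldap_filter) -> [(dn, attrs), ...]
# Assumption: the internetID is stored in the "uid" attribute.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def authenticate(directory, svc_dn, svc_pw, internet_id, password, required_group=None):
    # An empty password makes a simple bind "unauthenticated" (RFC 4513 5.1.2),
    # which some servers report as success. Reject it before talking to LDAP.
    if not internet_id or not password:
        return False
    # Step 1: bind as the departmental (privileged) account.
    if not directory.bind(svc_dn, svc_pw):
        raise RuntimeError('departmental account bind failed')
    # Steps 2-3: find the user's DN; escaping stops input from rewriting the filter.
    matches = directory.search('(uid=%s)' % escape_filter_value(internet_id))
    if len(matches) != 1:  # none or ambiguous: fail closed
        return False
    user_dn, attrs = matches[0]
    # Step 4: verify the password by binding as the user.
    if not directory.bind(user_dn, password):
        return False
    # Step 5 (optional): eligibility from a retrieved attribute.
    return required_group is None or required_group in attrs.get('isMemberOf', [])

class FakeDirectory:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, entries):
        self.entries = entries  # dn -> {'uid', 'password', 'isMemberOf'}
    def bind(self, dn, pw):
        # Mimics a server that accepts empty-password (unauthenticated) binds.
        return dn in self.entries and pw in ('', self.entries[dn]['password'])
    def search(self, flt):
        return [(dn, e) for dn, e in self.entries.items()
                if flt in ('(uid=*)', '(uid=%s)' % e['uid'])]

SVC = 'cn=dept-app,dc=example,dc=edu'   # constructed placeholder DNs
USER = 'cn=jdoe,dc=example,dc=edu'
DEMO = FakeDirectory({
    SVC: {'uid': 'dept-app', 'password': 'svc-secret', 'isMemberOf': []},
    USER: {'uid': 'jdoe', 'password': 'correct horse', 'isMemberOf': ['staff']},
})

def check(uid, pw, group=None):
    return authenticate(DEMO, SVC, 'svc-secret', uid, pw, group)
```

`FakeDirectory.bind` deliberately accepts an empty password, so the up-front check in `authenticate` is the only thing that makes `check('jdoe', '')` fail.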
This service authenticates users using their Internet password; contact Identity Management if you are interested in using two-factor for LDAP authentication.
Basic connection information
|Bind DN||Your departmental account's Distinguished Name (e.g.
|Bind Password||Your departmental account's password|