Authentication Types

Retired: redirected to Compare Authentication Options page https://it.umn.edu/comparison/compare-authentication-options

Authentication Services enables application developers to control access to the tools they create. At the University, this is offered through multiple methods, including LDAP, RADIUS, and Shibboleth.

Students, Staff, and Faculty looking for information on logging into applications using their Internet Accounts should visit the Internet Accounts and Passwords page for more information.

Shibboleth

Shibboleth is an implementation of the Security Assertion Markup Language (SAML) authentication protocol. It enables applications to provide unparalleled fine-grained access control based on user account attributes.

There are two roles in the Shibboleth system in place at the University: the Identity Provider (IdP) and the Service Provider (SP). The numerous SPs are configured to communicate with a particular IdP. When a user visits the SP, the SP directs them to the IdP to authenticate. Then, the IdP responds with the result of that authentication, which is used by the SP to provide the appropriate level of access to the user.

Shibboleth is commonly used in web applications such as Moodle, Lynda.com, and Library resources, where a user's status at the University determines their level of access to these resources.

Information about setting up your application as a Shibboleth Service Provider can be found on the Shibboleth Self-Help Guide.

Two-Factor Authentication

For applications that require a higher level of security than a username and password combination, an SP can require that users authenticate through the Duo Two-Factor Authentication System, which provides a second level of authentication (a user must confirm that they have a physical token, generally a mobile or landline phone, in addition to an Internet ID and Password). This second layer is generally enabled in higher-security applications, including enterprise systems that use Human Resources, Financial, or Student Records data.

Information on setting up your application to require a second factor of authentication can be found on the Shibboleth Self-Help Guide.
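The SP-side access decision described in the Shibboleth and Two-Factor Authentication sections above, as an added example (not University or Shibboleth project code). The `authorize` function, the policy table, the resource names and the MFA context value are assumptions; the variable names are the ones the Shibboleth SP exports with its stock attribute map.

```python
# Added example: SP-side access decision from attributes the IdP released.
# "Shib-Session-ID", "Shib-AuthnContext-Class" and "unscoped-affiliation" are
# names the Shibboleth SP exports with its stock attribute map; the policy
# table, resource names and MFA context value below are assumptions.
# Read these from the request environment populated by the SP module, never
# from client-supplied HTTP headers.

MFA_CONTEXT = "https://refeds.org/profile/mfa"  # assumed value asserted by the IdP

# Hypothetical policy: resource -> (affiliations allowed, second factor required)
POLICY = {
    "library": ({"student", "staff", "faculty"}, False),
    "hr-records": ({"staff"}, True),
}


def authorize(env, resource):
    """Return (allowed, reason); every missing or unexpected input denies."""
    if not env.get("Shib-Session-ID"):
        return False, "no-session"          # user never went through the IdP
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown-resource"    # no rule means no access
    allowed, needs_mfa = rule
    # The SP joins multi-valued attributes with ';'
    raw = env.get("unscoped-affiliation", "")
    held = {v.strip().lower() for v in raw.split(";") if v.strip()}
    if not held & allowed:
        return False, "affiliation"
    if needs_mfa and env.get("Shib-AuthnContext-Class") != MFA_CONTEXT:
        return False, "mfa-required"        # password-only login is not enough
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample sessions, not captured from a real SP.
    student = {"Shib-Session-ID": "_constructed1", "unscoped-affiliation": "member;student"}
    staff_pw = {"Shib-Session-ID": "_constructed2", "unscoped-affiliation": "staff",
                "Shib-AuthnContext-Class":
                    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}
    staff_mfa = dict(staff_pw, **{"Shib-AuthnContext-Class": MFA_CONTEXT})
    for name, env in [("student", student), ("staff_pw", staff_pw), ("staff_mfa", staff_mfa)]:
        for res in POLICY:
            print(name, res, authorize(env, res))
```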

LDAP Authentication

LDAP Authentication may be useful for providing central authentication for vendor-provided applications. Many packaged software products can be configured to reference an LDAP directory for authentication. LDAP Authentication provides an SSL-protected LDAP interface to the University directory. Information on configuring your application to use LDAP to authenticate users can be found in the LDAP Authentication.

Eduroam

Eduroam is a worldwide federation of servers that facilitates network access for roaming academic affiliates. Eduroam's network is built around well-understood, established, and easy-to-manage standards which are often already deployed within the network infrastructure of educational institutions.

When you log on to the network at another Eduroam participant, your user credentials are not revealed to that institution but instead are only revealed to your home institution -- the U of M. The Eduroam network also provides the University a simple and automatic guest provisioning system: instead of providing a separate visitor network with the added administrative overhead of maintaining user lists, we may rely on a visitor's home institution to authenticate them for the duration of their stay.

Learn how to access Eduroam.