EAS Policy

Purpose

The purpose of this Policy is to outline the proper authentication methods for use with the University’s administrative enterprise systems and/or applications.

Responsibilities

Any University of Illinois college, department or organization that has developed and implemented an enterprise administrative application or system is responsible for compliance with this Policy.

Policy Statement

Enterprise Authentication Service (EAS) should be used with all enterprise-wide administrative applications for user authentication purposes.

Exceptions to this policy must be approved by the Enterprise Architecture Committee and Director of Enterprise Systems Assurance and Chief Security Officer.

Definitions

Enterprise Authentication System (EAS)

Enterprise Authentication Service (EAS) is offered and maintained by Administrative Information Technology Services (AITS) as a single sign-on authentication, authorization, and session management service for many of the University’s enterprise systems. It also serves as the repository for user, permission, group, enterprise network ID, personal identification number, and security question information. EAS allows applications to authenticate and authorize users in a consistent fashion without maintaining application-specific repositories for this purpose. Furthermore, vended applications and other interested participants can keep local user repositories in sync with EAS by consuming synchronization messages published by EAS on the University’s enterprise service bus (ESB).

Enterprise ID (EID)

EAS uses Enterprise ID (EID) to authenticate users to administrative applications such as UI-Integrate (Banner), PCard, online student course registration, Human Resources, Payroll, Benefits, Finance, etc. EID is a user ID in the uillinois.edu domain, which is a superset of (most) campus Netids. Netids are user IDs assigned by each campus and are used as credentials to access campus-specific applications and systems.

Enterprise-wide Administrative Application

An Enterprise-wide Administrative Application is defined as any online service provided within University Administration or across two or more University campuses. 

Background Information

Purchased or internally developed applications and systems often provide the capability of using a standalone user database. Instead of using a “standalone” userid/password repository that’s specific only to the individual software/application, EAS and the Enterprise IDs can be used for this purpose. The EAS functionality allows the reuse of the user’s credentials and reduces the need for multiple IDs and passwords to service the various enterprise applications. Other benefits of using EAS include:

  1. Single Sign-On – Using EAS allows applications to leverage the enterprise “single sign-on”. Once users are logged on to an EAS-protected application, they will not be prompted to log on when accessing another EAS-protected application.
  2. Password Rules – EAS enforces password complexity rules and improves our ability to comply with University and regulatory policies.
  3. Authentication logging – EAS provides comprehensive and centralized logging of authentication activities. While the detail of logging provided by vended applications might (or might not) be sufficient, it’s generally not easy to aggregate it with other enterprise authentication logs.
  4. Consistent user interface – It’s very important to educate and condition users to input their enterprise credentials only to trusted interfaces, and using enterprise authentication infrastructure provides a single “trusted” interface for users. In other words, we are able to minimize the number of different systems and login prompts that solicit enterprise credentials so that users don’t become used to providing their credentials to “arbitrary” login prompts.

References

A full description of the EAS services and procedures can be found in the EAS Service catalog on the AITS website.