Authentication and Authorization Services

Service Description

CA SiteMinder

SiteMinder is the new Web Access Management system used by the University of Illinois. This system provides the following Identity and Access Management functions:

  • Authentication (AuthN): Authentication or logon is the process by which users are challenged to prove their credentials to the system or application they are trying to access. This process can be as simple as providing a user ID and password, or it can use multi-factor authentication, such as a certificate in addition to a user ID and password.
  • Authorization (AuthZ): Authorization is the process of ensuring that authenticated users have the right privileges (the minimum amount of access required to carry out their assigned duties) to access University resources. SiteMinder may leverage the following methods for authorization: LDAP/AD groups, different user stores and user attributes (data about users).
  • Single Sign-On (SSO): SSO is the process by which users are challenged to authenticate once and access multiple applications and systems without being challenged again during the same session.
  • Multi-factor Authentication: This process is the combination of more than one type of authentication. This type of authentication may include something you know combined with something you have. For instance, the something you know is your user ID and password, and the something you have is a certificate or a code stored on your device. Although this feature is available in SiteMinder, it will not be used until later stages of the IAM project.
  • Federation: In the simplest terms, federation is the ability to leverage users' credentials from other institutions to access resources protected by SiteMinder and/or leverage University of Illinois credentials to access external resources. Currently the University of Illinois uses Shibboleth for federation, which will be integrated with SiteMinder authentication.

SITEMINDER INSTALLATION PROCESS
Required Items to Request an Agent Installation

To request a web agent installation, you will need to provide the following information:

  1. Name of department requesting the installation
  2. IP addresses of the server(s) being protected
  3. Host Name(s) of the servers
  4. URL(s) being protected
  5. Operating system of the web/application server being protected. Give the specific version of Windows, Linux, or UNIX, and specify whether it is 32-bit or 64-bit.
  6. Type of Web/Application server (Apache, Tomcat, IIS, etc.)

How to Request Agent Installation
To request an agent installation over the web, go to http://web.uillinois.edu/iam/siteminder/siteminder_requests.

To request an agent installation over email, send an email to siteminder@uillinois.edu. Please include the required items listed in the section above (department, server IP addresses, OS platform, etc.).

To Install the Web Agent

To install the web agent using Linux, please go to http://web.uillinois.edu/iam/siteminder/siteminder_installation_process/linux/

To install the web agent using Windows, please go to http://web.uillinois.edu/iam/siteminder/siteminder_installation_process/windows/

To install the web agent on a CITES SMG supported system, please go to https://wiki.cites.illinois.edu/wiki/display/SMGPub/SiteMinder+for+Web+Access+Management

How Applications Use SiteMinder
When an application is protected by a SiteMinder agent, it will require the user to authenticate before accessing the protected application. SiteMinder will also identify the authenticated user to the protected application. This identification occurs by providing HTTP headers that can be read by the protected application.

The following is a list of standard headers that will be provided to all protected applications, followed by a supplemental list of headers that can be provided upon request to legacy Bluestem applications.
Standard HTTP Headers

  • SM_USER: jsmith
  • SM_USERDN: uid=jsmith,ou=Production, ou=People, dc=uillinois, dc=edu
  • DISPLAY_NAME1: John Smith
  • DISPLAY_NAME2: Smith, John
  • UIN: 111111111
  • LAST_NAME: Smith
  • FIRST_NAME: John
  • REMOTE_USER: jsmith

Supplemental Bluestem HTTP Headers (Available upon request)

  • BLUESTEM_ID: jsmith
  • BLUESTEM_USER: jsmith
  • DOMAIN: illinois.edu
  • AUTH_METHOD: AD
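As an added example (not code from this page, nor from SiteMinder or AITS), the following Python reads the standard and supplemental headers listed above into an identity record: a missing SM_USER is treated as an unauthenticated request, and the function fails closed when SM_USER, SM_USERDN, REMOTE_USER or UIN disagree with each other. It assumes the application receives the headers as a plain dict of name/value pairs; the header names and sample values are the ones on the page, and SAMPLE_HEADERS is a constructed request.

```python
import re
from typing import Optional

# Supplemental headers a legacy Bluestem application may additionally receive.
BLUESTEM_HEADERS = ("BLUESTEM_ID", "BLUESTEM_USER", "DOMAIN", "AUTH_METHOD")

def parse_dn(dn: str) -> list:
    """Split 'uid=jsmith,ou=Production, ou=People, dc=uillinois, dc=edu' into (attr, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        parts.append((attr.strip().lower(), value.strip()))
    return parts

def identity_from_headers(headers: dict) -> Optional[dict]:
    """Return the identity asserted by the agent headers, or None if there is no SiteMinder session.

    Raises ValueError when the headers are present but inconsistent, so the
    application fails closed rather than acting on a half-formed identity.
    """
    h = {k.upper().replace("-", "_"): v for k, v in headers.items()}  # tolerate WSGI-style names
    user = h.get("SM_USER")
    if not user:
        return None                       # unauthenticated: no agent-asserted user
    dn_parts = parse_dn(h.get("SM_USERDN", ""))
    if ("uid", user) not in dn_parts:
        raise ValueError("SM_USER does not match the uid in SM_USERDN")
    if h.get("REMOTE_USER", user) != user:
        raise ValueError("REMOTE_USER disagrees with SM_USER")
    uin = h.get("UIN", "")
    if not re.fullmatch(r"\d{9}", uin):   # UIN is a nine-digit number in the page's example
        raise ValueError("UIN is not a nine-digit number")
    return {
        "user": user, "dn": dn_parts, "uin": uin,
        "display_name": h.get("DISPLAY_NAME1", ""),
        "first_name": h.get("FIRST_NAME", ""), "last_name": h.get("LAST_NAME", ""),
        "bluestem": {k: h[k] for k in BLUESTEM_HEADERS if k in h},
    }

# Constructed sample request headers, mirroring the values in the service description.
SAMPLE_HEADERS = {
    "SM_USER": "jsmith",
    "SM_USERDN": "uid=jsmith,ou=Production, ou=People, dc=uillinois, dc=edu",
    "DISPLAY_NAME1": "John Smith", "DISPLAY_NAME2": "Smith, John",
    "UIN": "111111111", "LAST_NAME": "Smith", "FIRST_NAME": "John",
    "REMOTE_USER": "jsmith", "DOMAIN": "illinois.edu", "AUTH_METHOD": "AD",
}
```

These headers carry meaning only on requests that actually passed through the SiteMinder agent, so the protected application should not be reachable by any path that bypasses the agent.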

For access problems, questions, or comments, contact the AITS Help Desk at 217-333-3102 (Urbana/Springfield) or 312-996-4806 (Chicago). You can also e-mail the AITS Service Desk at servicedeskaits@uillinois.edu.

Enterprise Authentication Service (EAS):

EAS is a single sign-on authentication, authorization, and session management service offered by AITS for many of the University’s enterprise systems. It also serves as the repository for user, permission, group, enterprise network ID, personal identification number, and security question information. EAS allows applications to authenticate and authorize users in a consistent fashion and without maintaining application specific repositories for this purpose. Furthermore, vended applications and other interested participants can keep local user repositories in sync with EAS by consuming synchronization messages published by EAS on the University’s enterprise service bus (ESB).

EAS uses NetID to authenticate users to administrative applications such as UI-Integrate (Banner), PCard, online student course registration, Human Resources, Payroll, Benefits, Finance, etc.

EAS Policy:
Enterprise ID and/or Enterprise Authentication Service (EAS) must be used with all enterprise wide administrative applications for user authentication purposes. Administrative applications include, but are not limited to, Banner, online student course registration, Human Resources, Payroll, Benefits, Finance and all newly developed web-based applications.

The implementation of this policy is the responsibility of any University of Illinois college, department or organization that has developed and implemented an enterprise wide administrative application or system.

EAS Services:
    1. A service gateway and repository that are the authoritative source for sessions, users, permissions, network ID assignments, groups, PINs, and security questions
    2. A J2EE web application that allows users to authenticate, claim network IDs, and change their password and security questions.
    3. A web application framework that client applications use to communicate to the EAS service via the ESB.

EAS Benefits: 
  • Enterprise (University) wide login IDs and passwords. In other words, applications using EAS can authenticate users from Urbana, Chicago, and Springfield
  • Single sign-on for developed and vended applications
  • Lessens support requirements through consistent look and feel
  • Improved security through centralized session management and policy enforcement
  • Reduced total cost of ownership with a single authoritative source for authentication and authorizations
  • Common repository for network ID assignments
  • Simplifies the process of maintaining network IDs by storing them in a single repository

Features of EAS provide for an efficient and effective means for securing access to on-line services. Customers can leverage the service to:

  • Generate and create network IDs
  • Create network ID assignments
  • Create enterprise and application sessions
  • Assign appropriate access to on-line resources
  • Query for Enterprise User information including permissions, properties and network ID assignments
  • Reset passwords and maintain security questions
  • Subscribe to network ID assignment updates

Hours of Availability

This service is available to customers 24/7, excluding planned outages, maintenance windows and unavoidable events. Maintenance windows are used only when needed for planned changes that have gone through the AITS Change Control Process. In addition to the standard AITS maintenance windows, site-specific and service-specific changes may be coordinated with customers at non-standard times.

Standard maintenance windows are defined as:

  • 6 a.m. to 12 p.m. each Sunday, when application usage is at its lowest
  • After 5 p.m. every Tuesday and Thursday, unless business needs require a change during business hours
  • The second Wednesday of the month from 5 p.m. to 8 p.m. for patching Microsoft servers
  • 6 a.m. to 6 p.m. three Sundays a year for routine Windows and Linux maintenance

Customer Responsibilities

  • Submit an appropriate work request or template to gain access to EAS
  • Deploy and learn the EAS service definition, messages, and APIs
  • Obtain access to the University’s ESB infrastructure
  • Develop and test applications that invoke EAS
  • Participate in EAS testing and maintenance events as needed

For access problems, questions, or comments, contact the AITS Help Desk at 217-333-3102 (Urbana/Springfield) or 312-996-4806 (Chicago). You can also e-mail the AITS Service Desk at servicedeskaits@uillinois.edu.

How Do We Charge?

This service is offered through the Work Request and ITPC Project request processes. For more information on requesting work or submitting a project, please see the ITPC Project Submissions page on the ITPC website. Currently, AITS does not charge for this service.