Authentication is the process of verifying who someone is. How you implement authentication depends on your user community and the technologies you use to deliver services to them. You can authenticate nearly anyone in the world (not only members of the UW community, but also users from other academic institutions and social networks), but the method you use depends on the technologies you choose.
Need help understanding how authentication fits into your service or how to authenticate users consistent with applicable policies? Contact us for assistance.
Resources on user authentication
The following resources describe more specific approaches to user authentication based on the kinds of users and technologies involved.
- Single sign-on with UW NetID
Single sign-on (SSO) with UW NetID enables members of the UW community to sign in with UW NetID to access thousands of web-based services. Custom-built applications, open source and vendor software, and software-as-a-service applications can integrate SSO with UW NetID using a variety of standards-based technologies: Shibboleth Service Provider software, Security Assertion Markup Language (SAML), and OpenID Connect (OIDC). Indirect integrations are also possible through the Canvas Learning Management System; through cloud-based identity solutions based on Microsoft Azure Active Directory, Google Sign-In, Amazon Cognito, Auth0, etc.; and through cyberinfrastructure used in the research and education community, such as CILogon, ORCID, and Globus.
- Microsoft Infrastructure (authentication integration)
Microsoft Infrastructure enables user authentication through several integration methods: domain/forest trusts, delegated OUs, Active Directory, and Azure Active Directory. Active Directory supports authentication with UW NetID for Windows servers, workstations, and lab computers using the “netid.washington.edu” domain. Azure Active Directory enables single sign-on with UW NetID for applications that rely on Microsoft sign-in.
Kerberos is used for authentication on Linux servers and other systems that rely on the Kerberos protocol. Two Kerberos realms support authentication with UW NetID: one based on MIT Kerberos (u.washington.edu) and one on Active Directory (netid.washington.edu). Customers often integrate with Kerberos using Pluggable Authentication Modules (PAM).
- Add 2FA to your IT system
IT system owners and their teams can add two-factor authentication (2FA) to their systems by integrating with UW-IT infrastructure for UW NetIDs and authentication. Customers primarily integrate 2FA through SSO (above), but limited support is available for direct integrations with departmental systems.
- Authenticate users from other academic institutions
InCommon and eduGAIN are federations that enable you to authenticate users from other universities without having to sponsor UW NetIDs for them. To enable safe, secure access between organizations and the trusted exchange of identity data, these federations establish technology standards and baseline expectations for participating organizations, including service providers that host and manage access to resources, institutions that authenticate members of their local communities (like the UW), and federation operators (like InCommon) and cyberinfrastructure (like CILogon) that connect participants and communities. Authenticating users from other academic institutions can be combined with SSO with UW NetID and with social login.
- Authenticate users via social login
Social login through the UW Social to SAML Gateway enables authentication using social accounts (Google, Facebook, GitHub, etc.). Social login enables you to authenticate users outside the UW community without having to sponsor a UW NetID for them. Social login can be combined with SSO with UW NetID or with authentication of users from other academic institutions. Instructions are provided for customers on configuring the Shibboleth SP to use the UW Social Gateway.
- Authenticate users of native mobile applications (*)
Are you building or deploying a native mobile application, such as an iOS or Android application? Want to adopt emerging best current practices for integrating native mobile applications with user authentication and secure access to APIs? Contact us to discuss strategies for authenticating users of native mobile applications.
* included (without links) to encourage interested customers and early adopters to share and discuss their solution architectures.
Other options for user authentication
RADIUS authentication supports eduroam wireless network access and access to network devices. Support for customers outside of UW-IT is limited.