Authentication of an application

Target groups: Students: yes | Employees: yes | Faculties: yes | Student unions: yes

The computing centre offers the authentication of applications via identity management and the connected directory services (Active Directory and OpenLDAP). Facilities that wish to restrict access to their own applications to certain groups of people can use the CIM authentication and authorisation options outlined below.

Authentication and authorization options

General authentication

  • Active Directory
  • OpenLDAP


Specific (service-based) authentication

  • Active Directory → service-specific group membership
  • OpenLDAP → service-specific structure
  • Eventhandling → Retrieve change events (Web service: XML, JSON)


Single-Sign-on (Shibboleth)

  • General via IDP → eduPersonAffiliation: 'member', 'student', 'employee'
  • Service-bound (SSO services) → eduPersonEntitlement: <service-specific value>


General authentication

The simplest form is a general authentication via the directory services Active Directory or OpenLDAP.

Target group: For all those who want to provide an application with password protection non-specifically for all groups of persons at Kiel University (additional filtering is possible on the application side).

Functionality: On request, institutions are granted administrative access to directory service resources, which allows them to connect an application to the directory service.

Specific (service-based) authentication

Target group: For anyone who wants to grant a specific group of people access to a protected application.

Functionality: On the CIM side, a service is defined for the respective target systems (Active Directory, OpenLDAP or Eventhandling), and a filter rule describing the group of persons authorized to use this service (e.g. all employees of an institution) is stored (see Consultation and Application below).

  • Active Directory: Specific groups of people are represented by group affiliations. Available are, for example, student groups according to faculty and study program, and employees of Kiel University according to institution.
  • OpenLDAP: Specific groups of people are represented in their own service-specific structures. You can also define which attributes are made available.
  • Eventhandling: For applications that cannot be connected via a directory service. Service-specific information (events) can be retrieved via web service queries to the CIM event handler, i.e. whether a new authorized person has been added, whether personal data has changed, or whether a person or an authorization has been deleted.


Single-Sign-on (Shibboleth)

Shibboleth offers an important authentication option for the connection of web applications (see also Functionality Single Sign-on/Shibboleth). For this, the respective web application must be set up as a service provider, i.e. it must support Shibboleth.

General via CAU-Identitaetsprovider (IDP): A general authentication for all members of Kiel University, alternatively restricted to students or employees (attribute eduPersonAffiliation: 'member', 'student', 'employee')

Service-bound via a single sign-on service (SSO service): An SSO service can be defined for a specific group of persons, whose members in turn are defined by a stored filter rule (e.g. attribute eduPersonEntitlement: <service-specific value>).
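The application-side filtering mentioned under General authentication, and the two Shibboleth variants above, both come down to checking the attributes the IDP releases. The following is an added example (not code from the computing centre or from Shibboleth) of a deny-by-default check on the service-provider side; it assumes the Shibboleth SP passes attributes to the application as 'affiliation' and 'entitlement' strings with multiple values joined by ';' (the SP convention), and the entitlement value is a constructed placeholder, not a real CIM value.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed placeholder; the real value is issued per SSO service by CIM.
SERVICE_ENTITLEMENT = "urn:example:cim:service:placeholder"


def split_multivalued(raw: Optional[str]) -> Set[str]:
    """Split a Shibboleth multi-valued attribute string ('a;b;c').

    The SP escapes a literal ';' inside a value as '\\;', so only unescaped
    semicolons separate values. A missing attribute yields an empty set.
    """
    values, current, escaped = [], [], False
    for ch in raw or "":
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    values.append("".join(current))
    return {v for v in values if v}


@dataclass
class Policy:
    """What a protected application requires of a logged-in person."""
    affiliations: Set[str] = field(default_factory=set)  # e.g. {"student"}
    entitlement: Optional[str] = None                     # e.g. SERVICE_ENTITLEMENT


def is_authorised(attrs: Dict[str, str], policy: Policy) -> bool:
    """Deny by default: every requirement the policy sets must be met."""
    if not policy.affiliations and policy.entitlement is None:
        return False  # an empty policy is a misconfiguration, not open access
    if policy.affiliations:
        # General IDP case: any one of the accepted eduPersonAffiliation values.
        if not split_multivalued(attrs.get("affiliation")) & policy.affiliations:
            return False
    if policy.entitlement is not None:
        # SSO-service case: the service-specific eduPersonEntitlement must be present.
        if policy.entitlement not in split_multivalued(attrs.get("entitlement")):
            return False
    return True
```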

Consultation and Application

The responsible service advisors are available for advice, especially on the question of which authentication option is most suitable in individual cases.

Before using a central directory service of the computing centre, a procedural description for the use of a central directory service of the computing centre (Form24, in German) must be completed and approved.

Before using an identity provider of Kiel University (Single Sign-on/Shibboleth), a procedural description for the use of the identity provider of Kiel University by a service provider (Form25, in German) must be completed and approved.

Contact: idmadmin@rz.uni-kiel.de
