These commonly asked questions will help web application owners determine whether Federated Identity Service authentication will work with, and is appropriate for, their web application.
Perhaps; however, there are several considerations:
No, but it is recommended. Federation is built on a trust fabric, agreements, practices and language that all enable cooperation across organizational boundaries. If your application is provided through an InCommon federation agreement, then the operating policies and expected behaviors related to attribute data exchanges are already established.
If not, you must demonstrate a comparable agreement with the application provider to ensure university data is managed in accordance with all applicable policies and requirements. In some cases, application provider membership in InCommon may expedite Federated Identity Service integration. We recommend that any web application provider that wishes to use federated authentication be familiar with the InCommon Federation, its practices, and its participant expectations.
Please call the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) to request additional information.
You may request consideration by calling the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or email@example.com.
Once you submit a request with the IT Service Center, you will be asked to complete the Federated Identity Service request/agreement form. For simple requests, it may be sufficient for you to complete the form. For more complex requests, as a next step, an OIT team member will reach out to you to further discuss your request to determine if Federated Identity Service is right for your web application.
The system and each service have pre-set timeouts, which aid in minimizing the exposure of forgotten Web browser sessions.
No. Once you have started a session in Federated Identity Service, you are logged in to all CU Boulder services that utilize Federated Identity Service to authenticate. Don't forget to log out once you are finished.
Please refer to the Federated Identity Service webpage.
Perhaps. Single sign-on (SSO) is a native capability of Shibboleth and thus of Federated Identity Service. It cannot be turned off or bypassed. Federated Identity Service is primarily a federation authentication service, not an SSO solution. As a result, SSO may be a beneficial feature for some federated authentication solutions, but it may be a less-than-optimal consequence for others. OIT can help a web application provider consider the consequences of, and alternatives to, Federated Identity Service SSO.
Federated Identity Service provides an environment in which users can authenticate/log in one time with their respective CU Login Name and Identikey password to a central server in order to access multiple services protected with Federated Identity Service without needing to re-authenticate.
Your Digital ID Card outlines the identifying information that is shared with the service(s) you are logging into to provide you access to that service. Due to a recent update of the Federated Identity Service, you may see your Digital ID Card and be prompted with release consent options. You have the option to provide consent for each login, or to store consent and not be prompted again unless there is a change in the information. First-time users of a protected service will always be prompted for consent.