Centralised user authentication

Centralised user authentication allows the identification of users of the University’s network services and information systems in such a way that a user can use the same user account for logging in to all services included in the authentication service. In addition to logging in, the service also takes care of the administration of access rights to systems, i.e., who has access to the various parts of the system. The service also includes the necessary information security solutions.

Options used for authentication are Shibboleth/SAML2, LDAP and AD authentication.

SAML2 is the recommended option as it offers the best information security, among other things. If necessary, also users from other domestic and foreign users can be included in the SAML2 authentication if they are members of HAKA or a similar trust network.

LDAP authentication is also a possible option as it allows the transfer of several types of data concerning the user (such as membership in groups).

Direct AD authentication is only possible when none of the above options are suitable because of the technical properties of the system. It should be noted, however, that not everyone has the permissions required for this option.

Options for the administration of access rights include using the HERO system or groups.

The HERO system is used when it is necessary to restrict the access rights to certain persons. In the HERO system, access rights are applied for through a chain of approval (a person’s supervisor approves their request for access rights, for example), and the access rights expire at specified intervals.

Administration of access rights by means of groups is possible when you want to grant predefined group access rights to the system. Group membership information may be administered automatically based on information obtained from background systems (such as staff of a specific department), or the administrator of the group can perform administration tasks manually.