Thomas Jefferson University

Network Access Control

Network Authentication & Authorization Initiatives

Authentication is the process of verifying that a user, computer, or service (such as an application provided on a network server) is the entity that it claims to be. Authentication is an important part of identity management.

Authorization is the process of determining which actions an authenticated entity is authorized to perform. The tasks required to control authorization are also referred to as access management.

Authentication

Jefferson’s campus-wide authentication system is fed by several source applications that provide end-user information to Jefferson’s Lightweight Directory Access Protocol (LDAP) server. It is most visible to users as the campus key used to access most applications.

LDAP uses the campus key to provide a single campus-wide username and password combination (the LDAP/campus key solution prevents two users from being assigned the same campus key). Software developers and systems administrators creating accounts and IDs for new users are strongly encouraged to use the LDAP service and to avoid creating separate IDs for users.

Campus web developers who want to use the campus key to authenticate users to their web-based applications should contact the Infrastructure Services Team.

Campus key and LDAP are authentication systems only: they verify who a user is but do not by themselves grant authorization to any application. Campus keys are issued to a wide range of individuals, including faculty, staff, and students, to list just a few.

Authentication Project:

Beginning in the summer of 2007, IS&T began implementing the Sun Microsystems LDAP application. The Sun LDAP application replaced Jefferson’s previous LDAP application, which was based on open-source software.

Beginning in the spring of 2008, IS&T initiated an identity management project using the Sun Microsystems identity management application. The new identity management application will enhance the user management capabilities of IS&T.

Information on the Sun LDAP: Sun Java System Directory Server Enterprise Server (Sun LDAP) delivers virtual directory capabilities that help integrate identity data from multiple sources, and it integrates with Active Directory via on-demand password synchronization between the Windows and Sun directory server environments. It also provides a solid foundation for identity management, serving as a central repository for storing and managing identity profiles, access privileges, and application and network resource information.
http://www.sun.com/software/products/directory_srvr_ee/general_faq.jsp

Information on the Sun Identity Manager: Sun Identity Manager allows IS&T to automate the process of creating, updating, and deleting user accounts across multiple IS&T systems. Collectively, this process is known as provisioning (creating and updating accounts) and deprovisioning (deleting them). For example, when a new employee joins the university or JUP, Identity Manager could automatically run a workflow that retrieves the necessary approvals to grant the new employee access. Once these approvals are obtained, Identity Manager will automatically create the user accounts that allow the new employee to do his or her job. This may include creating the user account for network access, email, Pulse, etc. If a Jefferson employee changes roles, Identity Manager could update the user account and provide access to the resources required in the new role. When an employee leaves Jefferson, Identity Manager could automatically remove their user accounts to prevent further access. By using Identity Manager, the entire provisioning and deprovisioning process could be automated in an industry-standard way.
http://www.sun.com/software/products/identity/index.jsp
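As an added illustration of the join, role-change and departure lifecycle described above (this is not Sun Identity Manager code; the role-to-account map, the approval flag and the account names are constructed, and "grades" is a hypothetical system), the following model gates account creation on approval, removes entitlements on a role change or departure without waiting, and includes a check for accounts left behind in a downstream system:

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Constructed role-to-account map: the accounts a job function should hold in the
# downstream systems the page names (network, email, Pulse). "grades" is hypothetical.
ROLE_ENTITLEMENTS = {
    "faculty": {"network", "email", "pulse", "grades"},
    "staff": {"network", "email", "pulse"},
    "student": {"network", "email", "pulse"},
}

@dataclass
class Identity:
    campus_key: str                      # the single campus-wide username held in LDAP
    role: Optional[str] = None           # current job function; None once the person leaves
    approved: bool = False               # outcome of the approval workflow
    accounts: Set[str] = field(default_factory=set)  # accounts actually provisioned

def desired_accounts(identity: Identity) -> Set[str]:
    """Target state: the entitlements of the current role, or nothing after leaving."""
    return set(ROLE_ENTITLEMENTS[identity.role]) if identity.role else set()

def reconcile(identity: Identity) -> Tuple[Set[str], Set[str]]:
    """Return (to_create, to_remove). Creation waits for approval; removal never does,
    so a leaver or a demoted role loses access even while approvals are pending."""
    desired = desired_accounts(identity)
    to_create = (desired - identity.accounts) if identity.approved else set()
    to_remove = identity.accounts - desired
    return to_create, to_remove

def apply_provisioning(identity: Identity) -> Set[str]:
    """Run one provisioning pass and return the accounts now held."""
    to_create, to_remove = reconcile(identity)
    identity.accounts |= to_create
    identity.accounts -= to_remove
    return set(identity.accounts)

def assign_role(identity: Identity, role: str) -> None:
    """Hire or role-change event; an existing approval carries over (model assumption)."""
    identity.role = role

def terminate(identity: Identity) -> None:
    """Leaver event: no role means no desired accounts, so the next pass removes them all."""
    identity.role = None
    identity.approved = False

def stale_accounts(system_accounts: Set[str], identities: List[Identity]) -> List[str]:
    """Detection check: accounts in a downstream system whose owner is no longer active."""
    active = {i.campus_key for i in identities if i.role is not None}
    return sorted(a for a in system_accounts if a not in active)
```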

Authorization

Employee authorization is the process by which Jefferson delegates its authorized application access to one of its employees.

Many Jefferson applications have predefined authorization roles already established. When an employee requests access to an application, authorization to the Jefferson application is predicated on the job function of the requesting employee.

In order to delegate access to an application to an employee, the delegating party must already have authorized access to that application. Visit Pulse and click on University Policies for more information on obtaining authorization to Jefferson applications.