Western WebLogin Service
What is Western WebLogin Service?
Western WebLogin Service provides central authentication for web-based services and applications. The Western WebLogin Service allows applications (service providers) to authenticate users using their Western credentials, without having to maintain their own password system.
Supported Authentication Protocols
- SAML2
- OAuth2
- OpenID Connect (OIDC)
- CAS 2 and CAS 3 (Central Authentication Service)
How Do I Implement the Western WebLogin Service?
- First, submit a Technology Risk Assessment (TRA) for your application. Details about the TRA can be found at Information Security Technology Risk Assessment.
- Determine if your application supports SAML, OIDC, OAuth or CAS.
- Determine the attributes required by your application.
- Once the TRA is complete, submit the WebLogin Authentication Request form in Jira Service Desk to begin the process.
Additional Important Items
- Logging Out
  - Western WebLogin stores information in the user's web browser, using a feature called cookies. Remind users to close the browser for a complete logout.
- Authentication vs Authorization
  - Western WebLogin provides authentication services, determining if a user's credentials are valid.
  - It is the responsibility of the application to perform authorization, determining if a user is allowed to use the application.
  - Western WebLogin can send attributes about a user, such as username, role (staff, student, etc.) and Active Directory group membership, to aid the application in authorization.
- 'Break Glass' Account
  - It is recommended to have a 'break glass' account: an account that has access to the application without MFA, for use in the event that an Identity Provider such as Azure or Duo is not available.
- Outage Planning
  - For applications that also have MFA enabled, WTS recommends having a plan for a Duo outage, including a decision on whether or not MFA should be bypassed while Duo is unavailable.
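The Authentication vs Authorization item above, as an added example (not Western's code): an application-side check that takes the attributes released after a successful login and makes its own deny-by-default access decision. The attribute names (`username`, `role`, `groups`), the group name, and the policy of requiring both a permitted role and a permitted group are assumptions for illustration.

```python
"""Application-side authorization over attributes released after login.

Attribute names ("username", "role", "groups") and the policy values are
assumptions for illustration; use the names agreed for your integration.
"""

ALLOWED_ROLES = {"staff"}                # hypothetical policy
ALLOWED_GROUPS = {"app-finance-users"}   # hypothetical AD group name


def _values(attrs, key):
    """Return an attribute as a set of lowercase strings.

    Released attributes may be absent, a single string, or a list.
    """
    raw = attrs.get(key)
    if raw is None:
        return set()
    if isinstance(raw, str):
        raw = [raw]
    return {str(v).strip().lower() for v in raw if str(v).strip()}


def authorize(attrs):
    """Decide access for an already-authenticated user. Default is deny.

    Returns (allowed, reason) so the reason can be written to an audit log.
    """
    users = _values(attrs, "username")
    if len(users) != 1:
        return False, "missing or ambiguous username"
    if not _values(attrs, "role") & ALLOWED_ROLES:
        return False, "role not permitted"
    if not _values(attrs, "groups") & ALLOWED_GROUPS:
        return False, "not in a permitted group"
    return True, "role and group permitted"


if __name__ == "__main__":
    # Constructed sample attribute sets, as they might look after the
    # protocol library has validated the login response.
    samples = [
        {"username": "jdoe", "role": "staff", "groups": ["App-Finance-Users"]},
        {"username": "asmith", "role": "student", "groups": ["app-finance-users"]},
        {"username": "bwong", "role": ["staff"]},
    ]
    for s in samples:
        print(s["username"], authorize(s))
```

Every sample user here has authenticated successfully; only the first is authorized, and a missing attribute results in denial rather than access.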