SSL certificates for web servers, services, and clients.
Certificate Services allow you to obtain X.509 certificates that may be installed on servers or clients to provide authentication and encryption. SSL/TLS server certificates let clients verify the identity of the server, after which server and client establish an encrypted channel using SSL/TLS. Client certificates enable computers and processes to authenticate to Web services, directories, and other services that require client certificate authentication.
Certificate Services options include:
InCommon Certificate Authority (InCommon CA) - Provides commercial-grade SSL server certificates trusted by all modern browsers. Certificates are available for all hostnames under washington.edu and uw.edu (i.e., *.washington.edu and *.uw.edu). Other DNS domains owned by UW departments may be added to the service upon request.
UW Services Certificate Authority (UW CA) - Provides SSL server certificates and client certificates. SSL server certificates issued by the UW CA are not trusted by default in any browser; a client that needs to trust them must have the UW CA root certificate installed explicitly. Client certificates issued by the UW CA are required for authentication to many UW Web services and directories.
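The practical difference between the two CAs is whether the client already holds the issuing root. The following is an added example, not part of the UW service catalog or of either CA's tooling: it builds a throwaway private CA (standing in for a CA that browsers do not ship with), issues a server certificate for a made-up host, and shows that openssl verify rejects that certificate against the default trust store but accepts it once the CA root is supplied. The CA name, host name and file names are all assumptions.

```shell
#!/bin/sh
# Added example (not the service catalog's own code): demonstrate that a
# certificate from a private CA verifies only when the client is given that
# CA's root certificate. CA name, host name and file names are made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Constructed private CA, standing in for a CA that clients do not trust by default.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# Server key and CSR for a hypothetical host, then sign the CSR with the private CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=svc.example.invalid" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -sha256 -days 1 -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt >/dev/null 2>&1

# verify_with BUNDLE: exit 0 if server.crt chains to a root in BUNDLE, 1 otherwise.
# verify_with "" checks against the system default trust store only.
verify_with() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
  else
    openssl verify server.crt >/dev/null 2>&1
  fi
}

# Default trust store: the private CA is unknown there, so verification fails.
if verify_with ""; then default_result=trusted; else default_result=untrusted; fi
# Explicit trust anchor: the same certificate now verifies.
if verify_with ca.crt; then explicit_result=trusted; else explicit_result=untrusted; fi

echo "default trust store:    $default_result"
echo "with CA root supplied:  $explicit_result"
```

The same distinction applies to any TLS client library: a certificate from a publicly trusted CA such as InCommon verifies with the platform's default store, while one from a private CA requires that CA's root to be added to the client's trust configuration (for example via -CAfile above, or the equivalent CA-bundle setting in the client).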
Verify the identity of a person, computer, or application
Authentication allows you to establish the identity and authenticity of a person, computer, or application. Authentication often involves verifying something the user knows (e.g., a UW NetID and password) or something the user has (e.g., a security token or private key).
UW Information Technology supports several enterprise authentication services to help you enable secure access to Web sites, online information, desktop computers, walk-in labs, and other resources, while adhering to UW information security policies.
Authentication service options include:
Kerberos - Provides UW NetID authentication using the Kerberos network authentication system; also known as the "u.washington.edu" Kerberos realm.
Web Authentication Services - Provides UW NetID authentication and single sign-on (SSO) to participating Web sites; provides a trusted Web site (weblogin.washington.edu) for entering and verifying user credentials, so that credentials are entered there rather than at each participating site; supports "federation" via InCommon and SAML protocols; software options include Pubcookie and Shibboleth (preferred) for Apache and Microsoft IIS Web servers.
Token Authentication Service - Provides multi-factor authentication using Entrust tokens as a second authentication factor for access to more sensitive UW applications.
UW Windows Infrastructure - Provides an Active Directory forest for Kerberos and NTLM authentication for all UW NetIDs; also known as the "netid.washington.edu" Kerberos realm.
The UW Windows Infrastructure (UWWI) is a set of infrastructure capabilities enabling Microsoft technologies. In many cases, the infrastructure capabilities meet business needs regardless of the client platform or technology.
NETID Domain service. Provides Active Directory Domain Services with integrated UW NetIDs and Groups service groups.
Domain trusts. UW organizations with an existing domain can request a one-way incoming trust to leverage the authentication, authorization, and directory services provided.
Delegated OUs. UW organizations can manage and join their computers to the NETID domain service. They retain autonomy and avoid the cost of running their own Windows domain.
Name resolution services.
Netbios name resolution via WINS. Available to anyone on campus.
Dynamic DNS (DDNS) zone services. Available to Delegated OU customers only. No reverse DNS capability.
Microsoft license activation. Provides Microsoft product activation service via a Microsoft Key Management Server (KMS) tied to the campus agreement.
LDAP-based authentication, authorization, and directory services for application integration (this capability is available, but in containment).
Federated authentication. ADFS provides logon tokens for Microsoft-centric applications that can cross enterprise boundaries. We run this capability in partnership with the Authentication service.
Azure Active Directory. This component provides multiple capabilities based on emerging technologies and has likely changed in significant ways since this was written. Among the capabilities are:
OpenID/OAuth2/SAML/WS-Federation based authentication
SaaS application portal with tightly integrated authentication
The services entitled Authentication, Access Management, Directory Services, UW NetID, and Campus DNS all have overlapping capabilities with this service. In some cases, there is tight integration with those other infrastructure services.
UW faculty, UW staff, UW students, Anyone with a UW NetID
2/25/13: Removed UW Windows Forest option from Service Options section as it is being removed as an available option for customers. See RT 1781829 for full details.
07/01/14: Updated as per Brian's RT ticket (2266496) for annual service catalog audit -MM
Access well-managed identity information based on UW NetIDs
Enterprise Directory Services (EDS) offer high-availability, read-only access to well-managed identity information based on UW NetIDs. These services provide user profile information, via standard protocols, including basic identification, group memberships, and affiliation data compiled from UW systems of record (e.g., HEPPS, SDB, Advance, Person Registry).
Enterprise Directory Services options include:
UWWI Active Directory - Provides LDAP directory services including user accounts for all UW NetIDs and group data from the UW Groups service; part of UW Windows Infrastructure (UWWI), this service is particularly relevant to customers seeking integration with the Windows platform.
Person Directory Service - Provides LDAP access to common UW identifiers and affiliation data for all UW members and affiliates; additional contact data is available for employees, students, and alumni; data is searchable by official UW identifiers (e.g., UW NetID, UW Registry ID, Student ID, Employee ID).
Groups Directory Service - Provides LDAP access to group data managed in the UW Groups service.
Manage groups, authorizations, and access to resources and applications
Access management allows you to manage, control, and audit access to online data, resources, and applications. It involves managing privileges, group memberships, and service subscriptions. Access management allows you to manage risk and to comply with governing policies. In some cases you can also delegate management authority to others.
UW Information Technology supports enterprise access management through:
ASTRA (Access to Systems Tools Resources and Applications)
UW Groups service
UW Subscriptions (Uniform Access) service
Access management service options include:
ASTRA - Provides enterprise authority management and privilege management services; UW 'delegators' and 'authorizers' use the ASTRA Web site to manage the authority and assign authorizations; consuming applications use the ASTRA Web service to obtain the authorizations assigned to a specific user (UW NetID) or application.
UW Groups service - Provides enterprise group management for access control, collaboration, and messaging; it supports group usage throughout the UW by making it easier to identify, define, and reuse groups in many systems and applications; group memberships may consist of UW NetIDs, federated IDs, DNS names, and other UW Group IDs.
UW Subscriptions (Uniform Access) service - Provides access to many central UW computing services such as UW Email, Web Publishing, Odegaard Learning Commons, UW Libraries off-campus proxy; enables provisioning and de-provisioning of access based on UW NetIDs and university affiliations (e.g., student, employee, alumni); supports UW NetID service activation and deactivation of services.