Authentication & Authorization

MSU Identifiers

MSU NetIDs are assigned to all current faculty, staff, students, and retirees. The NetID personal identifier is a unique alphanumeric identifier auto-generated from the user’s name and serves as the login to many university computing and networking services. MSU uses several services for identity management.

MSU Guest Account (formerly Community ID) grants limited access to web-based MSU services for users not affiliated with MSU directly. Users typically include members of the general public who sign up for non-credit courses, distance learners, and parents, guardians, and others invited by a student to access their information (such as MSU financial systems). Learn how to create a Guest Account or reset your Guest Account password.

Access Requests

It is possible to gain access to data from many of the business systems at MSU. Assistance is available to determine what data you need and the steps necessary to access it. Learn more about Access Requests and Access Request Memorandum forms.

Authentication Systems

Kerberos

MSU IT provides Kerberos as a central authentication service option. Kerberos provides the back end authentication piece for applications using Shibboleth. Kerberos may also be an option for those needing an authentication service if their application supports Kerberos out of the box.

Kerberos includes file-less configuration using DNS and account locking for invalid password attempts.

OAuth 2.0

OAuth 2.0 is a protocol enabling applications to authenticate users, as well as provide authorization to access certain details or attributes of the user, all without your application receiving the user’s password.

OAuth requires no client software to be installed for your application to use it and as a protocol it is programming language agnostic. Additionally, by using standard HTTP GET and POST requests, applications are not required to install any additional software to make use of it.

OAuth is available to all MSU developers, units, departments, and colleges.

OAuth is able to:

  • Authenticate both MSU NetID and Community ID authentication.
  • Obtain information about a user, such as name, email, MSU NetID, and UUID.
  • Offer an industry standard method of authentication that is clientless and is not proprietary to a specific programming language
  • Provide authentication that is commonly used in open-source applications.
  • Provide secure access to data shared at MSU or across institutions.

How OAuth 2.0 Works

  1. Your application redirects users to the MSU OAuth provider.
  2. The user provides their MSU NetID and password directly to the provider.
  3. The provider redirects the user back to your application with a temporary code.
  4. Your application uses the temporary code to request an authorization token from the provider.
  5. The provider returns an authorization token that represents the user’s authorization to access the information.
  6. Your application uses the authorization token to request the user’s information from the provider.

Setup details are available in the OAuth article.

Sentinel

Sentinel provides a secure, reliable web authentication service for web applications. Available in most web environments, Sentinel provides encrypted sign-on using MSU NetID and password information, as well as a Single Sign-On capability with other Sentinel applications.

Use of Sentinel is available to MSU units at no cost. Clients are provided a Sentinel installation kit and guide and assistance is provided during installation.

Sentinel can:

  • Provide customer-developed applications running on the client’s server with an encrypted sign-on that uses MSU NetID and password.
  • Grant application access to defined groups of well-known users as well as customized groups.
  • Provide authorized web applications with other identity information about logged-in users (e.g., APID, ZPID, UUID).
  • Provide single sign-on capability with other Sentinel applications.
  • Offer a customizable login page.
  • Provide two-factor authentication.

How Sentinel Works

The Sentinel software consists of the client part and server part. The client application directs the user to the Sentinel login page, where the Sentinel Server piece validates the user login, stores the identity of the user, and redirects the browser back to the Sentinel client software. The client software then validates that the user was authenticated, requests any identity data, stores session variables, and then redirects the browser to the web application.

Shibboleth

Shibboleth provides secure, federated authentication for systems or services needing to limit access to information. It is a standards-based, open source software package for web single sign-on across or within an MSU organization.

This software allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Shibboleth is able to:

  • Provide secure access to data shared at MSU or across institutions.
  • Integrate with Sentinel for broad Single Sign-On capability.
  • Limit access by certain attributes or identity characteristics.
  • Support both MSU NetID and Community ID authentication.

How Shibboleth Works

The Shibboleth software consists of two parts: Identity Provider (IdP) and Service Provider (SP).

When a user logs into an application, the SP sends that information to the user’s home IdP, which is authoritative for the user’s data. After the IdP authenticates the user, it sends any requested attributes (such as if the user is faculty or a student) back to the SP.

The SP analyzes those attributes against what is required and if the user has the proper credentials, they are able to access the application. Read setup instructions in the Setting up and Requesting the Shibboleth Service article.

Two-factor Authentication

Two-factor authentication pairs something an individual has (e.g., a security credential) with something they know (e.g., a password). If one of these two items is lost, stolen, or otherwise compromised, another person is unable to access your information. Two-factor authentication is a much stronger method over a user name and password alone. It provides added protection for both individuals and the MSU community.