Suggested RFP Language

If you are purchasing a third-party application that will integrate with CalNet for user authentication, include the following language in the RFP or any other requirements document you send to the vendor:

For access control, new campus enterprise systems must integrate with the University's CalNet system for identity and access management. Your application must use one of the supported authentication technologies listed below:

  • OpenID Connect (OIDC) SSO

    • PKCE (Proof Key for Code Exchange) is mandatory for all OAuth 2.0 implementations using Authorization Code Flow

    • Implicit Flow and Hybrid Flow are not supported

  • SAML 2.0 SSO federation

    • Systems should integrate with InCommon Federation using SAML 2.0, consuming metadata via the MDQ Service, supporting REFEDS MFA Profile for signaling authentication assurance, and implementing Baseline Expectations (BE2) requirements

    • Service providers (SPs) that are not registered with InCommon must instead publish their SAML metadata at a publicly accessible URL and rotate their signing and encryption certificates on a regular schedule, updating the published metadata when they do

  • Native Kerberos

    • Use AES encryption types with keys of at least 128 bits

  • SPNEGO/Kerberos for browsers (HTTP Negotiate)

    • Discouraged in favor of OIDC or SAML 2.0, both of which include MFA

    • Should not be used for public-facing web sites

    • Requires a separate MFA integration

  • GSSAPI with Kerberos

  • Microsoft SSPI (Active Directory)

    • Kerberos SSP and Negotiate SSP recommended

    • NTLM SSP is deprecated and must not be used

  • Certificate-based authentication using Microsoft Server PKI (CalNetPKI)

  • Regardless of the technology chosen, simple (non-SASL) LDAP binds to Active Directory over an unencrypted connection are prohibited for authentication

In your response, describe how your solution would interface with this infrastructure.
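The PKCE requirement in the OIDC item above is the one a vendor is most likely to get wrong, so here is what it means in practice, as an added example that is not CalNet's or any vendor's code. The client derives an S256 code_challenge from a random code_verifier, the authorization server binds the challenge to the code it issues, and the token endpoint refuses the code unless the presented verifier hashes back to that challenge. The AuthorizationServer class is an assumed in-memory stand-in for a real IdP and models only the PKCE-relevant parts of the Authorization Code Flow; the random values are generated at run time.

```python
"""PKCE (RFC 7636) end to end, client and server side.
Added illustration; the AuthorizationServer class is an assumed stand-in for a
real identity provider and covers only the PKCE check, not the rest of OIDC."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# RFC 7636 section 4.1: a verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes give the 43-char minimum, 96 the 128-char maximum."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Assumed minimal IdP: binds a challenge to each code and checks it on redemption."""

    def __init__(self) -> None:
        # code -> (code_challenge, code_challenge_method); every code is single-use.
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, code_challenge: Optional[str], method: Optional[str]) -> str:
        """Authorization endpoint: PKCE is mandatory, and only S256 is accepted ('plain' is refused)."""
        if not code_challenge or method != "S256":
            raise ValueError("invalid_request: code_challenge with code_challenge_method=S256 is required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        """Token endpoint: True only if the verifier hashes to the challenge bound to this code."""
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed at most once
        if entry is None or code_verifier is None:
            return False
        if not _VERIFIER_RE.match(code_verifier):
            return False
        stored_challenge, _ = entry
        return hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge)


def rejects_plain() -> bool:
    """True if the server refuses the 'plain' method, which exposes the verifier in the redirect."""
    try:
        AuthorizationServer().authorize(make_code_verifier(), "plain")
    except ValueError:
        return True
    return False


def run_exchange() -> Dict[str, bool]:
    """One legitimate exchange, a replay of the used code, and a stolen-code attempt."""
    idp = AuthorizationServer()
    # Exchange 1: the real client redeems its code, then the same code is replayed.
    v1 = make_code_verifier()
    c1 = idp.authorize(make_code_challenge(v1), "S256")
    legit = idp.token(c1, v1)
    replay = idp.token(c1, v1)
    # Exchange 2: an attacker who intercepted the redirect holds the code but not the verifier.
    v2 = make_code_verifier()
    c2 = idp.authorize(make_code_challenge(v2), "S256")
    stolen = idp.token(c2, make_code_verifier())
    return {"legit": legit, "replay": replay, "stolen": stolen}


if __name__ == "__main__":
    print(run_exchange(), "plain rejected:", rejects_plain())
```

The stolen-code case is the attack PKCE exists to stop: an authorization code leaked through a redirect or browser history is worthless without the verifier, which never leaves the client until the back-channel token request. Refusing `plain` matters because that method sends the verifier itself as the challenge, so the same interception defeats it.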

For more information on the CalNet authentication and authorization infrastructure, see CalNet for Technologists.