Description

UTORauth was created with the intent of centralizing much of the identification information around campus and providing a middleware layer for applications to make use of the information. There are three main services:

Identification (Who are you?)

At the heart of UTORauth is the idea that each person with a relationship to UofT should have a single unique identifier regardless of their affiliations as staff, faculty, students, etc. Although each of the varied sectors of UofT has its own “unique” identifier — be it student number, employee number, or whatever — intercommunication between computer systems is almost entirely prohibited by the lack of a central standard.

UTORauth collects data from authoritative sources around campus including ROSI, HRIS, the Library, and a number of additional sources, referred to as “others”. Records from all these systems are carefully compared with each other to create a mapping of which persons appear in which systems (or multiple times in a single system!). Then, each person is issued a UTID: a 10-digit unique identification number that will be the basis for communication between information systems. Under this UTID, all the roles that the person assumes on campus are gathered.

This UTID is not known by the person like the student number or barcode is; instead it is used purely for communication between computer systems on campus. Once the person has been assigned a UTID, UTORauth uses it as the basis for generation of other UofT identifiers such as the UTORid and library barcode.
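As an added illustration of the record-matching and UTID-issuance step described above (example code written for this page, not UTORauth's own implementation or matching rules; the sample records, the name-and-birthdate match key and the starting UTID value are assumptions):

```python
from collections import defaultdict
from itertools import count

# Constructed sample records from the source systems the page names (ROSI, HRIS,
# Library). Field names, ids and the matching rule are assumptions for this example.
RECORDS = [
    {"source": "ROSI", "id": "S-1001", "name": "Ada Lovelace", "dob": "1815-12-10", "role": "student"},
    {"source": "HRIS", "id": "E-778", "name": "ada lovelace", "dob": "1815-12-10", "role": "staff"},
    {"source": "Library", "id": "B-5590", "name": "Ada  Lovelace", "dob": "1815-12-10", "role": "patron"},
    {"source": "ROSI", "id": "S-2001", "name": "Alan Turing", "dob": "1912-06-23", "role": "student"},
    {"source": "ROSI", "id": "S-2002", "name": "Alan M. Turing", "dob": "1912-06-23", "role": "student"},
    {"source": "HRIS", "id": "E-102", "name": "Grace Hopper", "dob": "1906-12-09", "role": "faculty"},
]

def match_key(rec):
    """Normalize a record to (first, last, dob); case, spacing and middle initials are ignored."""
    parts = [p for p in rec["name"].lower().replace(".", "").split() if len(p) > 1]
    return (parts[0], parts[-1], rec["dob"])

def reconcile(records, first_utid=1000000000):
    """Group records that describe one person, issue a 10-digit UTID per group and
    gather every role and source-system id under it. Returns (persons, index)."""
    groups = defaultdict(list)
    for rec in records:
        groups[match_key(rec)].append(rec)
    utid_seq = count(first_utid)
    persons, index = {}, {}  # UTID -> profile; (source, id) -> UTID
    for key in sorted(groups):  # deterministic issuance order for the example
        utid = f"{next(utid_seq):010d}"
        sources, roles = defaultdict(list), set()
        for rec in groups[key]:
            sources[rec["source"]].append(rec["id"])
            roles.add(rec["role"])
            index[(rec["source"], rec["id"])] = utid
        persons[utid] = {"roles": roles, "sources": dict(sources)}
    return persons, index

def duplicates_within_source(persons):
    """Report UTIDs that matched more than one record inside a single source system."""
    return {utid: {src: ids for src, ids in p["sources"].items() if len(ids) > 1}
            for utid, p in persons.items()
            if any(len(ids) > 1 for ids in p["sources"].values())}

if __name__ == "__main__":
    people, idx = reconcile(RECORDS)
    for utid, profile in people.items():
        print(utid, sorted(profile["roles"]), profile["sources"])
    print("duplicates within one source:", duplicates_within_source(people))
```

The duplicate report is the check an operator would want before trusting the UTID as a join key: two ROSI records collapsing onto one UTID is either a genuine double entry or an over-eager match rule.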

Authentication (How do we know that?)

Once a person’s identity has been firmly established under the UTID, that person needs a method of proving to a computer system (for example, the PAF) that they are who they claim to be. Authentication to UTORauth is done via the UTORid, which is UofT’s primary network identifier.

The UTORauth authentication system is based on Kerberos, a stable and reliable authentication technology out of MIT (1988). This technology utilizes strong cryptography to make sure that passwords remain a secret even on an insecure network. The Kerberos credentials are based on a principal login ID (the UTORid) and a corresponding password. Since many services require authentication through a web browser, Weblogin has been made available as the standard web authentication application for UofT.

Authorization (What would you like to do?)

Otherwise known as UTORable, the authorization part of UTORauth provides a central directory of information about UofT persons. This directory will be queried by services. Once an end-user has authenticated themselves to a service and that service believes that they are who they say they are, the service asks UTORable what qualifications the user has at the university: is she a student, a staff member, etc.? Given that information, the service can then make an intelligent decision on what rights the user has on its system.

The UTORable directory (which is implemented with LDAP) is available only to registered services, and access levels are granted on the basis of the service’s requirements. The same data is also available in a more complete form through a batch (FTP/SSH) process.

last updated 2006/07/05 15:07:02: v. 1.6