The University provides several online resources to you as a member of the UChicago community. In order to make logging into these resources safe, efficient, and consistent across the uchicago.edu domains, IT Services provides various methods of authentication. Authentication simply means that you have to prove your identity when you log in to an online resource such as a website or online application. UChicago uses the CNetID or UCMEDID (hospital account identifier) along with a password for authentication. This article provides information on all of the CNetID authentication methods, highlights some of the distinct properties of each service, and directs you to where you can get onboarding support.
There are three different authentication services provided to IT groups and vendors who provide online services to the University community: Okta, Shibboleth (now deprecated), LDAP, and Active Directory (AD). Each of these has a best use case. For example, vendors who provide external online applications to UChicago must use Okta (single sign-on) for authentication. Additional information on these services is provided in the table below.
Note: Most resources that use CNetID authentication services accept the UCHADID for authentication, except services, such as cVPN, for which Hospital employees are not eligible. Individuals who have both a CNetID and a UCMEDID account must use their CNetID and not their UCMEDID for authentication to all University-side services.
Authentication Service | Platform Support | Application Support | Single Sign-On | Attributes | Off Campus |
Okta | Apache, IIS, application servers such as Tomcat, some grid technologies, commercial security suites such as RSA Federated Identity Manager | Web applications that rely on their application server or web server to provide authentication service | Yes, across web applications | Yes, enterprise attributes | Yes, best option for vendor applications especially ASPs |
LDAP | Apache, most application servers, most operating systems | Often available as an alternative to internal authentication | No | Yes, enterprise attributes | No |
Active Directory (UCAD) | IIS, .NET | Windows integrated services | Yes, within UCAD | Yes, but application specific | No |
The Platform Support column lists popular platform technologies that can provide authentication services to the applications they host.
The Application Support column gives a hint about which types of applications can use the authentication service. Of course, you must always double-check in each particular case.
Single sign-on (SSO) means that once you have authenticated, you won't be asked to do it again when you access other applications in the uchicago.edu domain, unless an application has specifically been set up to require it. Authentication services that are not SSO expose plaintext CNetID passwords to applications, raising concern about the operating practices surrounding the application. All else being equal, you should choose an SSO authentication service.
The Attributes column indicates if attributes about the user are available to the application in addition to a simple thumbs up or down for authentication.
The Off Campus column indicates whether the authentication service is available for use with applications hosted outside of the campus network.
Note: Web applications that rely on their web or application servers to provide authentication services are preferred over forms-based authentication provided within the application. This is true because: 1) these applications can be integrated with an SSO authentication service, making them easier for users and more secure because plaintext passwords are not exposed; and 2) separating authentication from the application allows IT Services to update its authentication services without any impact to the application.
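To illustrate the note above, here is an added example (not code from IT Services or any UChicago system) of a Python WSGI application that leaves authentication to its web server: it has no login form, never receives a password, and trusts only the identity the server places in REMOTE_USER. The attribute variable name SSO_AFFILIATION and the helper names are assumptions made for the example; the actual variable names depend on how the server's SSO module is configured.

```python
# Added example: an application that delegates authentication to its web server.
# SSO_AFFILIATION is a hypothetical variable name; the sample requests are constructed.
ATTR_VAR = "SSO_AFFILIATION"


def current_user(environ):
    """Return the identity the web server authenticated, or None.

    Only the CGI variable REMOTE_USER is trusted: the server sets it after
    its authentication module has accepted the request. Headers sent by the
    client arrive under HTTP_* keys (a "Remote-User" header would become
    HTTP_REMOTE_USER) and are never consulted.
    """
    user = environ.get("REMOTE_USER", "").strip()
    return user or None


def app(environ, start_response):
    user = current_user(environ)
    if user is None:
        # No login form and no password check here: a request the server
        # did not authenticate is refused instead of prompting for credentials.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authentication is handled by the web server\n"]
    # Attributes released by the authentication service, if any.
    affiliation = environ.get(ATTR_VAR, "unknown")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user} ({affiliation})\n".encode()]


def call(environ):
    """Invoke the app with a constructed environ and return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    print(call({"REMOTE_USER": "jdoe", ATTR_VAR: "staff"}))  # set by the server
    print(call({"HTTP_REMOTE_USER": "jdoe"}))                # set by the client
```

Because the application only reads what the server hands it, the authentication service behind the server can change without touching the application code.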
If you're unsure of how or how well your application may integrate with any of these authentication services, please contact your local IT support team.