4.2.5 Authentication Process

The following management assertions cover the Authentication Process.


4.2.5.1 - Resist Replay Attack

The Shibboleth authentication system includes countermeasures such as cookies and time-based authenticators to prevent replay attacks. In addition, the tickets it issues are stored to ensure one-time use, and a ticket is no longer valid once it has been verified.
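To make the one-time, time-limited ticket check concrete, here is a small added example (it is not Shibboleth or CAS code; the ticket format, the 60-second lifetime and the in-memory store are assumptions for illustration). A ticket carries an issue timestamp and an HMAC; validation checks the MAC, removes the ticket from the store so a replay fails, and rejects tickets older than the lifetime.

```python
import base64
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # IdP signing key (constructed for this example)
TICKET_TTL = 60          # assumed ticket lifetime in seconds


class TicketStore:
    """Issues single-use, time-bound tickets and validates them once."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.outstanding = {}  # ticket id -> issue time (unconsumed tickets only)

    def _mac(self, tid: str, issued: int) -> str:
        return hmac.new(SECRET, f"{tid}.{issued}".encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        tid = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
        issued = int(self.clock())
        self.outstanding[tid] = issued
        return f"{tid}.{issued}.{self._mac(tid, issued)}"

    def validate(self, ticket: str) -> bool:
        try:
            tid, issued_s, mac = ticket.split(".")
            issued = int(issued_s)
        except ValueError:
            return False  # malformed ticket
        # Constant-time comparison so the check does not leak MAC bytes via timing.
        if not hmac.compare_digest(mac, self._mac(tid, issued)):
            return False
        # One-time use: the ticket is removed whether or not it is still fresh,
        # so presenting it a second time always fails.
        if self.outstanding.pop(tid, None) != issued:
            return False
        return self.clock() - issued <= TICKET_TTL


def demo():
    """Returns (first use, replay, expired, tampered) outcomes with a fake clock."""
    now = [1_000_000]
    store = TicketStore(clock=lambda: now[0])
    t = store.issue()
    first, replay = store.validate(t), store.validate(t)
    t2 = store.issue()
    now[0] += TICKET_TTL + 1
    expired = store.validate(t2)
    t3 = store.issue()
    tampered = store.validate(t3[:-1] + ("0" if t3[-1] != "0" else "1"))
    return first, replay, expired, tampered
```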


4.2.5.2 - Resist Eavesdropper Attack

The Shibboleth, CAS, and LDAP servers require secure communication between the client and the login servers. Binds to the LDAP server must use SSL/TLS.


4.2.5.3 - Secure Communication

Management asserts that all communication between the Subject and the IdP (shib.unl.edu/idm-l1.unl.edu & login.unl.edu) is over a secure communication channel using HTTPS with AES 128-bit or stronger encryption.

[Screenshot: management assertion]

4.2.5.4 - Proof of Possession

When authenticating, the user enters their username and password, which are known only to them.


4.2.5.5 - Session Authentication

The Shibboleth IdP employs SSL encryption along with a secure cookie management strategy for session maintenance.


4.2.5.6 - Mitigate Risk of Credential Compromise

The Policy for Responsible Use of University Computers and Information Systems (Executive Memorandum No. 16) prohibits sharing passwords.

Included in the account claim email is the following text, which is also published on the "protect your identity" web page at http://its.unl.edu/protectyourself/.

"Protect your passwords and do NOT share them with anyone. Sharing account information with people you know or through social engineering are the most common reasons for identity theft. The university will NEVER ask you for your passwords. If you fear an account may be compromised, change the password or contact the Help Center immediately. (Your university password can be reset at the password reset website https://trueyou.nebraska.edu/)."

We also publish a page with recommendations on how to choose a strong password.