EPPN Authorization Gives Non-Emory people access to Emory's Applications

September 21, 2011

A new service has recently been put into production on the Emory OIT Enterprise Service Bus (ESB) that provides a way to authorize access by non-Emory people to Emory-created applications. Such applications use the Emory Login Service powered by Shibboleth, which allows people in participating organizations outside Emory to login to Emory applications at their home organization using the login ID and password they usually use there.

The application receives the identity of the user in a form called the EduPersonPrincipalName (EPPN) that typically contains the login ID and identification of the organization separated by an @-sign. For example, a researcher with login id jdoe at Georgia Institute of Technology would have an EPPN of jdoe@gatech.edu.

By using an authorization service for access control in all new applications and web services, this approach frees developers from having to create access control lists (ACL) for every application. With an authorization service, there can be just one place to store the ACLs and one application to manage them.

The EPPN Authorization Service is currently in production use by an application called RAPID that was developed by Emory's Research & Health Sciences IT (R&HS IT) and the Atlanta Clinical & Translational Science Institute (ACTSI). It is expected that additional applications will need to be developed to authorize people outside of Emory and will use Shibboleth and the EPPN Authorization Service. In addition, OIT Architecture has a number of web services in development that will use this service.

For additional information on this or any other Emory OIT service, please contact the
University Service Desk at 404-727-7777, Monday - Friday 7 am - 6 pm.