Skip to content Skip to main navigation Report an accessibility issue
Accounts & Access Management

Authentication and Authorization Protocols

OIT supports authentication and authorization using the NetID and NetID password via the following protocols:

  • Central Authentication Service (CAS)
  • Shibboleth
  • LDAP
  • Active Directory


CAS is a web-based single sign-on protocol which uses the statewide LDAP directory system as its authentication and authorization data base. After a successful authentication, CAS uses SAML to return authorization information such as affiliation (student, faculty) or identifiers such as the tnUniqueID that may be used by the application to determine whether the user should have access to the service and to match the user to existing accounts within the application.


Shibboleth is a single sign-on technology that supports both federated access to Internet-based services as well as access to local applications using the statewide LDAP directory as its authentication and authorization database. UT is a member of both the Incommon and the Edugain federations. Shibboleth provides the option of limiting access to an application based on defined authorization attributes such as affiliation or campus. It can also return authorization information to the application using SAML.


If an application cannot support CAS or Shibboleth, authentication using LDAP is available. Note that authorization options may be limited when using LDAP unless the application is written to retrieve authorization attributes at the time of authentication.

Active Directory

Active Directory is a Microsoft-developed directory service used by Windows servers, workstations and other devices. Active Directory has limited access to authorization information, but does provide user-manageable security groups for authorizing access to services.