Before an application can use WebAuth, its application server must be registered with Information Technology. Providers accept responsibility for that server as a first point of network exposure and must inform themselves about the precautions and protections it requires. In particular, developers of WebAuth-enabled applications must adhere to University policies and to the WebAuth standards and implementation practices listed below:
- Providers must register their single sign-on service with Information Technology using the WebAuth V2.0 Registration site.
- Providers must serve their web application over HTTPS only.
- Providers must submit user authentication by a form POST directly to weblogin.asu.edu. The form data (the user's credentials) must not pass through any other server, including the provider's own application server.
- The application must provide single sign-off that destroys the authentication credential.
- Providers must comply with the ASU Graphic Standards Manual available from the Web Advisory Group (WAG).
- Attempting to misrepresent an officially endorsed authentication site or its components, including icons and logos, or reverse engineering an official authentication mechanism in order to create an unofficial authentication service, is strictly forbidden.
- The generic ASURITE login page is an excellent option for most service providers. You can view the current version of the page at https://weblogin.asu.edu/cgi-bin/login. Its look and feel is similar to the myASU login page and to the centrally maintained credit card information page. This familiarity gives the user visual reassurance that they are on the expected sign-on page, and it provides a clear threshold for copyright violation if any party outside ASU chooses to emulate the sign-on page.
- Providers must adhere to ASU University policies. For related information about computer and electronic communications, see the Academic Affairs Manual, ACD 125, "Computer, Internet, and Electronic Communications".
- Passwords may not be requested by means other than ASU officially endorsed authentication mechanisms.
- User identity information may be used only for the official purposes of authentication and authorization.
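A small audit script, added here as an illustration and not part of ASU's WebAuth documentation or code, that checks a provider's login page against the three technical rules above (HTTPS, form POST, and a form action that goes directly to weblogin.asu.edu). It assumes those rules reduce to the page scheme and form attributes it inspects; the form action URL, the field names and the sample pages are constructed for the example and are not taken from any real ASU markup.

```javascript
// Added example (not ASU code): audit a provider's login page against the
// WebAuth rules above. Assumptions: the rules reduce to (1) the page is served
// over https, (2) every form that collects a password uses method POST, and
// (3) its action is an https URL whose host is weblogin.asu.edu, so the
// credentials never touch another server. Sample HTML below is constructed.

const SSO_HOST = "weblogin.asu.edu";

// Extract each <form ...>...</form> with its attributes and whether it holds a
// password field. A regex scan is enough for an audit; it is not an HTML parser.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = {};
    for (const a of m[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(m[2]);
    forms.push({ attrs, hasPassword });
  }
  return forms;
}

// Return a list of policy findings for the page; an empty list means compliant.
function auditLoginPage(pageUrl, html) {
  const findings = [];
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    findings.push(`page ${page.href} is not served over https`);
  }

  const credentialForms = extractForms(html).filter((f) => f.hasPassword);
  if (credentialForms.length === 0) {
    findings.push("no form on the page collects a password");
  }

  for (const f of credentialForms) {
    // A missing or relative action resolves against the page itself, i.e. the
    // credentials would be posted to the application server, not the SSO host.
    let action;
    try {
      action = new URL(f.attrs.action ?? "", pageUrl);
    } catch {
      findings.push(`form action ${JSON.stringify(f.attrs.action)} is not a valid URL`);
      continue;
    }
    if (action.protocol !== "https:") {
      findings.push(`form action ${action.href} is not https`);
    }
    if (action.hostname !== SSO_HOST) {
      findings.push(`form action ${action.href} is not on ${SSO_HOST}: credentials would pass through another server`);
    }
    if ((f.attrs.method ?? "get").toLowerCase() !== "post") {
      findings.push(`form method is ${f.attrs.method ?? "GET (default)"}, not POST`);
    }
  }
  return findings;
}

// Constructed sample page: posts straight to the login URL cited in the text.
const COMPLIANT_HTML = `
<form method="post" action="https://weblogin.asu.edu/cgi-bin/login">
  <input name="username"><input type="password" name="password">
</form>`;

// Constructed non-compliant page: a relative GET action, so the provider's own
// server would receive the password (and leak it into URLs and logs).
const PROXIED_HTML = `
<form method="get" action="/login">
  <input name="username"><input type="password" name="password">
</form>`;

console.log(auditLoginPage("https://app.example.edu/login", COMPLIANT_HTML)); // []
console.log(auditLoginPage("http://app.example.edu/login", PROXIED_HTML));    // 4 findings
```

Run it with Node against the HTML of your own login page (fetched over HTTPS, or saved from the browser) and treat any finding as a registration blocker; the relative-action case is the one most often introduced by frameworks that default a form's action to the current route.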
WebAuth best practices are outlined in the WebAuth v2.0 Authentication service documentation. The document details the methods for a safe and secure WebAuth implementation.