Authentication and Authorization
This article applies to: GuestIDs
Authentication
GuestIDs are stored in CornellAD, and all supported methods, such as NTLM v2.0 and Kerberos, can be used to authenticate against CornellAD.
Authorization
By default, a GuestID will not be in any groups (not even the default CornellAD groups) except for the OIT-IDM-Guests-ls group. An OU administrator must explicitly grant permissions for guests on any resources.
Administrators can use the global guest group or create their own groups and add guests. Once the groups are defined, administrators can use these groups via CUWebAuth or any other predefined means to grant authorization to their resources.
CUWebAuth
CUWebAuth can authenticate users in multiple realms, including Guests. It supports configuration parameters that specify which realms are permitted to authenticate at all; further authorization can then be performed based on which users from those realms will have access.
For technical details, see the CUWebAuth Confluence site.
CUWebLogin
CUWebLogin works with CUWebAuth to allow access to restricted web pages by presenting a secure web form that asks for a NetID or GuestID and associated password.