Cornell’s authentication infrastructure is remarkably stable. Logins work and community members give little thought to how it works under the hood unless a password expires or is compromised.
Yet behind that simplified exterior, the Identity & Access Management Team has quietly accomplished a rare milestone: retiring decades of technical debt while simultaneously modernizing the university’s core authentication systems with little or no visible disruption. Cornell has now retired three legacy systems, migrated hundreds of applications, and strategically established a foundation for a modernized authentication future. In the six-year transition, few community members even felt the shift.
That’s intentional. It’s worth celebrating the unsung heroes in the Identity & Access Management Team who worked tirelessly to orchestrate very complex changes with no disruption.
Starting Points
“When I joined Cornell in 2019, I walked into a landscape supported by five or six different authentication methods—each one built for a different era, each with its own dependencies, its own quirks, and its own loyal following,” said Robert Edamala, Chief Information Security Officer.
Those methods included Active Directory (AD), Active Directory Federation Services (ADFS), and Azure Authentication, now known as Entra ID. Before adopting the Microsoft solutions, Cornell had used MIT Kerberos as a back-end password store, built a local solution (CUWebAuth with its accompanying SideCar) for web single sign-on (SSO), and later adopted Shibboleth as a more standards-based solution for both intra- and inter-institution web SSO logins.
Decades of history and overlapping layers of solutions had produced a tangled environment whose technical debt was on a trajectory guaranteed to stifle the university's ability to modernize authentication, to uniformly and quickly implement protections such as two-factor authentication, and to adopt phishing-resistant technologies such as passkeys.
Retiring a Legend: CUWebAuth
CUWebAuth was the first legacy system slated for retirement. A Cornell original, it was one of the few web authentication implementations at the time. Its first iteration was redesigned and re-implemented around 2006 and that version continued running for almost two decades.
But by 2020, this type of functionality was available in a variety of standard technologies and protocols, and it no longer made a lot of sense to maintain an additional in-house solution.
The Identity & Access Management Team began the painstaking work of migrating several hundred applications to CUWebLogin (Shibboleth). Although CUWebAuth’s retirement was announced in 2021, two more years were required as previously unidentified apps and dependencies were discovered. As quietly as the work began, it concluded. There was no broad celebration when CUWebAuth was finally decommissioned around 2023.
“We probably should have marked the moment,” Edamala said. “That system served Cornell for years. Shutting it down quietly was both the right thing to do and emotionally harder than anyone realized.”
Closing the Kerberos Era
Kerberos was also broadly used as a Cornell authentication service, originally set up in the 1990s on two servers named Mutt and Jeff. When the final Kerberos decommissioning was completed in 2025, the retired system had served the institution for over 30 years, supported more than 630,000 authentication principals, and provided Single Sign-On (SSO) verification for over 8,000 web services—apparently without any major security or availability incidents, and with minimal operational overhead.
Kerberos had also supported CUWebAuth, the launch of NetIDs, and Linux authentication for research systems. Turning it off was the end of an era.
Farewell to Active Directory Federation Services (ADFS)
Cornell is currently in the process of decommissioning Active Directory Federation Services (ADFS), an on-premises Microsoft authentication layer supporting access to Microsoft 365 and other compatible services.
As Cornell continues its shift to a cloud-first strategy, university systems that rely on Microsoft authentication will transition to the Azure cloud identity platform, now called Entra ID.
ADFS is the third authentication method to be decommissioned as the Identity & Access Management Team reduces the university's technical debt in this area. Like CUWebAuth and Kerberos before it, the ADFS retirement is happening quietly.
Working Under the Radar—and Why That Matters
Retiring half of Cornell's authentication systems in just six years required a tremendous amount of work and collaboration by both CIT and divisional IT support teams.
During the 2020-2023 CUWebAuth retirement, department IT administrators migrated their units’ community members to Security Assertion Markup Language (SAML). At least one unit then migrated from Kerberos to Active Directory to complete that retirement.
Although most Cornell community members are unaware of the transitions, the teams supporting these systems recognized how the three solutions had reliably served the university for decades, making it difficult to cut them loose.
Edamala said, “Despite the cultural challenge of letting go, the overall change management on these critical systems has been done with such finesse that no one really understood or appreciated the amazing technical feat and hard work involved. Other than ordinary grumbles, there was not a single complaint. We practiced the Prosci ADKAR change management model and didn't know it.”
Cornell’s remaining solutions, CUWebLogin and Entra, will remain the primary authentication methods until they are replaced by a single One Cornell system.
Retiring three long-term authentication methods without any major disruptions to the campus was celebrated as quietly as the work had been completed.
The measure of the transformation’s success was silence.