User Authentication and Authorization via Web Single Sign-On


The Online Passport service is offered by Northwestern Information Technology (IT) to departments and schools who wish to restrict access to their websites or web-based applications. Authenticated protection can include an entire website or individual portions. Some URLs can be publicly open, while others can require membership in specific NetID groups. Access can also be limited to a group of NetIDs such as faculty, undergraduate students, or particular school students. Once authenticated through the Online Passport service, the user is not challenged for NetID/password when visiting other participating websites.


The AM system is comprised of the AM server and the AM Policy Agent.

  • The AM server. A pool of four servers across the Evanston and Chicago campuses that store URL policy information (who is permitted to access what) and provide the user interface for logging in.
  • The AM Policy Agent. This is a module that is loaded into your web or application server. The agent is responsible for intercepting all URL requests, determining whether the URLs are protected, verifying that the user has successfully authenticated, and enforcing any relevant access policies.

Single Sign-on process:

  1. A user requests a URL in the browser.
  2. The AM Policy Agent on the Web server intercepts the request and checks for the presence of the SSO (Single Sign-on) cookie.
  3. If the cookie is not present, the user is redirected to the AM server and asked to login.
  4. Upon successful login, the user is redirected back to the original URL.
  5. The Policy Agent again intercepts the request, verifies that the cookie is present and valid, optionally checks access control policies (see below), then passes the request on to the web server.

Access Control:

  1. Online Passport can restrict access to your web site (or portions thereof) to standard NetID groups. For example, access to "" might be allowed for any valid NetID, while "" might be restricted to Northwestern faculty.
  2. The authenticated user's NetID is provided to your web applications as an HTTP REMOTE_USER environment variable, so you can make fine-grained access control decisions, and/or use the NetID as a unique session identifier.


In order to use Online Passport SSO, you will need to formally request access for your application (NetID required). Please visit the Authentication and Authorization Services to request access. 

A special username and password will be issued to your application for use in contacting the Access Manager server to retrieve policy information and other configuration data. We will also retain contact information in order to inform you of upgrades, configuration changes, server maintenance, and other outages.



Article ID: 1912
Fri 7/29/22 8:22 AM
Wed 4/19/23 2:43 PM

Related Services / Offerings

Related Services / Offerings (2)

Northwestern offers many ways to help your IT system authenticate or authorize users. This includes Active Directory, LDAP, Single Sign-On (SSO), Multi-Factor Authentication (MFA), Shibboleth, SAML, and others.
Directory services help provide people and systems with the ability to look up information about people based on various criteria from things as simple as their name to their Northwestern school affiliation, degree programs, etc. Directory Services include the Northwestern online directory, the ADS Active Directory forest, the LDAP directory, and various others.