
Legacy Methods No Longer Supported (McAuth/LDAP)

McMaster University has started using SAML (Azure) and OAuth2/OIDC for web authentication in order to leverage modern security features such as multi-factor authentication (MFA). However, the legacy methods known as McAuth and LDAP are still maintained for authentication at the organization. A project to phase out these old methods is underway, and the expected outcome is to fully replace them with modern authentication methods. Owners of applications that continue using the legacy methods should begin preparations to move to one of the available modern methods in the near future. For campus servers and applications, migrating to a modern authentication method will involve adopting a specific method that suits the needs and environment of the application and, in some cases, some programmatic effort. If you manage IT resources related to authentication, you will be able to find information and links to technical documentation on this FAQ page.


McAuth

McAuth is a symmetric, in-house developed system originally conceived to provide simple authentication and authorization via PHP or Java. New integrations using this method are neither encouraged nor allowed. Applications or websites that use McAuth for authentication/authorization should start making preparations to move to one of the modern authentication methods available. Please read through this FAQ for information on conducting this migration.

LDAP

Authentication via LDAP to the Active Directory environment is still possible, but application or device owners should strongly consider moving to modern authentication to reduce risk and to be able to use the more advanced protection features available. Public-facing applications, devices or hosts are prime candidates to make the recommended switch. For more information about this, please read through this FAQ or contact the IT security team at “c-it-security@mcmaster.ca”.

Which websites and applications need to move to Modern Authentication?

University Technology Services will start contacting application owners around February 2022. If you administer a site that uses either McAuth or LDAP, you do not need to take any steps until UTS contacts you for planning.

How can I tell whether my website or application uses McAuth or LDAP?

Open a private browser window, then open your website or application in that window. Click on the link that allows for MacID login. A URL redirection to the authentication server should occur and the login screen should appear. Your site uses McAuth if the URL “https://cap.mcmaster.ca/mcauth/” appears in the browser’s address bar during authentication. For applications using LDAP, the browser will not display the address of the server performing the authentication. This setting is hidden in the code, so a developer, application owner or device owner should confirm which method is used.
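For the case where the setting is hidden in the code, a scan of the application's source tree can narrow down what to confirm with the developer. The following is an added example, not McMaster tooling: the McAuth URL is the one quoted above, while the LDAP patterns, the file suffixes and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# McAuth URL is the one quoted on this page. The LDAP patterns and the file
# suffixes are assumptions (common PHP/Java LDAP API names), not an official list.
INDICATORS = {
    "McAuth": [re.compile(r"cap\.mcmaster\.ca/mcauth", re.I)],
    "LDAP": [
        re.compile(r"\bldaps?://", re.I),                   # LDAP URIs in config
        re.compile(r"\bldap_(connect|bind)\s*\("),          # PHP ldap extension
        re.compile(r"javax\.naming\.ldap|LdapCtxFactory"),  # Java JNDI LDAP
    ],
}
SUFFIXES = {".php", ".java", ".jsp", ".properties", ".xml", ".ini", ".conf"}

def scan_tree(root):
    """Return {method: [(relative_path, line_number, line), ...]} for a source tree."""
    root = Path(root)
    hits = {method: [] for method in INDICATORS}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            for method, patterns in INDICATORS.items():
                if any(p.search(line) for p in patterns):
                    hits[method].append((path.relative_to(root).as_posix(), number, line.strip()))
    return hits

def write_sample_tree(root):
    """Constructed sample files (not real McMaster code) for a demo run."""
    samples = {
        "site/login.php": '<?php\n$login_url = "https://cap.mcmaster.ca/mcauth/";\n',
        "app/Directory.java": 'import javax.naming.ldap.LdapContext;\nString u = "ldaps://ad.example.invalid:636";\n',
        "site/index.php": "<?php\necho 'Signed in via SAML';\n",
    }
    for name, body in samples.items():
        target = Path(root, name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        for method, found in scan_tree(tmp).items():
            for rel, number, line in found:
                print(f"{method}: {rel}:{number}: {line}")
```

A hit is a lead to confirm with the application owner, not proof of the method in use; an empty result does not rule out LDAP configured outside the scanned files.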

How do I switch from legacy to modern authentication on my website or application?

All the authentication related web pages/scripts have to be disconnected from the old method and the integration components have to be removed or disabled. For information and instructions on how to adopt any of the modern authentication methods, see the resources here.

What happens if I am unable to migrate my website or application to modern authentication?

Unless you request a deadline extension, your website or application will be required to migrate within a reasonable amount of time. This applies primarily to applications using the legacy methods based on either McAuth or LDAP. For instructions on how to request an extension, see “What should I do if I can’t move my website or application to modern auth?” below.

How can I get help with the migration to modern authentication?

Review the resources for adoption of modern authentication here, join the Legacy Auth Migration Project, or submit a help request to get help from the IT Security team.

Are there any specific action items for McAuth migration?

  1. Notify the IT-Security team of your intention to proceed with a migration of your application.
  2. Take inventory of the application(s) in your environment currently using McAuth.
  3. Obtain the following information for each application: application name, URL, business/application owner, technical contact.
  4. Provide a list of the attributes/claims used by the application.
  5. Ask to be included in the Legacy Auth Migration Project.

What should I do if I cannot move my website or application to modern authentication?

First, decide whether your website or application needs to continue using authentication. If it does not, then take steps to remove/disconnect from either McAuth or LDAP. If your website or application does need to continue using authentication but you cannot migrate to modern authentication due to unforeseen reasons, deadline extensions are available on a case-by-case basis. During the extension time you will be required to look for alternatives in your application that allow for compatibility with one of the available modern methods. Submit a help request to discuss an extension with the IT-Security team. In the request, include the following information:

  • Application owner contact information
  • Local technical support contact information
  • URL of your website or application
  • Extension date that you want