Understanding UCLA Single Sign-On (SSO)

UCLA Single Sign-On (SSO) is a system that allows users to access multiple UCLA applications and services with one set of login credentials. This improves the user experience by reducing the need to remember multiple usernames and passwords. It also enhances security by providing a centralized authentication system.

The Essence of UCLA Extension

UCLA Extension is an academic division of UCLA, one of the ten campuses of the University of California. It is a teaching arm of the University, although its role as a leader in professional and continuing education is also widely viewed as an expression of UC's public service mission. It offers approximately 4,500 courses and programs each year, addressing the needs for professional advancement, career transition, practical skills training and the personal development of the individual student; and addresses the high-level training needs of various arts, service and manufacturing industries important to the local economy.

Principles of Governance

UCLA Extension’s Principles of Governance ensure its compatibility with campus services. The Extension Registrar publishes an internal academic and administrative calendar at least two years and as many as four years into the future that fully reconciles to the institutional calendar. This harmonizes with UCLA's allocation and use of resource such as classroom space and parking services.

Nondiscrimination Policy

The University of California, in accordance with applicable Federal and State law and University policy, does not discriminate on the basis of race, color, national origin, religion, sex, gender identity, pregnancy, physical or mental disability, medical condition, ancestry, marital status, age, sexual orientation, citizenship, or service in the uniformed services. The University also prohibits sexual harassment.

UCLA Logon ID: Your Key to Campus Electronic Services

Students, faculty, staff, and guests may be assigned a UCLA Logon ID by the Campus Credential Provider, Information Technology Services. The UCLA Logon ID and associated password serve to electronically identify an individual, enabling access to campus electronic services or resources that are restricted to that individual or to the UCLA community. The purpose of this policy is to establish Security Standards for the UCLA Logon ID and assign responsibility to both users and Service Providers for the proper use and safeguarding of UCLA Logon IDs. The standards serve to protect members of the UCLA community, the University’s electronic resources and electronic resources beyond the campus that accept UCLA Logon IDs for Authentication. Any individual assigned a UCLA Logon ID by the Campus Credential Provider becomes the Holder of the UCLA Logon ID and the associated password. A UCLA Login ID whose password becomes known to someone other than the assigned Holder or other authorized person will be considered compromised.

Shibboleth: A Standards-Based Federated Authentication Protocol

Shibboleth is the standard federated authentication and attribute query service protocol in higher education. Shibboleth has strong support from the Internet2. It has been adopted by many institutions throughout the world as their web single sign-on service of choice. UCLA operates a fully functioning Shibboleth Identity Provider parallel to the current ISIS interface, and the two are integrated.

Why Shibboleth?

ISIS is a home grown system with a proprietary API and is only used within UCLA. Shibboleth, on the other hand, is used at a significant number of institutions. More significantly, Shibboleth enables members of one institution to use his/her credential to log in to services at another institution. Internet2 provides standard “client” (called Service Provider) modules for Apache and IIS. These SP modules handle all communications between your server and the Shibboleth Identity Provider. Any information returned is presented to your application in the HTTP headers, so all your application needs to be able to do is to read HTTP headers. ISIS can only provide a fixed set of user attributes.

Shibboleth vs. ISIS: Which is Better?

Generally speaking, if you are launching a new application, it is recommended to seriously consider using Shibboleth. Eventually, the current ISIS API will be phased out in favor of Shibboleth. Besides, while there is significant set up (at least for the first time), there is far less coding involved on your part. To use ISIS, you need to write code to call the ISIS Web Service.

Authorization with Shibboleth

At least for web applications, authorization data will come through the Shibboleth attribute response packets. As a user logs into your application and runs through the shibboleth authentication sequence, the shibboleth SP module eventually fires attribute requests against the IdP. Shibboleth attributes returned to your application are presented as name/value pairs in the HTTP header. You simply read the headers and parse out the data you are looking for. Note that attributes can contain multiple values.

Duo Desktop: Enhancing Security for Protected Applications

UCLA Duo Desktop is a lightweight application for your computer that performs a security Health Check on your device. This lightweight tool will assess your device's security posture to ensure your system meets UCLA's security requirements (e.g., UCLA-approved anti-virus: Trellix) before you can access protected applications. Duo Desktop is part of the UCOP May 28, 2025, mandate.

Read also: Navigating Tech Breadth at UCLA

Applications Requiring Duo Desktop

UCLA is adopting a risk-based approach to enforcement with the Duo Desktop agent. Duo Desktop will validate that Trellix is installed when accessing high-risk applications that store, process, or transmit the most sensitive data (Level 4) as defined by UC Policy. This includes applications that deal with financial data, human resources and personnel information, student data, and/or critical IT applications.

The following applications will require Duo Desktop:

BruinCard Doors
BruinBuy Plus
ChatGPT
DocuSign*
GitHub Enterprise
iCIMS
JDXpert
Laserfiche Forms
Office 365 (EM)**
Opus
Post-Authorization Notice (PAN)
ODMPSAWeb
Salesforce (DTS)

*Signing DocuSign envelopes will not require authentication via Duo Desktop + Trellix

**Office 365 refers to the UCLA Enterprise Messaging instance only and includes all online Microsoft productivity apps including Outlook, OneDrive, etc.

How Duo Desktop Works

Duo Desktop is a lightweight agent that helps control access to institutional applications when devices do not meet certain security requirements. The agent checks the security posture of the connecting system to determine if requirements such as antivirus, disk encryption, etc. In compliance with the UC Information Security Investment Plan announced by UCOP in February 2024, all systems (including personal devices) that connect to university applications must have the UC-approved endpoint detection and response (EDR) software, Trellix Endpoint Security, installed. Local administrator rights on the endpoint are required to complete the installation.

Read also: Understanding UCLA Counselors

When accessing Duo Desktop-protected applications, you are presented with self-installation of the client. If Duo Desktop is not installed by 5/28/25, the next time a user attempts to access a UCLA application that is now being enforced by Duo Desktop, the login process will automatically redirect them to instructions on how to download and install the agent. Duo Desktop runs in the background with a small footprint. The Duo Desktop agent does not collect any personally identifiable information (PII), file data, or information that can be used to determine browsing history or other personal information. Duo Desktop includes an auto-update option during installation, which is enabled by default. In such cases, users will need to contact their local IT support team to assist with installation.

Duo MFA verifies your identity with a second factor (e.g., push notification), while Duo Desktop verifies device's security posture.

Duo Desktop FAQs

Will Duo Desktop be required for all UCLA applications? No. Only a curated list of high-risk applications containing Protection Level 3 or 4 data will be protected initially.
Will I be postured before login if I have a local login to any of these applications? No, if you have a local login to any of these applications you will not be postured before login.
Will UCLA applications already behind SSO need to be reconfigured to support Duo Desktop? No, UCLA applications already behind SSO will not need to be reconfigured to support Duo Desktop.
Does each protected application have its own Duo Desktop policy? Yes. Each protected application has its own Duo Desktop policy.
Is there a grace period for installing Duo Desktop and Trellix? There is no grace period. If your device does not meet posture requirements (e.g., Duo Desktop not installed or Trellix not detected), access to protected applications will be blocked at login. Users needing urgent access outside of regular support hours can contact the IT Support Center.
What health checks does the Duo Desktop Agent UI display? The Duo Desktop Agent UI will by default display health checks for operating system (OS) patch level, system password, disk encryption, and firewall status. This display is not customizable, and are not part of the enforcement check to access high-risk UCLA applications. The only compliance check that will be enforced will be whether Trellix HX, the only UC-approved EDR product, is installed.
Are tablets required to run Duo Desktop? Only Windows-based tablets will be required to run Duo Desktop.
Do I need to meet the Duo Desktop and Trellix requirements on every device I use? Yes. Each device you use to access protected applications must meet the Duo Desktop and Trellix requirements.
How often is a posture check performed? A posture check is performed every time you authenticate into a protected application.

UCLA Extension Course Information

UCLA Extension offers a wide variety of courses, including lower-division courses (numbered 1-99) and upper-division courses (numbered 100-199). The prefix "M" is used for courses which are multiple-listed among departments or units.

Types of Courses

Fiat Lux Freshman Seminars (19): Limited to 20 students, taught by faculty in their areas of scholarship, and graded P/NP.
Sophomore Seminars (88): Limited to a maximum of 20 lower-division students, readings and discussions designed to introduce students to current research in the discipline, and graded P/NP or Letter grading.
Honors Seminars (89): Limited to 20 students, adjunct to a lower-division lecture course, explores topics in greater depth, and graded Letter grading.
Honors Contracts (89HC): Individual study with instructor of a lower-division lecture course to explore topics in greater depth, and graded Letter grading.
Variable Topics (97, 191): Topics vary by instructor, and grading is department option.
Professional School Seminars (98): Limited to 20 students, taught by professional school faculty, designed to introduce students to the nature of professional work, and graded P/NP or Letter grading.
Collegium of University Teaching Fellows (98T): Taught by advanced graduate students in their field of specialization, one-time-only offerings, introduces students to a cutting edge of a discipline, and graded Letter grading.
Student Research Program (99): Entry-level research for lower-division students under guidance of a faculty mentor, and graded P/NP.
Special Studies (188): Departmentally sponsored experimental or temporary courses, approved for one term or one year only, and grading is department option.
Advanced Honors Seminars (189): Designed as adjunct to a lower- or upper-division lecture course, explores topics in greater depth, and graded Letter grading.
Research Colloquia (190): Designed to bring students doing supervised tutorial research together in a seminar setting, and graded P/NP only.
Honors Seminars (191H): Honors research seminars on selected topics, and grading is department option.
Undergraduate Teaching Practicum (192): Training and supervised practicum for advanced undergraduates in teaching courses, and grading is P/NP or letter grade.
Journal Club Seminars (193): Limited to undergraduates, and graded P/NP only.
Research Group or Internship Seminars (194): Designed for undergraduates who are part of a research group or internship, and graded P/NP only.
Community or Corporate Internship (195): Internship in a supervised setting in a community agency or business, and grading P/NP or Letter grading.
Research Apprenticeship (196): Entry-level research apprenticeship for upper-division students under guidance of a faculty mentor, and graded P/NP.
Individual Studies (197): Individual tutorials between a faculty member and a student, and grading is P/NP or Letter grading.
Honors Research (198): Limited to juniors/seniors, and graded Letter grading.
Directed Research or Senior Project (199): Research under the guidance of a faculty mentor, and graded P/NP or Letter grade.
Teaching Apprentice Practicum (375): Teaching apprenticeship under active guidance and supervision of a regular faculty member.
Methods in Teaching (495): Courses prepare students for practical college-level teaching experience and are designed to provide professional development.
Cooperative Program (501): Designed for registered UCLA students to take approved courses at nearby institutions (primarily USC) for credit.

Course Subtitles

Some courses such as variable topics are set up so that sections of the course have their own titles known as subtitles. If a section subtitle is to be displayed on the transcript, the section is assigned a subtitle code and a 19-character abbreviation for that section. The 19-character abbreviation then replaces the generic course title and abbreviation. In cases where the department does not want the section subtitle displayed on the transcript, the section subtitle is entered into a textual note field. The subtitle is not given a 19-character abbreviation and does not display on the transcript.

Unit Value

Unit value is the workload credit given for a course. Senate Regulation 760 provides that credit be reckoned at the rate of one unit per three hours of work per week, per term, or the equivalent. Units for a course are usually fixed. Most courses are four or five units. Certain courses have variable units such as "two to eight units" or alternate units such as "two or four or eight."

Grading Basis

Undergraduate courses have various grading options. Specific reasons for In Progress grading must be given in the justification section.

Course Format

Clinic (CLI): A group meeting devoted to the analysis and solution of concrete problems or to the acquiring of specific skills or knowledge.
Discussion (DIS): A subsection of a course focusing on topics presented in the main section of the course (usually a lecture).
Fieldwork (FLD): Work done in the field to gain practical hands-on experience and knowledge through firsthand observation.
Seminar (SEM): Students meet with an instructor in a small classroom setting to exchange ideas through discussion, research papers, and reports.
Tutorial (TUT): Students are supervised by an instructor on a one-on-one basis to pursue an agreed upon individual course of study.

Multiple Listings

Courses jointly offered by two or more departments are designated as "multiple listings" and are identified by the prefix "M." All elements of the course except the course numbers (e.g., title, format, unit value) must be identical for all sponsoring units.

Concurrently Scheduled Courses

Concurrently scheduled courses are pairs of courses, within a single department or program, which are offered at the same time and place, with the same instructor, but for which credit is given at two levels-graduate and undergraduate. No student, by merely performing additional work, may receive upper-division credit for a lower-division course or graduate credit for an undergraduate course. It is expected that the amount of activity and level of performance required of a graduate student enrolled in a concurrently scheduled course exceeds that of an undergraduate. For concurrently scheduled courses, suitably separate activities and standards for performance and evaluation must be applied for graduates and undergraduates. Courses in which both regular and University Extension students are enrolled and in which resident students receive degree and grade-point credit are defined as concurrent courses. The Extension course and the regular course are the same-taught by the same instructor, at the same time, in the same place, at the same.

SAF and Study Abroad at UCLA

SAF program includes a safe transfer from your arrival airport to your new study abroad housing. Your new university and SAF will arrange social and cultural events so that you can meet other study abroad and local students. Take the first step in your study abroad journey by scheduling a consultation with your closest Student Counselor. You can discuss your for-credit academic courses and language programs and explore internships, research programs, and study tours.

UCLA Academic Program is a part of UCLA Extension, a department of the school which offers its own course catalog in a wide variety of subjects. You will be considered an Extension student and are able to select and enroll in Extension courses prior to your arrival. In addition to Extension courses, students in the UCLA Academic Program are allowed to enroll in main-campus UCLA undergraduate courses to study alongside degree-seeking UCLA students through a process of concurrent enrollment. As an Extension student, however, your spot in main-campus courses is not guaranteed, and a course will only be available to you if there are seats available at the end of the course-crashing process.

Security and Emergency Action Plan

UCLA Extension is integrated into the emergency planning for the entire University community. The Deans Office undertakes an annual review of this policy and complete the business continuity planning coordinated by the Office of the President. UCLA Extension's information security policy ensures that its critical operations, assets and customers are properly protected. Due to the increasing value of the data we collect, store and process, we are committed to its protection, the enforcement of applicable regulatory guidelines and routine assessment of security risks.

tags: #UCLA #single #sign #on #explained