Moving to CMU Login (Entra ID)
Computing Services is transitioning the university’s Single Sign-On (SSO) infrastructure to Microsoft Entra, a modern identity platform that provides a more secure and seamless authentication experience. This shift is a key part of our broader strategic initiative to modernize the university’s login service and enable the future of digital access.
Why the Change?
A Better User Experience
- Unified Access: Use a single set of credentials to access everything from email and cloud storage to specific departmental applications.
- Consistent Interface: Experience an intuitive login experience on a laptop, tablet, or mobile device.
- Self-Service Capabilities: Empowers users with more autonomy over their account management and recovery options.
Enhanced Security & Oversight
- Improved Account Security: CMU Login (Entra ID) helps protect Andrew accounts through modern authentication methods, strong access controls, and support for passwordless sign-in experiences.
- Threat Detection: With CMU Login (Entra ID), the university can more effectively detect suspicious activity, respond to potential security threats, and help protect your institutional data and intellectual property.
- Duo Multi-Factor Authentication (MFA) Integration: CMU Login (Entra ID) works seamlessly with Duo MFA to provide an additional layer of verification, helping ensure that only authorized users can access university resources and sensitive information.
What This Means For You
We’ll help you migrate from CMU Login (Shibboleth) to CMU Login (Entra ID).- For Service Providers: Submit the CMU Login (Entra ID) request form to initiate the migration for your service and receive guidance on next steps and what to expect.
- For Users: Your Andrew userID and passwords remain the same, but you will experience a faster and more modern CMU Login experience.
Timeline
The migration is being executed in three high-level strategic phases. We are currently preparing to move into Phase 3.
- Phase 1: Net new SSO Service Provider registrations began using Entra (February 2026)
- Phase 2: Validation of existing SSO Service Providers and migration planning readiness (February – June 2026)
- Phase 3: Migration of existing SSO Service Providers to Entra (June – December 2026)
Frequently Asked Questions
For Students, Faculty & Staff
Why is CMU moving from Shibboleth to CMU Login (Entra ID)?
The transition provides a more modern authentication experience, improved security capabilities, stronger integration with cloud services, and a simplified sign-in experience across university applications.
Will my Andrew account change?
No. You will continue to use your existing Andrew account userID and password.
What applications will use CMU Login (Entra ID)?
Many university applications and services will be transitioned to CMU Login (Entra ID) over time.
Will I still use Duo Multi-Factor Authentication (MFA)?
Yes. Duo MFA will continue to be used to help protect university accounts and data.
Will the login screen look different?
Yes. You may notice a new sign-in experience powered by Microsoft Entra ID, but you will continue to sign in with your Andrew account.
Will I have to sign in more often?
In many cases, users will experience fewer sign-in prompts due to improved Single Sign-On (SSO) capabilities.
What should I do if I cannot sign in?
Contact the Computing Services Help Center at it-help@andrew.cmu.edu or your local IT support team for assistance.
Will this affect my email, Canvas, Zoom, or other university services?
Most users should experience little to no disruption. Service-specific communications will be provided when changes affect a particular application.
For Faculty & Staff Who Manage CMU Login Applications
What is changing for application owners?
Applications currently using Shibboleth for authentication will need to migrate to CMU Login (Entra ID) before Shibboleth is retired.
When must my application migrate?
Migration timelines and deadlines will be communicated by the Identity and Access Management services team.
Our application team is ready to migrate now. Do we have to wait?
No, please don’t wait! We welcome early adopters and are eager to work with teams who are ready to move sooner. Let us know you are ready by submitting the CMU Login (Entra ID) request form.
Is migration mandatory?
Applications that rely on university authentication services will need to transition to a supported authentication solution.
What authentication protocols does CMU Login (Entra ID) support?
CMU Login (Entra ID) supports modern authentication standards such as SAML 2.0 and OpenID Connect (OIDC).
Should I migrate to SAML or OpenID Connect?
OpenID Connect is generally recommended for new integrations when supported by the application. SAML may remain appropriate for certain existing applications.
Can CMU Login (Entra ID) provide the same user attributes currently supplied by Shibboleth?
In many cases, yes. The migration team can help determine attribute mappings and identify any required changes.
Will user identifiers change?
Most applications can continue using familiar identifiers, but application owners should review identifier and attribute requirements during migration planning.
Can CMU Login (Entra ID) support group-based authorization?
Yes. CMU Login (Entra ID) can provide group-based access control and role-based authorization capabilities for many applications.
How do I begin the migration process?
Submit a request through the CMU Login (Entra ID) request form. The Identity and Access Management team will reach out to you to begin the migration process.
Will there be testing environments available?
Yes. Application owners can test integrations in a non-production environment before moving to production.
What support is available during migration?
The Identity and Access Management team will provide consultation, documentation, testing assistance, and migration guidance.