Carnegie Mellon University

Moving to CMU Login (Entra ID)

Computing Services is transitioning the university’s Single Sign-On (SSO) infrastructure to Microsoft Entra, a modern identity platform that provides a more secure and seamless authentication experience. This shift is a key part of our broader strategic initiative to modernize the university’s login service and enable the future of digital access.

Why the Change?

A Better User Experience

  • Unified Access: Use a single set of credentials to access everything from email and cloud storage to specific departmental applications.
  • Consistent Interface: Experience an intuitive login experience on a laptop, tablet, or mobile device.
  • Self-Service Capabilities: Empowers users with more autonomy over their account management and recovery options.

Enhanced Security & Oversight

  • Improved Account Security: CMU Login (Entra ID) helps protect Andrew accounts through modern authentication methods, strong access controls, and support for passwordless sign-in experiences.
  • Threat Detection: With CMU Login (Entra ID), the university can more effectively detect suspicious activity, respond to potential security threats, and help protect your institutional data and intellectual property.
  • Duo Multi-Factor Authentication (MFA) Integration: CMU Login (Entra ID) works seamlessly with Duo MFA to provide an additional layer of verification, helping ensure that only authorized users can access university resources and sensitive information.

What This Means For You

We’ll help you migrate from CMU Login (Shibboleth) to CMU Login (Entra ID).

  • For Service Providers: Submit the CMU Login (Entra ID) request form to initiate the migration for your service and receive guidance on next steps and what to expect.
  • For Users: Your Andrew userID and passwords remain the same, but you will experience a faster and more modern CMU Login experience.

Timeline

The migration is being executed in three high-level strategic phases. We are currently preparing to move into Phase 3.

  • Phase 1: Net new SSO Service Provider registrations began using Entra (February 2026)
  • Phase 2: Validation of existing SSO Service Providers and migration planning readiness (February – June 2026)
  • Phase 3: Migration of existing SSO Service Providers to Entra (June – December 2026)

Frequently Asked Questions

For Students, Faculty & Staff

The transition provides a more modern authentication experience, improved security capabilities, stronger integration with cloud services, and a simplified sign-in experience across university applications.
No. You will continue to use your existing Andrew account userID and password.
Many university applications and services will be transitioned to CMU Login (Entra ID) over time.
Yes. Duo MFA will continue to be used to help protect university accounts and data.
Yes. You may notice a new sign-in experience powered by Microsoft Entra ID, but you will continue to sign in with your Andrew account.
In many cases, users will experience fewer sign-in prompts due to improved Single Sign-On (SSO) capabilities.
Contact the Computing Services Help Center at it-help@andrew.cmu.edu or your local IT support team for assistance.
Most users should experience little to no disruption. Service-specific communications will be provided when changes affect a particular application.

For Faculty & Staff Who Manage CMU Login Applications

Applications currently using Shibboleth for authentication will need to migrate to CMU Login (Entra ID) before Shibboleth is retired.
Migration timelines and deadlines will be communicated by the Identity and Access Management services team.
No, please don’t wait! We welcome early adopters and are eager to work with teams who are ready to move sooner. Let us know you are ready by submitting the CMU Login (Entra ID) request form.
Applications that rely on university authentication services will need to transition to a supported authentication solution.
CMU Login (Entra ID) supports modern authentication standards such as SAML 2.0 and OpenID Connect (OIDC).
OpenID Connect is generally recommended for new integrations when supported by the application. SAML may remain appropriate for certain existing applications.
In many cases, yes. The migration team can help determine attribute mappings and identify any required changes.
Most applications can continue using familiar identifiers, but application owners should review identifier and attribute requirements during migration planning.
Yes. CMU Login (Entra ID) can provide group-based access control and role-based authorization capabilities for many applications.
Submit a request through the CMU Login (Entra ID) request form. The Identity and Access Management team will reach out to you to begin the migration process.
Yes. Application owners can test integrations in a non-production environment before moving to production.
The Identity and Access Management team will provide consultation, documentation, testing assistance, and migration guidance.