RPI provides SAML authentication to applications and services. This allows applications to our RCSID and participation in our single sign-on (SSO). The application requesting authentication is known as the service provider and will be referred to as such. RPI operates the identity provider, Shibboleth. RPI is part of the InCommon federation. If the service provider is also part of this federation, we will facilitate through it.
Only the RCSID is default released to the service provider, but we can release other common attributes on request. The list of attributes we generally support can be found here - https://itssc.rpi.edu/hc/en-us/articles/4792596321677-Shibboleth-Attribute-List. We require our service providers to support encryption and signing. A waiver can be requested if the application cannot support this. Our metadata is located here, https://shib.auth.rpi.edu/idp/shibboleth
Requirements to use Shibboleth are:
- HTTPS(>tls1.1) is required.
- The service provider must support SAML2.
- Encryption and signing are required. If not available, a waiver needs to be requested.
- The default NameID is set as transient. If an alternative is needed please supply in request.
- Metadata should be URL based
- MFA is required
- If the service provider is part of InCommon Federation we will use that
- Requests will be summited through web form. The request URL is - https://webforms.rpi.edu/shibboleth-new-service-provider-request
Article is closed for comments.