Overview
RPI provides SAML authentication services for on-campus and hosted applications. Integrating with our single sign-on environment allows for the use of the RCSID username and password, as well as support for MFA. For applications without built-in SAML support, we recommend using Shibboleth SP3, which integrates directly into Apache. We can also support other SAML libraries, but they need to be documented and scrutinized by the security team.
The application requesting authentication is referred to as the service provider, and RPI manages the Identity Provider.
Details
By default, only the RCSID will be released to the service provider. If any other attributes such as first/last name or email are required, they need to be included in the request. The list of
We require the use of encryption and signing for both requests and assertions. If it is known that this will not be supported by the service provider, a waiver can be requested.
General requirements to use Shibboleth are:
- HTTPS (> TLS 1.1) is required by the web server. Anything that is unable to meet this will be unable to load the page.
- The service provider must support SAML2.
- Encryption and signing are required. If not available, a waiver needs to be requested.
- The default NameID is set as Transient unless specified in the metadata. This sometimes causes issues, so if an alternative is needed, please specify it in the request.
- Metadata should be accessible from a URL rather than a saved file.
- MFA with verified push is required and will be handled by Shibboleth.
- If the service provider is part of the InCommon Federation, we will use that.
To begin integrating with Shibboleth, start with the web form: https://webforms.rpi.edu/shibboleth-new-service-provider-request
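Before submitting the request, the service provider's own metadata can be checked against the requirements listed above. The following Python is an added example, not RPI's or the Shibboleth project's code; it assumes the signing and encryption requirements show up in metadata as the standard AuthnRequestsSigned, WantAssertionsSigned and KeyDescriptor declarations, and the entity ID, endpoints and sample documents are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: not service provider metadata"]
    findings = []
    if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
        findings.append("SAML2 protocol not declared")
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)}
    for use in ("signing", "encryption"):
        if use not in uses and None not in uses:
            findings.append(f"no KeyDescriptor usable for {use}")
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag) not in ("true", "1"):
            findings.append(f"{flag} is not true")
    if sp.find("md:NameIDFormat", NS) is None:
        findings.append("no NameIDFormat declared: the Transient default applies")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if not acs.get("Location", "").startswith("https://"):
            findings.append(f"ACS endpoint is not HTTPS: {acs.get('Location')}")
    return findings

# Constructed sample metadata (hypothetical entity ID, key material omitted).
TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.edu/shibboleth">
  <md:SPSSODescriptor {flags}
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {keys}{nameid}
    <md:AssertionConsumerService index="1" Location="{acs}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
GOOD = TEMPLATE.format(
    flags='AuthnRequestsSigned="true" WantAssertionsSigned="true"',
    keys='<md:KeyDescriptor use="signing"/><md:KeyDescriptor use="encryption"/>',
    nameid="<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
           "</md:NameIDFormat>",
    acs="https://app.example.edu/Shibboleth.sso/SAML2/POST")
WEAK = TEMPLATE.format(flags="", keys='<md:KeyDescriptor use="signing"/>',
                       nameid="", acs="http://app.example.edu/Shibboleth.sso/SAML2/POST")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_sp_metadata(doc) or "all checks passed")
```

The checker reads only what the metadata declares; it does not validate certificates or confirm that the running service provider enforces those settings.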
References/Links
- Instructions for setting up Shibboleth SP3 are found here: https://itssc.rpi.edu/hc/en-us/articles/22007796523661-Implementing-SSO-Authentication-with-Shibboleth-SP3-for-Apache
- Our metadata is located at https://shib.auth.rpi.edu/idp/shibboleth and can be shared publicly.
- Attributes we currently support can be found here: https://itssc.rpi.edu/hc/en-us/articles/4792596321677-Shibboleth-Attribute-List