RPI provides SAML authentication services for on-campus and hosted applications. Integrating with our single sign-on environment lets users sign in with their RCSID username and password, with support for MFA.
The application requesting authentication is the service provider (SP); RPI operates the Identity Provider (IdP). By default only the RCSID is released to the service provider; if other attributes such as first/last name or email are required, they must be listed in the request. The list of attributes we currently support can be found here: https://itssc.rpi.edu/hc/en-us/articles/4792596321677-Shibboleth-Attribute-List.
We require encryption and signing of both requests and assertions. If it is known that the service provider cannot support this, a waiver can be requested.
Our IdP metadata is located at https://shib.auth.rpi.edu/idp/shibboleth and can be shared publicly.
General requirements to use Shibboleth are:
- HTTPS with TLS 1.2 or later is required on the service provider's web server. A server that cannot meet this will not be able to load the page.
- The service provider must support SAML2.
- Encryption and signing are required. If the service provider cannot support them, a waiver must be requested.
- The default NameID format is transient unless the service provider's metadata specifies otherwise. This sometimes causes issues, so if an alternative is needed, state it in the request.
- Metadata should be published at a URL rather than sent as a saved file.
- MFA with verified push is required and is handled by the Shibboleth IdP, not by the service provider.
- If the service provider is already registered in the InCommon Federation, we will use its InCommon metadata.
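Before submitting the request form it is worth checking the service provider's own metadata against the requirements above. The Python below is an added example, not RPI's tooling or the form's logic: it parses a SAML 2.0 SP metadata document and reports SAML2 support, signed requests and assertions, published signing and encryption certificates, an HTTPS assertion consumer endpoint, the declared NameIDFormat (or the transient default if none), and the attributes the SP asks for, which should match what is listed in the request. Both metadata documents, their entityIDs, hostnames and certificate bodies are constructed placeholders, and `check_sp_metadata_url` is a hypothetical helper for fetching a published metadata URL that the offline run below does not call.

```python
"""Pre-submission check of SAML 2.0 SP metadata against the requirements listed above.
Added example; not RPI's own tooling. Element and attribute names are the standard
SAML 2.0 metadata ones; the sample documents below are constructed placeholders."""
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample of an SP that meets every requirement (hypothetical entityID,
# hostname and certificate bodies).
COMPLIANT_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.example.edu/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example App</md:ServiceName>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of an SP that would need a waiver: unsigned requests, no request
# for signed assertions, no encryption key, no NameIDFormat, and a plain-HTTP ACS.
WEAK_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://legacy.example.edu/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://legacy.example.edu/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Parse SP metadata and return a report dict. 'problems' are hard failures against
    the requirements above; 'notes' are things to state explicitly in the request."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "problems": [], "notes": [],
              "nameid_formats": [], "requested_attributes": []}
    problems = report["problems"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no SPSSODescriptor: this is not service provider metadata")
        return report
    # SAML2 support is advertised in protocolSupportEnumeration.
    if SAML2_PROTOCOL not in (sp.get("protocolSupportEnumeration") or "").split():
        problems.append("SAML 2.0 not listed in protocolSupportEnumeration")
    # Signing: the SP signs its AuthnRequests and asks for signed assertions.
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        problems.append("AuthnRequestsSigned is not true: AuthnRequests will be unsigned")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true: SP does not require signed assertions")
    # Encryption: the IdP needs an encryption certificate for this SP. A KeyDescriptor
    # without a 'use' attribute is valid for both signing and encryption.
    key_uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        key_uses.update([kd.get("use")] if kd.get("use") else ["signing", "encryption"])
        if kd.find(".//ds:X509Certificate", NS) is None:
            problems.append("KeyDescriptor carries no X509Certificate")
    if "signing" not in key_uses:
        problems.append("no signing certificate: IdP cannot verify the SP's signatures")
    if "encryption" not in key_uses:
        problems.append("no encryption certificate: IdP cannot encrypt assertions to this SP")
    # HTTPS on the SP: every AssertionConsumerService endpoint must be https://.
    for acs in sp.findall("md:AssertionConsumerService", NS):
        loc = acs.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"AssertionConsumerService is not HTTPS: {loc}")
    # NameID: if none is declared the IdP defaults to transient, so say what you need.
    report["nameid_formats"] = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if not report["nameid_formats"]:
        report["notes"].append(f"no NameIDFormat declared; IdP default is {TRANSIENT}")
    # Attributes beyond RCSID: these must also be listed in the request form.
    for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        report["requested_attributes"].append(ra.get("FriendlyName") or ra.get("Name"))
    return report


def check_sp_metadata_url(url, timeout=10):
    """Hypothetical helper: fetch metadata from its published HTTPS URL and check it."""
    if not url.startswith("https://"):
        raise ValueError("metadata must be published over HTTPS")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_sp_metadata(resp.read())


if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT_SP_METADATA), ("weak", WEAK_SP_METADATA)):
        r = check_sp_metadata(doc)
        print(f"{label}: {r['entity_id']}")
        for p in r["problems"]:
            print("  PROBLEM:", p)
        for n in r["notes"]:
            print("  NOTE:", n)
        print("  requested attributes:", r["requested_attributes"])
```

The checks read only what the metadata advertises; whether the SP's TLS configuration actually meets the TLS 1.2 minimum, or whether the declared NameID format works with the application, still has to be confirmed against the running service. Any problem the weak sample reports corresponds to an item that would need either a fix in the SP or a waiver in the request.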
To begin integrating with Shibboleth, start with the web form: https://webforms.rpi.edu/shibboleth-new-service-provider-request