SSO Integration
Allow your faculty and students to access Dewey through university single sign-on
Introduction
Shibboleth is a common identity management solution many universities use to manage single sign-on (SSO) capabilities. Dewey uses Auth0 for user account management. These tools can be integrated using a simple SAML 2.0 integration.
Resource: Auth0 Documentation
Setting up this integration requires five steps:
- Step 1 and Step 3 are completed by the University
- Step 2 is completed by the team at Dewey
- Step 4 and Step 5 are a joint effort to finalize the connection
Step 1: Provide SAML 2.0 Information (University)
To get started, please provide Dewey with the following information:
- Sign In/Redirect URL (provided by IdP)
- X509 signing certificate (download it from the IdP; the X509 signing certificate should be encoded in PEM or CER format)
Dewey can also pull this information if you share an XML file provided by Shibboleth.
Additionally, please share a list of subdomain variations that may be used as email addresses for authenticated users:
- Ex. @university.edu, @school.university.edu, @design.university.edu
Step 2: Auth0 Setup (Dewey)
Time estimate: 1 day
Once Dewey receives this info, we’ll create a connection in Auth0 to your IdP. This will enable any authenticated users to access the Dewey platform.
By default, any users who sign up or sign in with a university-provided domain will redirect to a university-hosted login page. Once they log in, they’ll be redirected back to the Dewey platform.
Step 3: Authenticate Dewey Application (University)
Dewey will provide you with an SP metadata URL that should include the required metadata, entityID and ACS endpoints so that you can register Dewey as a verified SSO partner.
Step 4: Ensure Correct Attributes are Being Released
Dewey needs the following attributes released in the IdP response:
- Email - required
- First Name - optional
- Last Name - optional
- Affiliation (Staff, Faculty, Alumni, etc.) - optional
- If affiliation cannot be released, Dewey will work with you to create a workflow to ensure that only active faculty, staff, and students are able to access the Dewey platform
Step 5: Update Mappings for Name and Email (Dewey)
At this point the integration is complete. Dewey just needs to ensure that when a user from the University goes through the login process, the response we get from Shibboleth maps to the correct fields, so that the sign up/sign in flow is smooth. The mapping that we have confirmed works is the following:
Troubleshooting
Send .HAR file to Dewey (University)
If there is an issue with the sign up flow and the end user is seeing an additional “sign up” page, or the system is saying there is already an account with their username, then there is an issue with the mappings. To troubleshoot this, Dewey needs to review the University’s IdP response so it can ensure the right fields are being mapped. To get the IdP response you must create a .HAR file using the following guides:
Additionally, here is a short video walkthrough of how to generate that file using Chrome:
Once you have generated the file, send it to Dewey and we’ll let you know when it is time to test again.
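The attribute check from Step 4 can also be run locally against the captured .HAR file. The following is an added example, not Dewey's or Auth0's own code: it pulls each `SAMLResponse` out of a HAR capture, lists the attributes the IdP released, and reports which expected ones are absent. The attribute OIDs in `WANTED` are an assumption (names commonly released by Shibboleth IdPs, not Dewey's confirmed mapping), and the sample HAR is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: OIDs commonly released by Shibboleth IdPs, not Dewey's confirmed mapping.
WANTED = {"email": "urn:oid:0.9.2342.19200300.100.1.3",        # mail (required)
          "first name": "urn:oid:2.5.4.42",                     # givenName
          "last name": "urn:oid:2.5.4.4",                       # sn
          "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"}    # eduPersonScopedAffiliation

def saml_responses(har):
    """Yield the decoded XML of every SAMLResponse POSTed in a parsed HAR."""
    for req in (entry["request"] for entry in har["log"]["entries"]):
        if req.get("method") != "POST":
            continue
        post = req.get("postData") or {}
        form = parse_qs(post.get("text") or "")
        for p in post.get("params") or []:   # fallback when only params is filled
            form.setdefault(p["name"], [unquote(p.get("value", ""))])
        for value in form.get("SAMLResponse", []):
            yield base64.b64decode(value).decode("utf-8")

def released_attributes(xml_text):
    """Map attribute Name -> values. Inspection only: no signature is verified."""
    root = ET.fromstring(xml_text)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes cannot be read from the HAR")
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def missing(attrs):
    """Labels from WANTED that were not released, or were released empty."""
    return [label for label, name in WANTED.items() if not any(attrs.get(name, []))]

# Constructed sample: an unsigned response that releases mail and givenName only.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>'
    '<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">'
    '<saml:AttributeValue>jdoe@university.edu</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://idp.example.edu/login"}},
    {"request": {"method": "POST", "url": "https://sp.example.com/acs", "postData": {
        "text": urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode()})}}}]}}

if __name__ == "__main__":
    print([missing(released_attributes(x)) for x in saml_responses(SAMPLE_HAR)])
```

To check a real capture, load it with `json.load` and pass the result to `saml_responses`. A HAR capture also records cookies and other request data from the browser session, so a local check first limits how often the file has to be shared.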