| Table of Contents |
|---|
...
While the “Steps to implement” section is guidance accessible to institutional administrative staff who might be evaluating or on-boarding a new application, this document is intended primarily as a reference for technical staff and, as such, includes terms and acronyms without further elaboration that said staff are assumed to be familiar with or that appear commonly on vendor’s intake forms.
Steps to implement
With the vendor’s support or documentation:
Determine if accounts can be provisioned upon login or accounts must be created beforehand.
Some vendors are able to automatically create accounts for any unknown user upon successful login, sometimes called “Just-In-Time” (JIT) provisioning, while other vendors require accounts to be created before users are able to login. For the latter case, arrangements need to be made outside of SSO, such as with an integration by IAM or Banner/Enterprise Solutions, manual account creation, etc.Determine if SAML or CAS will be used.
Some applications only offer one option. If there is a choice, SAML is recommended.Determine if attributes are needed in addition to the attributes released by default.
Complete the PSU Single Sign-On Application Request Form. Provide information to the vendor about PSU’s SSO configuration.
Contact OIT's Identity and Access Management (IAM) team for assistance with the vendor’s forms or questionnaires for implementing SSO.Configure a test instance.
We recommend using a test application instance using our stage environment to get the application working with the SSO testing environment. If possible, keep the test instance to validate future SSO changes before they are moved to production.If troubleshooting is called for, IAM might ask to point to our development environment. Unless your application provides three different environments, do not configure for this environment unless requested.
Note that only our production identity provider has metadata published through InCommon Federation; non-production instances will require manually importing metadata.Configure a production instance.
Use the production information below to configure a production instance of the application.
Information requested by vendors
Organization: Portland State University
Contact: IAM Team <oit-iamteam-group@pdx.edu>
Member of InCommon: Yes
Identity Provider (IdP): Shibboleth 4.0
...
Service Providers not registered with InCommon require either SAML metadata or URLs of protocol endpoints/bindings. In either case, PSU’s SSO requires explicit configuration with the metadata provided by the SP or by creating metadata from the SP’s protocol endpoints.
Production | |
|---|---|
Entity ID | https://sso.pdx.edu/idp/shibboleth |
Metadata | https://sso.pdx.edu/idp/shibboleth |
Login URL | https://sso.pdx.edu/idp/profile/SAML2/Redirect/SSO |
Logout URL | https://sso.pdx.edu/idp/profile/Logout |
Stage | |
|---|---|
Entity ID | https://sso-stage.oit.pdx.edu/idp/shibboleth |
Metadata | https://sso-stage.oit.pdx.edu/idp/shibboleth |
Login URL | https://sso-stage.oit.pdx.edu/idp/profile/SAML2/Redirect/SSO |
Logout URL | https://sso-stage.oit.pdx.edu/idp/profile/Logout |
Development | |
|---|---|
Entity ID | https://sso-dev.oit.pdx.edu/idp/shibboleth |
Metadata | https://sso-dev.oit.pdx.edu/idp/shibboleth |
Login URL | https://sso-dev.oit.pdx.edu/idp/profile/SAML2/Redirect/SSO |
Logout URL | https://sso-dev.oit.pdx.edu/idp/profile/Logout |
CAS configuration
CAS protocol version: 2.0
Production | |
|---|---|
Server | sso.pdx.edu |
Port | 443 |
CAS URI | https://sso.pdx.edu/idp/profile/cas |
Logout | https://sso.pdx.edu/idp/profile/Logout |
CASLoginURL | https://sso.pdx.edu/idp/profile/cas/login |
CASValidateURL | https://sso.pdx.edu/idp/profile/cas/serviceValidate |
CASProxyValidateURL | https://sso.pdx.edu/idp/profile/cas/proxyValidate |
Stage | |
|---|---|
Server | sso-stage.oit.pdx.edu |
Port | 443 |
CAS URI | https://sso-stage.oit.pdx.edu/idp/profile/cas |
Logout | https://sso-stage.oit.pdx.edu/idp/profile/Logout |
CASLoginURL | https://sso-stage.oit.pdx.edu/idp/profile/cas/login |
CASValidateURL | https://sso-stage.oit.pdx.edu/idp/profile/cas/serviceValidate |
CASProxyValidateURL | https://sso-stage.oit.pdx.edu/idp/profile/cas/proxyValidate |
Development | |
|---|---|
Server | sso-dev.oit.pdx.edu |
Port | 443 |
CAS URI | https://sso-dev.oit.pdx.edu/idp/profile/cas |
Logout | https://sso-dev.oit.pdx.edu/idp/profile/Logout |
CASLoginURL | https://sso-dev.oit.pdx.edu/idp/profile/cas/login |
CASValidateURL | https://sso-dev.oit.pdx.edu/idp/profile/cas/serviceValidate |
CASProxyValidateURL | https://sso-dev.oit.pdx.edu/idp/profile/cas/proxyValidate |
...
Odin usernames are occasionally renamed due to special circumstances. Administrators of SSO enabled applications should subscribe to the OIT account rename notification list.
This will allow you to handle account renames in your application if necessary.
...
Often a vendor will request a test account for use in setting up SSO. We do not currently have test accounts in production, but departments can set up affiliate accounts for vendors. Learn more about affiliate accounts.
Frequently asked questions
...
We strongly recommend against using the mail attribute as it often is not “uid@pdx.edu” and can easily change due to the possibility of email aliases. Also, the domain for mail is different between production and non-production environments: @pdx.edu for production and @gtest.pdx.edu for stage. If the vendor or application insists on an attribute formatted like an email address, use the eduPersonPrincipalName.
...
These attributes use a controlled vocabulary from the eduPerson specification. Permissible values are faculty, student, staff, alum, member, affiliate, employee, library-walk-in. Read an explanation of what these values mean as part of the eduPersonAffiliation definition.