Suggestions for setting up services to use SSO.

TL;DR

  • Use attributes samlPairwiseID or samlSubjectID to identify users.

  • Entity ID should be a globally unique URL (it does not have to be reachable).

  • SAML certificates should be self-signed with a 10 year expiration.

User Identifiers

Do not use the “NameID” element of SAML assertions to identify users; its format and value depend on the IdP configuration, and a transient NameID changes with every session. Instead, use either the attribute samlPairwiseID or the attribute samlSubjectID.

The samlPairwiseID is derived from the persistent PSU UUID but has a different value for every service provider. Because the value is unique to each service provider, an identifier stolen from or sold by one service cannot be used to look the same user up in another, which makes it more difficult to misuse.

The samlSubjectID is the PSU UUID with the @pdx.edu domain appended.

Both of these identifiers can be used to positively and consistently identify users. The samlSubjectID can also be used to correlate users with records in other institutional systems. Reach out to the Banner Integration Team for assistance with this.

Neither of these identifiers is very user-friendly or familiar, however, so when displaying an identifier to the user, uid (the username) or eduPersonPrincipalName (an email-like identifier) is a better choice. Use those for display only; the account should still be keyed on samlPairwiseID or samlSubjectID.

Refer also to “IAM Definitions: Identifiers”.
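The selection rules above, as an added example that is not code from this page or from PSU: a stdlib-only Python resolver that keys the local account on the pairwise-id or subject-id attribute, rejects values whose scope is not the IdP's, never consults NameID, and uses uid or eduPersonPrincipalName only for display. The OASIS attribute URNs assumed to correspond to samlPairwiseID and samlSubjectID, the expected scope, the example IdP URL and the sample assertion are all assumptions or constructed for the example.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names defined by the OASIS "SAML V2.0 Subject Identifier Attributes
# Profile". Assumption: the page's samlPairwiseID / samlSubjectID are these.
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
# Display-only attributes: the standard OIDs for uid and eduPersonPrincipalName.
UID = "urn:oid:0.9.2342.19200300.100.1.1"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

# The only scope this SP accepts from its IdP (assumption: pdx.edu, as on the page).
EXPECTED_SCOPE = "pdx.edu"
# Conservative approximation of the profile's uniqueID syntax (ASCII, no '@').
UNIQUE_ID_RE = re.compile(r"^[A-Za-z0-9=-]{1,127}$")

# Constructed sample assertion (not a real PSU assertion; signature omitted).
# The transient NameID changes every session and is deliberately never read.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7d1e9a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:pairwise-id">
      <saml:AttributeValue>2b3f4c5d6e7f8a9b0c1d2e3f4a5b6c7d@pdx.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id">
      <saml:AttributeValue>123e4567-e89b-12d3-a456-426614174000@pdx.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@pdx.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map each SAML attribute Name to its list of string values (Subject/NameID ignored)."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name", "")] = values
    return attrs


def account_key(attrs: dict[str, list[str]], kind: str = "pairwise-id",
                scope: str = EXPECTED_SCOPE) -> str:
    """Return the scoped identifier to key local accounts on.

    kind is "pairwise-id" (default: per-SP value, hard to correlate if leaked) or
    "subject-id" (same value everywhere: use it when records must be joined with
    other institutional systems). There is no silent fallback between the two,
    because switching kinds would change the key space of existing accounts.
    """
    name = {"pairwise-id": PAIRWISE_ID, "subject-id": SUBJECT_ID}[kind]
    values = attrs.get(name, [])
    if len(values) != 1:  # the profile defines both attributes as single-valued
        raise ValueError(f"{kind}: expected exactly one value, got {len(values)}")
    unique_id, sep, got_scope = values[0].rpartition("@")
    if not sep or not UNIQUE_ID_RE.match(unique_id):
        raise ValueError(f"{kind}: malformed value {values[0]!r}")
    if got_scope.lower() != scope.lower():
        # An IdP must only assert scopes it owns; anything else is not our user.
        raise ValueError(f"{kind}: scope {got_scope!r} is not {scope!r}")
    # Normalise case so spelling variants cannot create duplicate accounts.
    return f"{unique_id.lower()}@{got_scope.lower()}"


def display_name(attrs: dict[str, list[str]]) -> str | None:
    """Human-facing label only: uid, else eduPersonPrincipalName, else nothing."""
    for name in (UID, EPPN):
        values = attrs.get(name, [])
        if values:
            return values[0]
    return None


def resolve_user(assertion_xml: str, kind: str = "pairwise-id") -> dict[str, str | None]:
    """Validated account key plus display label for one assertion."""
    attrs = parse_attributes(assertion_xml)
    return {"key": account_key(attrs, kind), "display": display_name(attrs)}


if __name__ == "__main__":
    print(resolve_user(SAMPLE_ASSERTION))
    print(resolve_user(SAMPLE_ASSERTION, "subject-id"))
```

In a real Shibboleth SP deployment the attributes arrive already mapped (for example as request headers or environment variables set by the SP), so only the scope and format checks and the key/display split carry over; the XML parsing stands in for that mapping here.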

Entity ID

The entity ID of a Service Provider or Identity Provider is the global identifier for the service. It must therefore be globally unique, so it should not be built from a hostname such as “localhost” or any other name that another deployment could reuse.

...

A URL used as an entity ID does not need to be a reachable destination. It is not uncommon, however, for the entityID to provide the entity’s metadata at the entityID URL.

Certificates

SAML uses X.509 certificates as the container for the public key of a signing or encryption key pair; the matching private key is stored separately and never leaves the server. A Service Provider’s SAML certificate should not be the same as the certificate used for HTTPS for the application: the HTTPS certificate is CA-issued and renewed on a short cycle, whereas SAML trust is anchored in the key published in the entity’s metadata, so reusing the HTTPS certificate would break the federation trust at every renewal.

...

The subject and subjectAltName (lines 2 & 3) are not necessary for Shibboleth or SAML in general, but the information can be useful for management.

Acronyms & Abbreviations