Introduction and audience
PSU provides Single-Sign On (SSO) to authenticate and identify institutional users for web-based applications. The Shibboleth Identity Provider supports SAML and CAS protocols to provide this service. This document provides essential details required to configure an application to authenticate users with PSU’s SSO service.
While the “Steps to implement” section is guidance accessible to institutional administrative staff who might be evaluating or on-boarding a new application, this document is intended primarily as a reference for technical staff and, as such, includes terms and acronyms without further elaboration that said staff are assumed to be familiar with or that appear commonly on vendor’s intake forms.
Steps to implement
With the vendor’s support or documentation:
Determine if accounts can be provisioned upon login or accounts must be created beforehand.
Some vendors are able to automatically create accounts for any unknown user upon successful login, sometimes called “Just-In-Time” (JIT) provisioning, while other vendors require accounts to be created before users are able to login. For the latter case, arrangements need to be made outside of SSO, such as with an integration by IAM or Banner/Enterprise Solutions, manual account creation, etc.Determine if SAML or CAS will be used.
Some applications only offer one option. If there is a choice, SAML is recommended.Determine if attributes are needed in addition to the attributes released by default.
Complete the PSU Single Sign-On Application Request Form. Provide information to the vendor about PSU’s SSO configuration.
Contact OIT's Identity and Access Management (IAM) team for assistance with the vendor’s forms or questionnaires for implementing SSO.
From the vendor, we need either:The SAML metadata for the Service Provider.
Data required for us to create SAML metadata, viz.:
One or more URLs for Assertion Consumer Service endpoint.
Zero or more public keys/certificates for signing and encryption.
Configure a test instance.
We recommend using a test application instance using our stage environment to get the application working with the SSO testing environment. If possible, keep the test instance to validate future SSO changes before they are moved to production.If troubleshooting is called for, IAM might ask to point to our development environment. Unless your application provides three different environments, do not configure for this environment unless requested.
Note that only our production identity provider has metadata published through InCommon Federation; non-production instances will require manually importing metadata.Configure a production instance.
Use the production information below to configure a production instance of the application.
Information requested by vendors
Organization: Portland State University
Contact: IAM Team <oit-iamteam-group@pdx.edu>
Member of InCommon: Yes
Identity Provider (IdP): Shibboleth 4.0
SAML configuration
SAML version: 1.1, 2.0 (preferred)
SP-Initiated or IdP-Initiated: SP-Initiated (only)
Service Providers registered with InCommon usually require only PSU’s entity ID and no further configuration for PSU’s SSO.
Service Providers not registered with InCommon require either SAML metadata or URLs of protocol endpoints/bindings. In either case, PSU’s SSO requires explicit configuration with the metadata provided by the SP or by creating metadata from the SP’s protocol endpoints.
Production | |
|---|---|
Entity ID | https://sso.pdx.edu/idp/shibboleth |
Metadata | https://sso.pdx.edu/idp/shibboleth |
Login URL | https://sso.pdx.edu/idp/profile/SAML2/Redirect/SSO |
Logout URL | https://sso.pdx.edu/idp/profile/Logout |
Public Keys |
|
Stage | |
|---|---|
Entity ID | https://sso-stage.oit.pdx.edu/idp/shibboleth |
Metadata | https://sso-stage.oit.pdx.edu/idp/shibboleth |
Login URL | https://sso-stage.oit.pdx.edu/idp/profile/SAML2/Redirect/SSO |
Logout URL | https://sso-stage.oit.pdx.edu/idp/profile/Logout |
Public Keys |
|
Development | |
|---|---|
Entity ID | https://sso-dev.oit.pdx.edu/idp/shibboleth |
Metadata | https://sso-dev.oit.pdx.edu/idp/shibboleth |
Login URL | https://sso-dev.oit.pdx.edu/idp/profile/SAML2/Redirect/SSO |
Logout URL | https://sso-dev.oit.pdx.edu/idp/profile/Logout |
Public Keys |
|
CAS configuration
CAS protocol version: 2.0
Production | |
|---|---|
Server | sso.pdx.edu |
Port | 443 |
CAS URI | https://sso.pdx.edu/idp/profile/cas |
Logout | https://sso.pdx.edu/idp/profile/Logout |
CASLoginURL | https://sso.pdx.edu/idp/profile/cas/login |
CASValidateURL | https://sso.pdx.edu/idp/profile/cas/serviceValidate |
CASProxyValidateURL | https://sso.pdx.edu/idp/profile/cas/proxyValidate |
Stage | |
|---|---|
Server | sso-stage.oit.pdx.edu |
Port | 443 |
CAS URI | https://sso-stage.oit.pdx.edu/idp/profile/cas |
Logout | https://sso-stage.oit.pdx.edu/idp/profile/Logout |
CASLoginURL | https://sso-stage.oit.pdx.edu/idp/profile/cas/login |
CASValidateURL | https://sso-stage.oit.pdx.edu/idp/profile/cas/serviceValidate |
CASProxyValidateURL | https://sso-stage.oit.pdx.edu/idp/profile/cas/proxyValidate |
Development | |
|---|---|
Server | sso-dev.oit.pdx.edu |
Port | 443 |
CAS URI | https://sso-dev.oit.pdx.edu/idp/profile/cas |
Logout | https://sso-dev.oit.pdx.edu/idp/profile/Logout |
CASLoginURL | https://sso-dev.oit.pdx.edu/idp/profile/cas/login |
CASValidateURL | https://sso-dev.oit.pdx.edu/idp/profile/cas/serviceValidate |
CASProxyValidateURL | https://sso-dev.oit.pdx.edu/idp/profile/cas/proxyValidate |
Attributes
Attributes are user data that are released by Shibboleth to the application upon successful login. See the eduPerson standard for more detailed descriptions of most of these. For identifiers, see the Shibboleth concepts document NameIdentifiers and the SAML Subject Identifier specification, especially the “Problem Statement” section.
Friendly Name | SAML v2 Name | Description |
|---|---|---|
samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id | Privacy-preserving, persistent universally unique identifier. |
samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id | Universally unique identifier. Same as “psuuuid” with an “@pdx.edu” scope. |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Scoped uid, i.e., odin@pdx.edu |
psuuuid | urn:oid:1.3.6.1.4.1.34509.1.2.2.4 | Universally unique identifier |
uid | urn:oid:0.9.2342.19200300.100.1.1 | Odin username |
urn:oid:0.9.2342.19200300.100.1.3 | Email address | |
sn | urn:oid:2.5.4.4 | Last name |
givenName | urn:oid:2.5.4.42 | First name |
displayName | urn:oid:2.16.840.1.113730.3.1.241 | Full name |
eduPersonPrimaryAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | Primary role |
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | List of roles with domain scope, enables distinguishing co-admits and similar |
eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | List of roles |
eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | List of entitlements permitting access for a limited number of cases |
eduPersonDisplayPronouns | urn:oid:1.3.6.1.4.1.5923.1.1.1.18 | User-provided pronouns for display |
UDC_IDENTIFIER† | urn:oid:udc-identifier-oid | Banner identifier |
eduPersonUniqueId† | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | Student and employee ID, aka Banner 9-number, Spriden ID |
eduPersonTargetedId | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Universally unique identifier (note that we provide this as a simple string format, rather than the “NameID” format some vendors require) |
† Available upon request with suitable business case.
Logout
We consider it a best practice to perform logout by destroying application session cookies and then destroying the user's SSO session by forwarding them to the SSO logout endpoint. This prevents accidental re-authentication in your application with the remaining sso.pdx.edu session cookies.
We do not, however, support true single-logout due to it being technically infeasible. The logout URLs documented above end the user’s session with the Identity Provider but previously-authenticated sessions with applications remain valid.
Odin username changes
Odin usernames are occasionally renamed due to special circumstances. Administrators of SSO enabled applications should subscribe to the OIT account rename notification list if tracking username changes is necessary for your application.
Using one of the persistent, opaque attributes for an identifier, such as samlPairwiseID or samlSubjectID, and tracking uid changes like any other attribute is preferable to having to maintain usernames.
Test accounts
Often a vendor will request a test account for use in setting up SSO. We do not currently have test accounts in production, but departments can set up affiliate accounts for vendors. Learn more about affiliate accounts.
Frequently asked questions
What attribute should be the primary identifier to correlate logins with accounts within my application?
We suggest using psuuuid as the primary identifier, rather than uid (username) or mail. Both uid and mail can change — the former in the case of an account rename and the latter in the case of rename or the user requesting an alias.
We strongly recommend against using the mail attribute as it often is not “uid@pdx.edu” and can easily change due to the possibility of email aliases. Also, the domain for mail is different between production and non-production environments: @pdx.edu for production and @gtest.pdx.edu for stage. If the vendor or application insists on an attribute formatted like an email address, use the eduPersonPrincipalName.
How do I determine if a user is active?
To determine if a user is a current student or employee, use the eduPersonScopedAffiliation role.
All users with a standard Odin account will have “member@pdx.edu”, along with other affiliations like “student@pdx.edu” or “employee@pdx.edu”.
Provisional, limited lifetime and inactive users will not have “member@pdx.edu” among those roles; do not use the presence of “none@pdx.edu” as an indication that the user is inactive, as this is the result of a limitation of a part of our identity management systems and should not be relied upon.
Note that in order to access records via Banweb, all users have accounts for life and are able to authenticate via SSO. Furthermore, provisional accounts can be created by anyone with nothing more than an external email address – these are also able to authenticate via SSO. Validating active users is mandatory; do not assume that a user successfully authenticating with SSO means this is an active student or employee! The Identity Provider cannot restrict these accounts from your application.
What are the possible values for eduPersonAffiliation, eduPersonPrimaryAffiliation, eduPersonScopedAffiliaton?
These attributes use a controlled vocabulary from the eduPerson specification. Permissible values are faculty, student, staff, alum, member, affiliate, employee, library-walk-in. Read an explanation of what these values mean as part of the eduPersonAffiliation definition.
The scope of eduPersonScopedAffiliation attributes will usually be “@pdx.edu”. Due to programs such as co-admission with other local institutions, there may be values with other scopes, such as “student@ohsu.edu”; however, anyone eligible for student benefits at PSU will also have “student@pdx.edu”.
To distinguish between regular employees and student workers, however, use the single-valued eduPersonPrimaryAffiliation. Both cases will have eduPersonScopedAffiliation value “employee@pdx.edu” (and regular employees who are also part-time students will have “student@pdx.edu”); however, student workers will have eduPersonPrimaryAffiliation value of “student” and regular employees will have “faculty” or “staff”.