How to integrate SSO into a service

Single Sign On integrations can be a complex and difficult process. This guide is intended to make the process as painless as possible for everyone involved.

Single Sign On also has a lot of acronyms and terminology that can be confusing. A glossary of terminology is provided later in this document.

CAS vs. SAML

You will need to find out from the service provider if they support CAS or SAML. SAML is generally more common. These are the only SSO protocols we support. We do not support ADFS.

Integration steps (SAML)

1. Download the SAML SSO request form here: https://its.humboldt.edu/sites/default/files/docs/saml_sso_request_form.pdf

2. Give this form to the vendor you are working with and have them fill it out.

• At this point, if the vendor is unable to fill out the form or they have questions about the integration, please schedule a meeting with the service provider and the Cal Poly Humboldt sysadmin team. We can be reached at sysadmin@humboldt.edu.

3. Open a new help desk ticket called "SAML Integration for <the name of the service>" and attach the completed SAML SSO request form to the ticket.

4. It is difficult to say how long the integration will take. Generally, we expect it to be done within two weeks. There are rare occasions when a service provider is unwilling or unable to adhere to SAML standards, in which case we may not be able to proceed with the integration.

5. When the integration is ready to test, we will let you know. Sometimes it works perfectly the first time, but often it doesn't. Let us know if it isn't working the way it is supposed to, and we will try to resolve the problem.

Integration steps (CAS)

1. Open a help desk ticket called "CAS Integration for <the name of the service>". In this ticket, we just need the URL of the service in the ticket.

2. You will have to give the service provider some information about our CAS servers. Just copy the following text, and send it to the service provider.

CAS login URL (test) - https://cas-dev.humboldt.edu/cas/login

CAS logout URL (test) - https://cas-dev.humboldt.edu/cas/logout

CAS service validation URL (test) - https://cas-dev.humboldt.edu/cas/validate

CAS login URL (prod) - https://cas.humboldt.edu/cas/login

CAS logout URL (prod) - https://cas.humboldt.edu/cas/logout

CAS service validation URL (prod) - https://cas.humboldt.edu/cas/validate

3. Ask the SP if they require any additional attributes to be released and let us know what their answer is in the ticket. Usually, service providers that use CAS do not require additional attributes.

Glossary

ADFS

Active Directory Federation Services- This is a Microsoft specific SSO product. While ADFS supports SAML, it does not adhere to the RFC 2307 directory standard and is incompatible with many other SAML implementations.

Attribute

An attribute is a piece of information that is provided by the IdP to the SP. The most basic attribute is your login user ID (abc123). Other attributes can be provided- e-mail address, name, id number, affiliation, and a few others.

CAS

Central Authentication Service - A single sign on protocol that is generally easier to setup but is not as flexible as SAML.

entityID

This is the "name" of an IdP or SP. Usually this is in a URL format. For example, the Cal Poly IdP entityID is "https://sso.humboldt.edu/idp/metadata". As an added bonus, if you go to the link, it will provide the IdP metadata file.

IdP

Identity Provider - This provides the login page that is used to prove that you are actually you. The identity provider actually knows a little bit about you, like your name and e-mail address, and can relay that information to the SP if they support it.

Incommon

The Incommon Federation is a group that facilitates the use of various security related technologies among higher education institutions.

Metadata

Metadata is used with SAML SSO, but not CAS. SAML metadata is used by both the IdP and SP to establish that they are who they say they are. Incommon participants are allowed to make their metadata publicly available through Incommon- and metadata in Incommon is automatically trusted by all other participants.

SAML

Security Assertion Markup Language - This is the standard SSO protocol commonly used in higher education.

SSO

Single Sign On - A single login page that works for many different services. There are many different protocols for single sign on, but at Cal Poly Humboldt, we support CAS and SAML

SP

Service Provider - This is the website you want to log into and/or the people or company that provides it. Examples of service providers are Zoom, Canvas, and Adobe.