Single Sign On

Single Sign On (SSO) is used at UC Berkeley to allow employees, students and affiliates to log in to multiple applications and services, using a single ID and passphrase.

To add or change a SSO integration, submit a Service Request via ServiceNow

We offer three types of SSO to campus technologists: OpenID Connect (OIDC), Central Authentication Server (CAS) and Security Assertion Markup Language (SAML). Click the links below to find out more about each protocol.

OIDC

OpenID Connect (OIDC) is a widely adopted standard for SSO.  If you want to integrate a third-party application with CalNet SSO then you will most likely use OIDC or SAML.  OIDC can also be used for campus-developed applications to provide SSO integration with CalNet ID and 2-Step (multifactor) authentication.  There are OIDC libraries available for most major application programming languages and frameworks.

CAS Protocol

CAS is generally used for campus-developed applications to provide SSO integration with CalNet ID and 2-Step (multifactor) authentication.  There are CAS integrations available for most major application programming languages and frameworks.

SAML Protocol

SAML is the widely adopted standard for SSO and federation.  If you want to integrate a third-party application with CalNet SSO then you will most likely use SAML.  For example, bMail, Box, and DocuSign are integrated with CalNet SSO using SAML.

Course Grained Authorization

If you want to restrict access to your service to specific campus populations, you can use course grained authorization to enforce authorization. Example: you can use standard affiliations such as STUDENT-TYPE-REGISTERED or EMPLOYEE-TYPE-STAFF to allow access to your service; you can also create an ad hoc authorization group.