My service has an SSO/SAML configuration option. What do I do?
To setup SSO/SAML with your service, or change an existing service, you will need to submit a Service Request form via ServiceNow. Be sure to have all of the following information before submitting your request:
INFO About Your Service
- Provide a link to any documentation provided by the vendor.
- Determine what attributes they need from our IDP.
UID (urn:oid:0.9.2342.19200300.100.1.1) ?
SN (urn:oid:2.5.4.4), Givenname (urn:oid:2.5.4.42) ?
DisplayName (urn:oid:2.16.840.1.113730.3.1.241) ?
CalNetID (urn:oid:1.3.6.1.4.1.4995.2.200.10.1.5.4) friendly name is different (berkeleyEduKerberosPrincipalString) ?
Affiliations (urn:oid:1.3.6.1.4.1.5923.1.1.1.1) friendly name eduPersonAffiliation. Note: also available in scoped format. ?
Email Address (urn:oid:0.9.2342.19200300.100.1.3) ? - Will they need a NameID as part of the assertion?
- Determine what identifier the accounts on your server will use. The uid is immutable (doesn't change). Our EPPN (Edu Person Principal Name) is the person's scoped CalNetID, ex. joe_user@berkeley.edu. All of these possible account identifiers can be formatted as a NameID.
UID?
CalNetID?
Email Address?
EPPN? - Procure the metadata from the server (SP).
- Determine if you want to do the setup in our test IDP initially or go straight to prod?
- Determine your audience for the service (staff, faculty, students, all campus community).
- If you'll need to use the email address of the users of your service, we will need to request authorization from the appropriate source system (HR, SIS).
You'll need some information about our IDP.
INFO From IDP
- Our IDP metadata
Production IDP Metadata
Test IDP Metadata
Some services can use the metadata directly, but many will need several elements separated.
- IDP EntityID
Production - urn:mace:incommon:berkeley.edu
Test - https://shib-test.berkeley.edu/idp/shibboleth - Login URL (choose between)
Production: Binding = HTTP-Redirect, URL = https://shib.berkeley.edu/idp/profile/SAML2/Redirect/SSO
Production: Binding = HTTP-POST, URL = https://shib.berkeley.edu/idp/profile/SAML2/POST/SSO
Test: Binding = HTTP-Redirect, URL = https://shib-test.berkeley.edu/idp/profile/SAML2/Redirect/SSO
Test: Binding = HTTP-POST, URL = https://shib-test.berkeley.edu/idp/profile/SAML2/POST/SSO - Logout URL (can add ?service=The_URL_of_my_service) must be registered with auth.b.e
Production: URL = https://shib.berkeley.edu/idp/logout
Test: URL = https://shib-test.berkeley.edu/idp/logout