SSO Integration

Contents

• Background Information
• Supported SSO Methods
• Overall Process and Responsibilities
• Technical Requirements
• Functional Notes
• Attribute Release
• Contact Information

Background Information

Reclaim Hosting (RH) provides support for centralized NetID/password authentication and single sign-on (SSO) with the Domain of One’s Own environment. The Domain of One’s Own environment is characterized by a dedicated virtual server for the institution with Apache modules and/or PHP scripts to support the preferred authentication method (Shibboleth, CAS, LDAP).

Supported SSO Methods

Shibboleth

Authentication via Shibboleth is available with the Domain of One’s Own server acting as a SAML Service Provider (SP). Reclaim Hosting is also a member of the InCommon Federation and can submit the SP metadata for your Domain of One’s Own environment for inclusion in the federation metadata.

CAS (Central Authentication Service)

CAS authentication is supported via the phpCAS library. Institutions wishing to integrate with CAS will need to whitelist (register) the URL of their Domain of One’s Own instance as an authorized service on the CAS server. Note: the CAS server must be configured to release attributes in its validation response; otherwise the required attributes will need to be provided via a separate LDAP connection.

LDAP/Active Directory

Reclaim Hosting can integrate via a standard LDAP connection using either a dedicated bind account or anonymous access depending on the policies of the institution.

Overall Process and Responsibilities

The overall process of integrating your campus SSO environment with Reclaim Hosting is as follows:

  1. Institution defines the preferred SSO method.
  2. Technical coordination call (as needed) to review integration details.
  3. Technical implementation of SSO:

• Shibboleth – Exchange of the SAML metadata describing the SP and the IdP; configure the SP and IdP environments; test functionality.

• CAS – Whitelist the environment URL on the CAS server; test functionality.

• LDAP – Institution provides a bind account for LDAP access (if required); configuration of the environment; test functionality.

While each SSO integration is unique, the institution should plan on a period of development and testing of one to four weeks, from the information gathering stage through final testing and deployment.

The institution is responsible for configuring its IdP/CAS/LDAP server, adding all necessary metadata, and releasing the requested attributes to the service provider. Reclaim Hosting is responsible for configuring the virtual server environment that interfaces with the institution’s SSO environment.

Technical Requirements

Shibboleth

• IdP entityID
• IdP Metadata

*Note: If the institution is an InCommon participant, both are obtained automatically by Reclaim Hosting from the InCommon federation metadata.

CAS

• CAS Server URL and Port

LDAP

• Domain Controller(s)
• Port
• Base DN
• Account Suffix
• Bind Account (optional)
• Authorization Group (optional)
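The following is an added example (not Reclaim Hosting’s code) that models how the LDAP parameters listed above are used on the server side: the NetID plus Account Suffix forms the principal for the user’s own bind, the service account (or anonymous access) runs an escaped search under the Base DN, and the optional Authorization Group is checked against the entry’s memberOf values. All hostnames, DNs, accounts and the in-memory directory are constructed placeholders; the directory dictionary stands in for the domain controllers so the logic runs offline. Two checks a practitioner should carry over to the real implementation are the empty-password refusal (an LDAP simple bind with an empty password is an unauthenticated bind and succeeds on many servers) and the RFC 4515 filter escaping, which stops a crafted NetID from rewriting the search filter.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class LdapSettings:
    """The items the institution supplies (see Technical Requirements: LDAP)."""
    controllers: list                          # Domain Controller(s), tried in order
    port: int                                  # 636 for LDAPS, or 389 with STARTTLS
    base_dn: str                               # Base DN that user searches start from
    account_suffix: str                        # appended to the NetID for the user's bind
    bind_dn: Optional[str] = None              # Bind Account (optional); None = anonymous search
    bind_password: Optional[str] = None
    authorization_group: Optional[str] = None  # Authorization Group DN (optional)


# Constructed settings; every value here is a placeholder.
SETTINGS = LdapSettings(
    controllers=["dc1.example.edu", "dc2.example.edu"],
    port=636,
    base_dn="OU=People,DC=example,DC=edu",
    account_suffix="@example.edu",
    bind_dn="CN=dooo-bind,OU=Service,DC=example,DC=edu",
    bind_password="constructed-secret",
    authorization_group="CN=DoOO-Users,OU=Groups,DC=example,DC=edu",
)

NETID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a NetID such as '*)(cn=*' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(netid: str) -> str:
    """Filter the bind account (or anonymous search) uses to locate the user."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(netid)


def bind_principal(netid: str, settings: LdapSettings) -> str:
    """What is sent in the user's own simple bind: NetID + Account Suffix."""
    if not NETID_RE.match(netid):
        raise ValueError("NetID contains characters outside the allowed set")
    return netid + settings.account_suffix


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignoring spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_authorized(entry: dict, settings: LdapSettings) -> bool:
    """Authorization Group check against the entry's memberOf values."""
    if settings.authorization_group is None:
        return True
    wanted = normalize_dn(settings.authorization_group)
    return any(normalize_dn(g) == wanted for g in entry.get("memberOf", []))


# Constructed directory standing in for the domain controllers (offline stand-in).
DIRECTORY = {
    "jdoe": {"password": "correct horse", "mail": "jdoe@example.edu",
             "givenName": "Jane", "sn": "Doe",
             "memberOf": ["cn=DoOO-Users, ou=Groups, dc=example, dc=edu"]},
    "alum1": {"password": "hunter2", "mail": "alum1@example.edu",
              "givenName": "Al", "sn": "Um", "memberOf": []},   # not in the group
}


def authenticate(netid: str, password: str, settings: LdapSettings = SETTINGS,
                 directory: dict = DIRECTORY) -> Optional[dict]:
    """Return the attributes the application needs, or None on any failure."""
    # Empty password => unauthenticated bind (RFC 4513 section 5.1.2); refuse before any I/O.
    if not password:
        return None
    try:
        principal = bind_principal(netid, settings)
    except ValueError:
        return None
    entry = directory.get(netid)   # stands in for a search with user_search_filter(netid)
    if entry is None or entry["password"] != password:   # stands in for the user's own bind
        return None
    if not is_authorized(entry, settings):
        return None
    return {"principal": principal, "netid": netid, "mail": entry["mail"],
            "gn": entry["givenName"], "sn": entry["sn"]}
```

In a real deployment the search and bind calls go to the controllers over LDAPS (or STARTTLS), the bind account’s password is never logged, and a failed group check is reported to the user as an authorization problem rather than a bad password.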

Functional Notes

Providing Reclaim Hosting with a test account that has limited access and can authenticate with the service provider application is optional but highly recommended, as it greatly aids testing and development of the SSO integration. If a test account cannot be provided, Reclaim Hosting will rely on the institution for all testing and error reporting.

Attribute Release

The following attributes are necessary for proper function of the Domain of One’s Own environment:

  • A unique identifier (eppn, i.e. eduPersonPrincipalName, or a campus netid)
  • Email address (mail)
  • First Name (gn, or givenName as the Shibboleth SP’s default attribute map names it)
  • Last Name (sn)
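During the testing step it helps to verify, on the server side, that every attribute in the list above actually arrived. The following is an added example (not Reclaim Hosting’s code) of such a check. It accepts either the Shibboleth SP form, where the SP exposes attributes as Apache environment variables and joins multiple values with ';', or a CAS attribute dictionary, where values may be lists; both sample inputs are constructed. givenName is accepted as an alias for gn. The eppn scope check assumes the caller passes the institution’s scope; the Shibboleth SP’s own attribute filter policy remains the authoritative place to enforce scope, so this is a second-line check.

```python
import re

# Each required item may be satisfied by any of the listed attribute ids.
REQUIRED = {
    "id":   ("eppn", "netid"),      # a unique identifier; either is enough
    "mail": ("mail",),
    "gn":   ("gn", "givenName"),    # the Shibboleth SP default map uses 'givenName'
    "sn":   ("sn",),
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _values(raw) -> list:
    """Normalize one released attribute to a list of non-empty strings."""
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = raw.split(";")        # Shibboleth SP joins multiple values with ';'
    return [v.strip() for v in raw if v and v.strip()]


def check_released_attributes(attrs: dict, expected_scope: str) -> dict:
    """Return {'ok': bool, 'user': {...}, 'problems': [...]} for one login."""
    problems, user = [], {}
    for key, names in REQUIRED.items():
        name, vals = None, []
        for n in names:
            vals = _values(attrs.get(n))
            if vals:
                name = n
                break
        if not vals:
            problems.append("missing attribute: %s" % " or ".join(names))
            continue
        if key == "id" and len(vals) != 1:
            problems.append("identifier must be single-valued, got %d values" % len(vals))
            continue
        user[key] = vals[0]             # first value wins for multi-valued mail/gn/sn
        if key == "id":
            user["id_source"] = name
    # eppn is scoped (user@scope); an unscoped value or a foreign scope must not be trusted.
    if user.get("id_source") == "eppn":
        ident = user["id"]
        if "@" not in ident or ident.rsplit("@", 1)[1].lower() != expected_scope.lower():
            problems.append("eppn scope is not %s: %s" % (expected_scope, ident))
    if "mail" in user and not EMAIL_RE.match(user["mail"]):
        problems.append("mail is not a plausible address: %s" % user["mail"])
    return {"ok": not problems, "user": user, "problems": problems}


# Constructed sample: what Apache exposes after a Shibboleth login.
SHIB_OK = {
    "eppn": "jdoe@example.edu",
    "mail": "jdoe@example.edu;jane.doe@example.edu",
    "givenName": "Jane",
    "sn": "Doe",
}

# Constructed sample: CAS validation response attributes with no mail released.
CAS_MISSING_MAIL = {
    "netid": "jdoe",
    "gn": ["Jane"],
    "sn": ["Doe"],
}

if __name__ == "__main__":
    for label, sample in (("shibboleth", SHIB_OK), ("cas", CAS_MISSING_MAIL)):
        print(label, check_released_attributes(sample, "example.edu"))
```

Run this against a real login by feeding it the request environment (for Shibboleth) or the attribute map returned by the CAS validation call; a non-empty problems list is the error report to send back to the institution.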

Contact Information

Contact Reclaim Hosting support at support@reclaimhosting.com for any questions or concerns.
