

UH Login Integration Request Form

Requests for integrating your application with UH Login (CAS or Shibboleth) are now available via a single Kuali Build form.

Use this link to make a request:


 <Request an integration>

Integrations include CAS URL registrations and Shibboleth Identity Provider service metadata sharing.

Authentication and Data Governance Information


The cloud service provider you are working with will need to work with the IAM team to integrate their application with our UH Login Service. UH uses the Shibboleth IdP to provide this service.

  • If you are utilizing a 3rd-party service provider, the release of attributes to this 3rd party requires UH Data Governance Process approval. See below for more information.

  • A Data Governance Process approval is not required if the Service Provider is a member of Internet2 or the InCommon Federation. The services offered by these Providers are already covered by UH contracts and agreements.

  • The request should minimally include the source of SAML metadata for the SP[*]; the required/requested attributes; and any other requirements, such as a specific SAML NameID format.

  • If the SP is a member of the InCommon Federation, metadata should be available through the InCommon aggregate metadata.
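As an added example (not part of this page and not UH IAM tooling), the following Python script reads an SP's SAML metadata and pulls out the items the request has to state: the entityID, the NameID format(s), the assertion consumer endpoints, whether a signing certificate is present, and which attributes the SP marks as required versus optional. It then compares that request against the attribute set approved through Data Governance to derive the minimal release and list anything to settle before registration. The metadata document, vendor entityID, endpoint, certificate and approved set are constructed placeholders; the attribute `Name` values are the standard OIDs for the named eduPerson/LDAP attributes.

```python
"""Pre-review an SP's SAML metadata for a UH Login integration request.

Added example, not UH's own tooling. The metadata below is constructed
(placeholder vendor entityID, endpoint and certificate); attribute Names are
the standard OIDs for the named eduPerson/LDAP attributes.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata; nothing here is a real vendor.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example-vendor.test/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example-vendor.test/Shibboleth.sso/SAML2/POST"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Vendor (constructed)</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="eduPersonTargetedID"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail"
          Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="displayName"
          Name="urn:oid:2.16.840.1.113730.3.1.241"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text: str) -> dict:
    """Extract the facts an integration request must state about the SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata contains no SPSSODescriptor")
    required, optional = set(), set()
    for ra in sp.iterfind("md:AttributeConsumingService/md:RequestedAttribute", NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        # SAML treats a missing isRequired as false
        if ra.get("isRequired", "false").lower() == "true":
            required.add(name)
        else:
            optional.add(name)
    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": [e.text.strip() for e in sp.iterfind("md:NameIDFormat", NS)],
        "acs_locations": [e.get("Location") for e in sp.iterfind("md:AssertionConsumerService", NS)],
        "has_signing_cert": sp.find(
            "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None,
        "required": required,
        "optional": optional,
    }


def review_request(summary: dict, approved: set) -> dict:
    """Derive the minimal release set and list issues to settle before registering the SP.

    `approved` is the attribute set cleared through the Data Governance process."""
    findings = []
    for loc in summary["acs_locations"]:
        if not loc.startswith("https://"):
            findings.append(f"non-HTTPS AssertionConsumerService endpoint: {loc}")
    if not summary["has_signing_cert"]:
        findings.append("no signing certificate in metadata")
    missing = summary["required"] - approved
    if missing:
        findings.append("required by SP but not approved: " + ", ".join(sorted(missing)))
    if summary["optional"]:
        findings.append("optional attributes requested, confirm need: "
                        + ", ".join(sorted(summary["optional"])))
    # Release only what was both requested and approved, nothing more.
    release = (summary["required"] | summary["optional"]) & approved
    return {"release": release, "findings": findings}


if __name__ == "__main__":
    s = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print(s)
    print(review_request(s, {"eduPersonPrincipalName", "eduPersonTargetedID", "displayName"}))
```

Run against real SP metadata, the `findings` list is what goes back to the vendor: a required attribute that Data Governance did not approve, an optional attribute whose need is unclear, or an endpoint or key problem, each of which has to be resolved before the attribute release policy is written.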

UH credentials and the UH Login service are used for UH applications as well as for select 3rd-party, cloud-based applications. To request integration to a new 3rd-party, there are two components to the request:

  1. a Data Governance approval request, and

  2. a 3rd-party integration request.

Data Governance Request

The UH Data Governance component is required because the integration effectively shares restricted UH data with a 3rd party. Compliance with UH Data Governance policy is a prerequisite to any technical solution. More information on UH Data Governance policies is available:

UH Identity Provider Service Values for Service Providers

Service Providers require the following information so that their SP is able to interface successfully with the UH IdP.

| IdP Info | UH Value | Notes |
|---|---|---|
| Identity Provider EntityID | https://idp.hawaii.edu/idp/shibboleth | Production Environment (and metadata source URL) |
| Identity Provider EntityID | https://idp-test.its.hawaii.edu/idp/shibboleth | Test Environment (and metadata source URL) |
| Administrator Email Address | its-iam-help@lists.hawaii.edu | |

UH is considered to be an Identity Provider.

Attribute Release Practices

  • Vet each attribute release request with the UH Data Governance Committee.

  • Document and post each attribute release policy (below).

  • Release only the minimally required information.

  • Release targeted unique identifiers to 3rd party SPs to prevent them from pooling information to learn more about a person's purchasing habits (protects privacy).

Service Provider Test Environments Recommended

It is recommended that a test environment for the SP be available so that candidate configurations can be tested in our IdP test environment and verified before deployment to our production IdP environment. If candidate configurations cannot be tested in our IdP test environment first, we are capable of deploying candidates directly to our production environment, but change management procedures constrain this and limit how quickly we can test and deploy any necessary changes.

It is also highly recommended that an SP test environment remain available beyond the initial service deployment. When the Shibboleth IdP is upgraded, an SP test environment provides a means to test against the new IdP version before it is deployed to our production IdP environment.

Released Attributes

The attributes are released as specified by the attribute release policy set up for each SP. Below is a subset of the available attributes. UH generally uses the eduPerson schema.

| Attribute | Description | Example Data | Additional Info |
|---|---|---|---|
| cn | Common Name | Jane Doe | |
| sn | Surname | Doe | |
| givenName | Given name | Jane | |
| displayName | Preferred form of name for display | J. Doe | Optional, may not be present |
| eduPersonAffiliation | Campus affiliation | student | |
| eduPersonScopedAffiliation | Campus affiliation @ scope (hawaii.edu) | student@hawaii.edu | |
| eduPersonPrincipalName (ePPN) | UH Username '@' scope (hawaii.edu) | jdoe@hawaii.edu | Never reassigned |
| eduPersonTargetedID (ePTID) | An opaque, persistent unique ID for each person for each Service Provider | yWuV78oU5z65ulepbaOCsrjHMtI= | Designed to help preserve user privacy by preventing different Service Providers from aggregating and matching user data; recent Internet2 MACE-dir discussions suggest this attribute may be deprecated in the future, with eduPersonUniqueID the heir apparent; a cryptographically secure hash is used to create the unique identifier for each user for each Service Provider |
| uhEmail | Email address | jdoe@hawaii.edu | Single valued; never reassigned |
| uhUuid | UH Number | 12341234 | AKA Employee ID and Student ID; never reassigned |
| uid | UH Username | jdoe | Never reassigned |
| uhOrgAffiliation | Organizational affiliations by role | eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty | May be a multi-valued unordered set; returned order is not significant |
| principal | Name used to authenticate (AuthN) to the IdP | jdoe | Used for Google @ UH |
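The table describes eduPersonTargetedID as an opaque, persistent, per-SP identifier produced by a cryptographically secure hash. The following Python, added here as an illustration and not UH's code, shows how such a pairwise identifier is typically derived, following the documented construction of the Shibboleth IdP ComputedId data connector (SHA-1 over the relying party's entityID, the source identifier and a secret salt, base64-encoded). The salt and the SP entity IDs are constructed placeholders; which source attribute and salt UH actually uses is not known to this example, so the values it prints will not match UH's. The production IdP entityID is taken from the table above.

```python
"""Per-SP targeted identifiers in the style of eduPersonTargetedID.

Added example, not UH's code. Follows the documented construction of the
Shibboleth IdP ComputedId data connector; the salt and SP entity IDs below
are constructed placeholders.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://idp.hawaii.edu/idp/shibboleth"      # from the page
SALT = b"constructed-example-salt-not-a-real-secret"         # placeholder secret


def computed_id(sp_entity_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Opaque, persistent, SP-specific value: base64(SHA-1(sp '!' source '!' salt)).

    The salt is what keeps the value opaque: without it an SP holding a list
    of UH usernames could not recompute and match identifiers, and two SPs
    get unrelated values for the same person because their entityIDs differ."""
    material = f"{sp_entity_id}!{source_id}!".encode() + salt
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def targeted_id(sp_entity_id: str, source_id: str) -> str:
    """String form of the SAML persistent NameID carried in ePTID: IdP!SP!value."""
    return f"{IDP_ENTITY_ID}!{sp_entity_id}!{computed_id(sp_entity_id, source_id)}"


def privacy_properties(source_id: str, sp_a: str, sp_b: str) -> dict:
    """Check, for one user, the properties the table attributes to ePTID."""
    first = computed_id(sp_a, source_id)
    again = computed_id(sp_a, source_id)
    other = computed_id(sp_b, source_id)
    return {
        "persistent": first == again,      # same value on every login to SP A
        "pairwise": first != other,        # SP A and SP B see different values
        "opaque": source_id not in first,  # the username is not embedded
        "length": len(first),              # 28 chars, like the example in the table
    }


if __name__ == "__main__":
    sp_a = "https://sp-a.example.test/shibboleth"   # constructed
    sp_b = "https://sp-b.example.test/shibboleth"   # constructed
    print(targeted_id(sp_a, "jdoe"))
    print(privacy_properties("jdoe", sp_a, sp_b))
```

The practical consequence for an IdP operator is that the salt is part of the identity data: losing or rotating it changes every user's ePTID at every SP, and the same is true of changing the source attribute, which is one reason the table says the underlying identifiers are never reassigned.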

More comprehensive information on attributes may be found here:

References

A good SAML primer