...
...
...
...
...
...
Table of Contents
Table of Contents | ||
---|---|---|
|
UH Login Integration Request Form
Requests for integrating your application with UH Login (CAS or Shibboleth) are now available via a single Kuali Build form.
Use this link to make a request:
...
Integrations include CAS URL registrations and Shibboleth Identity Provider service metadata sharing.
Authentication and Data Governance Information
The following information is also provided in the request form and as is maintained here for legacy reasons and will likely be removed in the future. See the above link for access to the form.The cloud service provider you are working with will need to work with the IAM team to integrate their application with our UH Login Service. UH uses the Shibboleth IdP to provide this service.
If you are utilizing a 3rd-party service provider, the release of attributes to this 3rd party requires UH Data Governance Process approval. See below for more information.
A Data Governance Process approval is not required if the Service Provider is a member of Internet2 or the InCommon Federation. The services offered by these
Providersproviders are already covered by UH contracts and agreements.
- This should minimally include the source of SAML metadata for the SP[*]; required/requested attributes; and any other requirements, such as a specific SAML NameID format
- If the SP
If the 3rd party service provider is a member of the the InCommon Federation,
metadata should be available through their aggregate metadatathe UH Login Service may already interoperate with the 3rd party service provider.
UH credentials and the UH Login service are used for UH applications as well as for select 3rd-party, cloud-based applications. To request integration to a new 3rd-party, there are two components to the request:
a Data Governance approval request from the UH Data Governance office, and
a 3rd-party integration request from the ITS Identity and Access Management team.
Data Governance Request
The UH Data Governance component is required because the integration effectively shares restricted “restricted” UH data with a 3rd party. Compliance to UH Data Governance policy is a prerequisite to any technical solution. More information on UH Data Governance policies is available:
UH Identity Provider Service Values for Service Providers
Service Providers require the following information so that their SP is able to interface successfully with the UH IdPIdentity Provider service.
IdP Info | UH Value | Notes |
---|---|---|
Identity Provider EntityID | Production Environment (and metadata source URL) | |
Identity Provider EntityID | Test Environment (and metadata source URL) | |
Administrator Email Address | ||
UH is considered to be an Identity Provider. |
Attribute Release Practices
Vet each attribute release request with the UH Data Governance Committee.
Document and post each attribute release policy (below).
Release only the minimally required information.
Release targeted unique identifiers to 3rd party
SPsservice providers to prevent them from pooling information to learn more about a person's purchasing habits (protects privacy).
Service Provider Test Environments Recommended
It is recommended that a test environment for the SP service provider be available to test candidate configurations in our IdP UH identity provider test environment to ensure everything meets expectations before deployment to our production IdP environment. If unable to test candidate configurations in our IdP test environment first, we are capable of deploying candidates directly to our production environment, but change management procedures constrain this and limits how quickly we can test and deploy any necessary changes.
It is also highly recommended that an SP a service provider test environment be generally available beyond the initial service deployment. When the Shibboleth IdP is upgraded as necessary, An SP test environment will provide a means to test against any new IdP integration changes before the new versions are deployed to our production IdP Identity Provider environment.
Released Attributes
The attributes are released as specified by the attribute release policy set up for each SP. Below is a subset of the available attributes. UH generally uses the eduPerson schema.
Attribute | Description | Example Data | Additional Info |
---|---|---|---|
Common Name | Jane Doe | ||
Surname | Doe | ||
Given name | Jane | ||
Preferred form of name for display | J. Doe |
|
| |||
Campus affiliation | student | ||
Campus affiliation @ scope (hawaii.edu) | student@hawaii.edu | ||
eduPersonPrincipalName (ePPN) | UH Username '@' scope (hawaii.edu) | jdoe@hawaii.edu |
|
eduPersonTargetedID (ePTID) | An opaque, persistent unique id for each person for each Service Provider. | yWuV78oU5z65ulepbaOCsrjHMtI= |
|
| |||
Email address | jdoe@hawaii.edu |
| |
UH Number | 12341234 |
| |
UH Username | jdoe |
| |
Organizational affiliations by role | eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty |
| |
Name used to AuthN to the IdP | jdoe |
|
More comprehensive information re for these attributes may be found here:
InCommon Federation Default Attribute Bundle
We release the following attributes by default to members of the InCommon Federation:
displayName (if available)
References
A good SAML primer