/
UH Login Requests for 3rd-Party Integrations

UH Login Requests for 3rd-Party Integrations

Table of Contents

UH Login Integration Request Forms

Because integration with UH Login effectively shares “restricted” UH data with a 3rd party, UH Data Governance approval must first be obtained. See below for “Data Flow” information to be included on the DGO request form. While the request is pending, the IAM team can work with you and the vendor team on the technical aspects of the integration.

Request Data Governance Office approval: <Request DGO approval>

To request integrate with UH Login please use this form:

Request UH Login integration: <Request an integration>

To determine if your Service Provider is a participant of the InCommon Federation, this resource is available (or ask them):

Data Governance Request - Data Flow

This section will aid you with completing the Data Governance request form.

Use the information below to help with completing the UH Login portion of the form. For the remainder of the form, consult with the Data Governance Office or your assigned technical support staff.

III. A Data Flow

  • Data Source: UH Institutional Data System

    • Institutional Data System: Identity Management System (IMS) - For UH Login integration requests

    • Which campus(es): UH System

  • Data Destination: A 3rd-party service provider - better yet, provide the name of the service provider here.

  • Data Elements: [requested attributes, e.g. uhEmail, givenName, sn] - Your vendor should provide the exact list.

  • Data Transmission

    • How Often: Ad-hoc

    • Method: Secured SSL, UH Login

Authentication and Data Governance

The cloud service provider you are working with will need to work with the IAM team to integrate their application with our UH Login Service. UH uses the Shibboleth IdP to provide this service.

  • A Data Governance Process approval is not required if the Service Provider is a member of Internet2 or the InCommon Federation. The services offered by these providers are already covered by UH contracts and agreements.

  • If the 3rd party service provider is a member of the the InCommon Federation, the UH Login Service may already interoperate with the 3rd party service provider.

UH Identity Provider Service Values for Service Providers

Service Providers require the following information so that their SP is able to interface successfully with the UH Identity Provider service.

IdP Info

UH Value

Notes

IdP Info

UH Value

Notes

Identity Provider EntityID

https://idp.hawaii.edu/idp/shibboleth

Production Environment (and metadata source URL)

Identity Provider EntityID

https://idp-test.its.hawaii.edu/idp/shibboleth

Test Environment (and metadata source URL)

Administrator Email Address

its-iam-help@lists.hawaii.edu

 

UH is considered to be an Identity Provider in this context.

Service Provider Test Environments Recommended

It is recommended that a test environment for the service provider be available to test candidate configurations in our UH identity provider test environment to ensure everything meets expectations before deployment to our production environment. If unable to test candidate configurations in our test environment first, we are capable of deploying candidates directly to our production environment, but change management procedures constrain this and limits how quickly we can test and deploy any necessary changes.

It is highly recommended that a service provider test environment be generally available beyond the initial service deployment. When the Shibboleth IdP is upgraded as necessary, An SP test environment will provide a means to test against any new integration changes before the new versions are deployed to our production Identity Provider environment.

Released Attributes

The attributes are released as specified by the attribute release policy set up for each SP. Below is a subset of the available attributes. UH generally uses the eduPerson schema.

Attribute

Description

Example Data

Additional Info

Attribute

Description

Example Data

Additional Info

cn

Common Name

Jane Doe



sn

Surname

Doe



givenName

Given name

Jane



displayName

Preferred form of name for display

J. Doe

  • Optional, often not be present

eduPersonAffiliation

Campus affiliation

student



eduPersonScopedAffiliation

Campus affiliation @ scope (hawaii.edu)

student@hawaii.edu



eduPersonPrincipalName (ePPN)

UH Username '@' scope (hawaii.edu)

jdoe@hawaii.edu

  • These are never reassigned

uhEmail

Email address

jdoe@hawaii.edu

  • Single valued

  • These are never reassigned

uhUuid

UH Number

12341234

  • AKA Employee Id and Student Id

  • These are never reassigned

uid

UH Username

jdoe

  • These are never reassigned

uhOrgAffiliation

Organizational affiliations by role

eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty

  • May be multi-valued unordered set, returned order is not significant

principal

Name used to AuthN to the IdP

jdoe

  • Used for Google @ UH

More comprehensive information for these attributes may be found here:

InCommon Federation Default Attribute Bundle

We release the following attributes by default to members of the InCommon Federation: