ITS Operations : SSO - Deploying


Software Options

Shibboleth Service Provider

The Shibboleth project provides a service provider that integrates with Apache and IIS. The major operating systems are supported. Installation information is available on the Shibboleth project website.

Advantages

  • Easily integrates with existing applications that support basic authentication

  • Runs as a binary for better performance

  • Can be used to quickly convert from other basic authentication modules

  • Can share sessions when used across multiple web servers when load balancing

  • Flexible to use with multiple hostnames or applications

Disadvantages

  • Requires coordination with the server administrator to install and configure

More information on deploying the Shibboleth Service Provider.


OneLogin SAML Toolkits

OneLogin has five open-sourced SAML libraries for popular web development platforms including ASP.NET, Python, Ruby, PHP and Java. They are distributed under the MIT software license, a very permissive license. Development documentation can be found on the OneLogin website.

Advantages

  • Reduces the complexity needed to SAML-enable an application

  • Open Source

Disadvantages

  • Requires knowledge of the web application

  • Documentation is minimal

More information on deploying a service provider using OneLogin PHP SAML Toolkit.

More information on deploying a service provider using OneLogin Python SAML Toolkit.


Native Application Support

Many applications natively support Shibboleth or SAML-based authentication. Typically this is the cleanest way to integrate an application with single sign-on.

Advantages

  • Requires no additional software

  • Minimal configuration required

  • Improved session support

Disadvantages

  • May not work if not fully SAML compliant

  • Is the only option when using hosted services


Connecting to RIT's Identity Provider

Once the service provider software is installed and configured open a ticket with the ITS Service Desk and provide the following:

  1. Location of the service provider's metadata (The Shibboleth Service Provider software makes this available at https://yourhostname/Shibboleth.sso/Metadata)

  2. Contact information of the application or server administrator.

  3. The purpose of the application.

  4. A list of desired attributes. Example: first name, last name, title, etc.

  5. Also include:

    • How the attributes will be used (authorization of users, profile information, etc.)

      • A full list of attributes along with how they are organized and maintained can be found at Directory Schema.

    • If the attributes will be stored

    • If the server complies with the ISO server security standard

Note: Information about users is only provided when a user authenticates. SAML-based authentication is not a queryable directory. If you need user information for people who may not authenticate to the service please contact the ITS Service Desk for options.
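Before opening the ticket it is worth confirming that the metadata your service provider publishes is complete. The following Python check is an added example, not code from this page or from the Shibboleth project; it parses the XML the Shibboleth SP serves at https://yourhostname/Shibboleth.sso/Metadata and reports the entityID, the AssertionConsumerService endpoints, whether a certificate is present, and any endpoint that is not HTTPS. The sample metadata, the hostname app.example.edu and the certificate placeholder are all constructed.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used in SP metadata
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata for a hypothetical SP (not a real RIT service);
# the second ACS endpoint is deliberately plain HTTP so the check reports it.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://app.example.edu/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text: str) -> dict:
    """Return entityID, ACS locations, certificate count and a list of problems found."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    sp = root.find("md:SPSSODescriptor", NS)
    problems = []
    if sp is None:
        # Metadata without an SP role cannot be registered with an IdP at all
        return {"entityID": entity_id, "acs": [], "certs": 0, "problems": ["no SPSSODescriptor"]}
    certs = sp.findall(".//ds:X509Certificate", NS)
    acs = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)]
    if not certs:
        problems.append("no X509Certificate in a KeyDescriptor")
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for loc in acs:
        if not loc.startswith("https://"):
            problems.append(f"non-HTTPS ACS endpoint: {loc}")
    return {"entityID": entity_id, "acs": acs, "certs": len(certs), "problems": problems}


if __name__ == "__main__":
    for key, value in check_sp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

To check a live SP, fetch the metadata URL with your HTTP client of choice and pass the response body to check_sp_metadata.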


Multi-factor Authentication (Duo)

ITS manages who will be prompted for MFA, for what services, and in what situations. If you have questions, contact the ITS Identity and Access Management team at https://help.rit.edu/.