CampusGroups supports two Single Sign On methods: CAS and SAML.
All SSO methods will match the provided user identifier against the "netid" field or the "email" field on the platform.
In addition, the SAML integration can automatically provision new users as they first sign in if necessary.
For the CAS integration:
You will need to provide us with the CAS base URL to use (for instance, https://domain.edu/idp/profile/cas/).
For the SAML integration (which can be used with most standard identity providers, including Shibboleth, ADFS, Azure AD, etc.):
1-A) If you are a member of the InCommon federation:
You will need to provide us with the entityId of your Identity Provider
You will need to add our Service Provider as a trusted party using our entityId "https://www.campusgroups.com/shibboleth"
1-B) If you are not a member of the InCommon federation:
You will need to provide us with a link to your metadata file
You will need to add our Service Provider as a trusted party using our metadata URL "https://www.campusgroups.com/Shibboleth.sso/Metadata" and our entityId "https://www.campusgroups.com/shibboleth"
2. You will need to release at least one attribute with a name from the following list and whose value will be used as the primary identifier for users signing in:
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (also referred to as "eppn"; only applicable for customers running Shibboleth IdP as their Identity Provider using a configuration that matches the EduPerson standard)
urn:oid:0.9.2342.19200300.100.1.3 (also referred to as "mail"; best choice if the primary identifier you will be releasing also serves as a valid email address for the user)
urn:oid:0.9.2342.19200300.100.1.1 (also referred to as "uid"; best choice if the primary identifier you will be releasing is not a valid email address for the user)
3. Once this is done, we will set up your SSO URL, which will look like "https://www.campusgroups.com/shibboleth/yourschool"
4. You will then be able to test signing in, and once you confirm that the SSO works correctly through this link, we will add the SSO login button to the login page for your platform.
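A pre-check for step 2 that an IdP administrator can run on a test AttributeStatement before the sign-in test in step 4. This is an added example, not CampusGroups code: it only inspects which attributes are released and whether eppn and affiliation values are scoped, and it does not verify SAML signatures. The sample XML is constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
IDENTIFIERS = {  # primary identifier attributes from step 2 above
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
}
# Attributes this page says must carry scoped values (name@scope).
SCOPED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation",
}

def released_attributes(xml_text):
    """Return {attribute Name: [values]} for every Attribute element found."""
    released = {}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")]
        released.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return released

def is_scoped(value):
    local, sep, scope = value.partition("@")
    return bool(local and sep and scope) and "@" not in scope

def check_release(xml_text):
    """Return (identifier names released, list of problems)."""
    released = released_attributes(xml_text)
    found = [name for oid, name in IDENTIFIERS.items() if released.get(oid)]
    problems = [] if found else ["no primary identifier (eppn, mail or uid) released"]
    for oid, name in SCOPED.items():
        for value in released.get(oid, []):
            if not is_scoped(value):
                problems.append(f"{name} value {value!r} is not scoped")
    return found, problems

# Constructed sample: eppn released without a scope, one affiliation unscoped.
SAMPLE = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>staff@your.domain.edu</saml:AttributeValue>
    <saml:AttributeValue>employee</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
""".strip()
```

Calling check_release(SAMPLE) reports eppn as the released identifier and flags both the unscoped eppn value and the unscoped affiliation value.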
Just-In-Time Provisioning:
If you are planning on enabling provisioning of new users as they first sign in through SAML, please inform your Implementation Team or Campus Success Associate, or email support@campusgroups.com; they will assist in gathering the necessary information to set up these features.
To configure JIT Provisioning through SSO, you will need to release additional supported attributes from the list at the bottom of this article, which can be mapped to first name, last name, email, netid, account type and year of graduation, similar to:
urn:oid:2.5.4.42 -> first name
urn:oid:2.5.4.4 -> last name
urn:oid:2.16.840.1.113730.3.1.241 -> preferred name
urn:oid:0.9.2342.19200300.100.1.3 -> email address
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 -> account type
If the attribute mapped to Account Type is single-valued (for example if passing a "primary affiliation" with a single value), we will also need the mapping information that translates possible values for this attribute to the matching Account Type in CampusGroups, plus a default Account Type for unmapped values; for example:
student => CG Student
faculty => CG Staff & Faculty
staff => CG Staff & Faculty
DEFAULT => CG Guest
If the attribute mapped to Account Type is multi-valued (for example if passing a list of affiliations for the user), we will also need the mapping information that translates possible combinations of values for this attribute to the matching Account Type in CampusGroups and/or which Account Type to map to based on a value present in the list and finally a default Account Type for unmapped values; for example:
employee,student => CG Student Employee
faculty => CG Staff & Faculty
employee,faculty => CG Staff & Faculty
staff => CG Staff & Faculty
employee,staff => CG Staff & Faculty
CONTAINS student => CG Student
DEFAULT => CG Guest
Note that exact combination matches take precedence over "CONTAINS" mappings, which take precedence over the DEFAULT mapping.
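Because Account Type drives access control, it is worth checking how a proposed mapping table resolves real affiliation combinations before submitting it. The resolver below is an added example, not CampusGroups code; it applies the precedence stated above to the multi-valued example table. Comparing values as exact, unscoped strings and trying CONTAINS rules in listed order are assumptions, and the sample value sets are constructed.

```python
# Mapping table copied from the multi-valued example above.
EXACT = {
    frozenset({"employee", "student"}): "CG Student Employee",
    frozenset({"faculty"}): "CG Staff & Faculty",
    frozenset({"employee", "faculty"}): "CG Staff & Faculty",
    frozenset({"staff"}): "CG Staff & Faculty",
    frozenset({"employee", "staff"}): "CG Staff & Faculty",
}
CONTAINS = [("student", "CG Student")]  # tried in listed order (assumption)
DEFAULT = "CG Guest"


def resolve_account_type(values, exact=EXACT, contains=CONTAINS, default=DEFAULT):
    """Return (account_type, rule) for the values released for one user."""
    # A combination is an unordered set: drop blanks and duplicates.
    released = frozenset(v.strip() for v in values if v and v.strip())
    if released in exact:                      # 1. exact combination match
        return exact[released], "exact"
    for needle, account_type in contains:      # 2. CONTAINS rules
        if needle in released:
            return account_type, "contains"
    return default, "default"                  # 3. DEFAULT


def audit(samples):
    """Resolve each sample; returns (sorted values, account type, rule) tuples."""
    return [(sorted(set(v)), *resolve_account_type(v)) for v in samples]


# Constructed value sets, as an IdP might release them.
SAMPLES = [
    ["employee", "student"],
    ["student", "member"],
    ["student", "employee", "alum"],
    ["faculty", "staff"],
    ["alum"],
    [],
]

if __name__ == "__main__":
    for values, account_type, rule in audit(SAMPLES):
        print(f"{','.join(values) or '(none)':28} -> {account_type:20} [{rule}]")
```

With the example table, a user released as both faculty and staff matches no exact combination and no CONTAINS rule, so they resolve to the DEFAULT account type; an audit like this surfaces such gaps before they affect access.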
Account type and year of graduation can be omitted, but since they are used for access control throughout the platform, we strongly suggest adding them.
If the values used for the account type attribute do not match the possible values configured on your CampusGroups platform, you will also need to provide us with the mapping between the two sets of values.
Supported Attributes
We are only able to accept these attribute Object Identifiers.
Note that any of these fields can be mapped to any of the CampusGroups profile fields regardless of their default name.
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 which is titled eppn (value must be scoped, e.g. username@your.domain.edu)
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 which is titled affiliation (value must be scoped, e.g. staff@your.domain.edu)
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 which is titled unscoped-affiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 which is titled entitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.5 which is titled primary-affiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.2 which is titled nickname
urn:oid:1.3.6.1.4.1.5923.1.1.1.8 which is titled primary-orgunit-dn
urn:oid:1.3.6.1.4.1.5923.1.1.1.4 which is titled orgunit-dn
urn:oid:1.3.6.1.4.1.5923.1.1.1.3 which is titled org-dn
urn:oid:1.3.6.1.4.1.5923.1.1.1.11 which is titled assurance
urn:oid:1.3.6.1.4.1.5923.1.5.1.1 which is titled member
urn:oid:1.3.6.1.4.1.5923.1.6.1.1 which is titled eduCourseOffering
urn:oid:1.3.6.1.4.1.5923.1.6.1.2 which is titled eduCourseMember
urn:oid:1.3.6.1.4.1.5923.1.9 which is titled eduPermissionGroup
urn:oid:2.5.4.3 which is titled cn
urn:oid:2.5.4.4 which is titled sn
urn:oid:2.5.4.42 which is titled givenName
urn:oid:2.16.840.1.113730.3.1.241 which is titled displayName
urn:oid:0.9.2342.19200300.100.1.1 which is titled uid
urn:oid:0.9.2342.19200300.100.1.3 which is titled mail
urn:oid:2.5.4.20 which is titled telephoneNumber
urn:oid:2.5.4.12 which is titled title
urn:oid:2.5.4.43 which is titled initials
urn:oid:2.5.4.13 which is titled description
urn:oid:2.16.840.1.113730.3.1.1 which is titled carLicense
urn:oid:2.16.840.1.113730.3.1.2 which is titled departmentNumber
urn:oid:2.16.840.1.113730.3.1.3 which is titled employeeNumber
urn:oid:2.16.840.1.113730.3.1.4 which is titled employeeType
urn:oid:2.16.840.1.113730.3.1.39 which is titled preferredLanguage
urn:oid:0.9.2342.19200300.100.1.10 which is titled manager
urn:oid:2.5.4.34 which is titled seeAlso
urn:oid:2.5.4.23 which is titled facsimileTelephoneNumber
urn:oid:2.5.4.9 which is titled street
urn:oid:2.5.4.18 which is titled postOfficeBox
urn:oid:2.5.4.17 which is titled postalCode
urn:oid:2.5.4.8 which is titled st
urn:oid:2.5.4.7 which is titled l
urn:oid:2.5.4.10 which is titled o
urn:oid:2.5.4.11 which is titled ou
urn:oid:2.5.4.15 which is titled businessCategory
urn:oid:2.5.4.19 which is titled physicalDeliveryOfficeName
Please contact support@campusgroups.com with any questions.