All Collections
School Administrators
Single Sign-On Integration
Single Sign-On Integration

Follow these steps to set up single sign-on

Albert avatar
Written by Albert
Updated over a week ago

CampusGroups supports two Single Sign On methods: CAS and SAML.

All SSO methods will match the provided user identifier against the email and netid values in user profiles.


In addition, the SAML integration can automatically provision new users as they first sign in if necessary using Just In Time Provisioning

For CAS integrations

For the SAML integration (which can be used with most standard identity providers, including Shibboleth, ADFS, Azure AD, etc)

CampusGroups SAML Information

Basic SSO Configuration Requirements

  1. Add our Service Provider as a trusted party

    1. For InCommon Federation Members, use our EntityID

    2. For Non InCommon Federation Members, use our Metadata URL

  2. Provide your Metadata information

    1. For InCommon Federation Members provide the entityId of your Identity Provider

    2. For Non InCommon Federation Members

      1. Provide a link to your Metadata or a copy of the Metadata File itself

      2. Provide the entityId of your Identity Provider

  3. Confirm user identifier attribute release.

    Attributes must be released in urn:oid format and may require additional configuration in your Identity Provider system.

    You will need to release at least one attribute with a name from the following list and whose value will be used as the primary identifier for users signing in:


    Attributes are case sensitive and should be lower case.

    1. urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (also referred to as "eppn"; only applicable for customers running Shibboleth IdP as their Identity Provider using a configuration that matches the EduPerson standard)

    2. urn:oid:0.9.2342.19200300.100.1.3 (also referred to as "mail"; best choice if the primary identifier you will be releasing also serves as a valid email address for the user)

    3. urn:oid:0.9.2342.19200300.100.1.1 (also referred to as "uid"; best choice if the primary identifier you will be releasing is not a valid email address for the user)

  4. Please send this information to our Support team at support@campusgroups.com. We will configure your SSO connection and follow up with testing and verification next steps.

Just-In-Time Provisioning

If you are planning on enabling provisioning of new users as they first sign in through SAML, please inform your Implementation Team, Campus Success Associate, or email support@campusgroups.com who will assist in gathering the necessary information to set up these features.

To configure JIT Provisioning through SSO you will need to release additional supported attributes from the list at the bottom of this article which can be mapped to first name, last name, email, netid, account type and year of graduation similar to:

  • urn:oid:2.5.4.42 -> first name

  • urn:oid:2.5.4.4 -> last name

  • urn:oid:0.9.2342.19200300.100.1.3 -> email address

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.9 -> account type

If the attribute mapped to Account Type is single valued (for example if passing a "primary affiliation" with a single value), we will also need the mapping information that translates possible values for this attribute to the matching Account Type in CampusGroups plus a default Account Type for unmapped values; for example:

  • student => CG Student

  • faculty => CG Staff & Faculty

  • staff => CG Staff & Faculty

  • DEFAULT => CG Guest

If the attribute mapped to Account Type is multi-valued (for example if passing a list of affiliations for the user), we will also need the mapping information that translates possible combinations of values for this attribute to the matching Account Type in CampusGroups and/or which Account Type to map to based on a value present in the list and finally a default Account Type for unmapped values; for example:

  • employee,student => CG Student Employee

  • faculty => CG Staff & Faculty

  • employee,faculty => CG Staff & Faculty

  • staff => CG Staff & Faculty

  • employee,staff => CG Staff & Faculty

  • CONTAINS student => CG Student

  • DEFAULT => CG Guest

Note that exact combination matches take precedence over "CONTAINS" mapping which take precedence over the DEFAULT mapping.

Account type and year of graduation can be omitted, but since they are used for access control throughout the platform, we strongly suggest adding them.

If the values used for the account type attribute do not match the possible values configured on your CampusGroups platform, you will also need to provide us with the mapping between the two sets of values.

Supported Attributes

We are only able to accept these attribute Object Identifiers

Note that any of these fields can be mapped to any of the CampusGroups profile fields regardless of their default name.

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.6 which is titled eppn (value must be scoped, eg username@your.domain.edu)

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.9 which is titled affiliation (value must be scoped, eg staff@your.domain.edu)  

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.1 which is titled unscoped-affiliation

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.7 which is titled entitlement

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.5 which is titled primary-affiliation

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.2 which is titled nickname

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.8 which is titled primary-orgunit-dn

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.4 which is titled orgunit-dn

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.3 which is titled org-dn

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.11 which is titled assurance

  • urn:oid:1.3.6.1.4.1.5923.1.5.1.1 which is titled member

  • urn:oid:1.3.6.1.4.1.5923.1.6.1.1 which is titled eduCourseOffering

  • urn:oid:1.3.6.1.4.1.5923.1.6.1.2 which is titled eduCourseMember

  • urn:oid:1.3.6.1.4.1.5923.1.9 which is titled eduPermissionGroup  

  • urn:oid:2.5.4.3 which is titled cn

  • urn:oid:2.5.4.4 which is titled sn

  • urn:oid:2.5.4.42 which is titled givenName

  • urn:oid:2.16.840.1.113730.3.1.241 which is titled displayName

  • urn:oid:0.9.2342.19200300.100.1.1 which is titled uid

  • urn:oid:0.9.2342.19200300.100.1.3 which is titled mail

  • urn:oid:2.5.4.20 which is titled telephoneNumber

  • urn:oid:2.5.4.12 which is titled title

  • urn:oid:2.5.4.43 which is titled initials

  • urn:oid:2.5.4.13 which is titled description

  • urn:oid:2.16.840.1.113730.3.1.1 which is titled carLicense

  • urn:oid:2.16.840.1.113730.3.1.2 which is titled departmentNumber

  • urn:oid:2.16.840.1.113730.3.1.3 which is titled employeeNumber

  • urn:oid:2.16.840.1.113730.3.1.4 which is titled employeeType

  • urn:oid:2.16.840.1.113730.3.1.39 which is titled preferredLanguage

  • urn:oid:0.9.2342.19200300.100.1.10 which is titled manager

  • urn:oid:2.5.4.34 which is titled seeAlso

  • urn:oid:2.5.4.23 which is titled facsimileTelephoneNumber

  • urn:oid:2.5.4.9 which is titled street

  • urn:oid:2.5.4.18 which is titled postOfficeBox

  • urn:oid:2.5.4.17 which is titled postalCode

  • urn:oid:2.5.4.8 which is titled st

  • urn:oid:2.5.4.7 which is titled l

  • urn:oid:2.5.4.10 which is titled o

  • urn:oid:2.5.4.11 which is titled ou

  • urn:oid:2.5.4.15 which is titled businessCategory

  • urn:oid:2.5.4.19 which is titled physicalDeliveryOfficeName

Please contact support@campusgroups.com with any questions.

Did this answer your question?