Single Sign On Integration

The platform supports two Single Sign On methods: CAS and SAML.
All SSO methods will match the provided user identifier against the "netid" field or the "email" field on the platform.
In addition, the SAML integration can automatically provision new users as they first sign in if necessary. 

For the CAS integration:

• You will need to provide us with the CAS base url to use (https://domain.edu/idp/profile/cas/ for instance)

For the SAML integration (which can be used with most standard identity providers, including Shibboleth, ADFS, etc):

1. a) If you are a member of the InCommon federation:

• You will need to provide us with the entityId of your Identity Provider
• You will need to add our Service Provider as a trusted party using our entityId "https://www.campusgroups.com/shibboleth"

   1. b) If you are not a member of the InCommon federation:

• You will need to provide us a link to your metadata file
• You will need to add our Service Provider as a trusted party using our metadata url " https://www.campusgroups.com/Shibboleth.sso/Metadata" and our entityId "https://www.campusgroups.com/shibboleth"

   2. You will need to release at least one of the following attributes which will be used as the primary identifier for users signing in:

• eppn (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
• mail (urn:oid:0.9.2342.19200300.100.1.3)
• uid (urn:oid:0.9.2342.19200300.100.1.1)

   3. Once this is done, we will set up your SSO url which will look like "https://www.campusgroups.com/shibboleth/yourschool"

   4. You will then be able to test signing in, and once you confirm that the SSO works correctly through this link, we will add the SSO login button to the login page for your platform.

In addition:

If you are planning on enabling provisioning of new users as they first sign in through SAML, you will need to release additional attributes from the following list of supported attributes which can be mapped to first name, last name, email, netid, account type and year of graduation.
Account type and year of graduation can be omitted, but since they are used for access control throughout the platform, we strongly suggest adding them.
If the values used for the account type attribute do not match the possible values configured on your CampusGroups platform, you will also need to provide us with the mapping between the two sets of values. 

Please find the list of supported attributes below:
Note that any of these fields can be mapped to any of the CampusGroups profile fields regardless of their default name.

• urn:oid:1.3.6.1.4.1.5923.1.1.1.6 which is titled eppn (value must be scoped, eg username@your.domain.edu)
• urn:oid:1.3.6.1.4.1.5923.1.1.1.9 which is titled affiliation (value must be scoped, eg staff@your.domain.edu)  
• urn:oid:1.3.6.1.4.1.5923.1.1.1.1 which is titled unscoped-affiliation
• urn:oid:1.3.6.1.4.1.5923.1.1.1.7 which is titled entitlement
• urn:oid:1.3.6.1.4.1.5923.1.1.1.5 which is titled primary-affiliation
• urn:oid:1.3.6.1.4.1.5923.1.1.1.2 which is titled nickname
• urn:oid:1.3.6.1.4.1.5923.1.1.1.8 which is titled primary-orgunit-dn
• urn:oid:1.3.6.1.4.1.5923.1.1.1.4 which is titled orgunit-dn
• urn:oid:1.3.6.1.4.1.5923.1.1.1.3 which is titled org-dn
• urn:oid:1.3.6.1.4.1.5923.1.1.1.11 which is titled assurance
• urn:oid:1.3.6.1.4.1.5923.1.5.1.1 which is titled member
• urn:oid:1.3.6.1.4.1.5923.1.6.1.1 which is titled eduCourseOffering
• urn:oid:1.3.6.1.4.1.5923.1.6.1.2 which is titled eduCourseMember
• urn:oid:1.3.6.1.4.1.5923.1.9 which is titled eduPermissionGroup  
• urn:oid:2.5.4.3 which is titled cn
• urn:oid:2.5.4.4 which is titled sn
• urn:oid:2.5.4.42 which is titled givenName
• urn:oid:2.16.840.1.113730.3.1.241 which is titled displayName
• urn:oid:0.9.2342.19200300.100.1.1 which is titled uid
• urn:oid:0.9.2342.19200300.100.1.3 which is titled mail
• urn:oid:2.5.4.20 which is titled telephoneNumber
• urn:oid:2.5.4.12 which is titled title
• urn:oid:2.5.4.43 which is titled initials
• urn:oid:2.5.4.13 which is titled description
• urn:oid:2.16.840.1.113730.3.1.1 which is titled carLicense
• urn:oid:2.16.840.1.113730.3.1.2 which is titled departmentNumber
• urn:oid:2.16.840.1.113730.3.1.3 which is titled employeeNumber
• urn:oid:2.16.840.1.113730.3.1.4 which is titled employeeType
• urn:oid:2.16.840.1.113730.3.1.39 which is titled preferredLanguage
• urn:oid:0.9.2342.19200300.100.1.10 which is titled manager
• urn:oid:2.5.4.34 which is titled seeAlso
• urn:oid:2.5.4.23 which is titled facsimileTelephoneNumber
• urn:oid:2.5.4.9 which is titled street
• urn:oid:2.5.4.18 which is titled postOfficeBox
• urn:oid:2.5.4.17 which is titled postalCode
• urn:oid:2.5.4.8 which is titled st
• urn:oid:2.5.4.7 which is titled l
• urn:oid:2.5.4.10 which is titled o
• urn:oid:2.5.4.11 which is titled ou
• urn:oid:2.5.4.15 which is titled businessCategory
• urn:oid:2.5.4.19 which is titled physicalDeliveryOfficeName