scientist-softserv / palni-palci


EPIC - Shibboleth based SAML plugin #583

Open labradford opened 1 year ago

labradford commented 1 year ago

SoftServ will create a Shibboleth-based authentication plug-in that can be enabled on a per-tenant basis, with support for the InCommon Federation. When enabled, Hyku login will require direction of a user to an Identity Provider (IdP) or WAYF (Where Are You From) page, and ultimately processes a SAML response to authenticate the user's identity. User attributes (username, email, name?, roles) are processed from SAML attributes to the Hyku user. New accounts are created on the fly from first-time SAML authentications. This will be enabled or disabled (i.e., use basic Hyku Devise-based authentication) by an admin at the tenant level. Ability for basic auth for admins will still exist regardless.

SoftServ will work with Pitt in collaboration with the PALNI/PALCI team to align implementation of this requirement. This will be implemented as a plug-in that can be pointed to a specific IdP or WAYF page, to which Hyku will send username and email for authentication.
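An added example (not code from the palni-palci project or from this issue) of the behaviour described above: mapping attributes from a SAML response onto a Hyku user, creating the account on first login, honouring the per-tenant toggle, and keeping basic auth open to admins. It is written in Ruby because Hyku is a Rails application; the attribute names, the affiliation-to-role allowlist and the in-memory user store are assumptions, and it presumes the SP library has already validated the SAML response.

```ruby
require 'set'

# Assumed friendly attribute names, as a Shibboleth SP's attribute-map.xml would
# expose them; the actual release policy is agreed with the IdP / InCommon.
ATTRS = { username: 'eduPersonPrincipalName', email: 'mail',
          name: 'displayName', roles: 'eduPersonAffiliation' }.freeze

# Only affiliations on this allowlist become Hyku roles (assumed mapping); any
# other value the IdP asserts is dropped rather than granted.
AFFILIATION_TO_ROLE = { 'faculty' => 'depositor', 'staff' => 'depositor' }.freeze

class AuthError < StandardError; end

# Take exactly one string value from a SAML attribute that may be multi-valued;
# a missing, empty or ambiguous attribute yields nil so the caller can reject it.
def single(attrs, key)
  v = Array(attrs[ATTRS[key]]).map { |x| x.to_s.strip }.reject(&:empty?)
  v.size == 1 ? v.first : nil
end

# Map attributes from an already-validated SAML response onto a user record in
# `users` (a Hash keyed by lower-cased username), creating it on first login and
# refreshing email, name and roles on every later login.
def provision_saml_user(tenant, attrs, users)
  raise AuthError, 'SAML login is disabled for this tenant' unless tenant[:saml_enabled]
  username = single(attrs, :username)
  email = single(attrs, :email)
  raise AuthError, 'assertion lacks a usable identifier' unless username && email
  raise AuthError, 'assertion email is malformed' unless email.include?('@')
  roles = Array(attrs[ATTRS[:roles]])
            .filter_map { |a| AFFILIATION_TO_ROLE[a.to_s.downcase] }.uniq
  key = username.downcase
  user = users[key] ||= { username: username, created_via: 'saml', admin: false }
  user.merge!(email: email, name: single(attrs, :name) || user[:name], roles: roles)
end

# Devise basic auth stays available to admins regardless of the tenant setting;
# everyone else gets it only while SAML is switched off for the tenant.
def basic_auth_allowed?(tenant, user)
  user[:admin] || !tenant[:saml_enabled]
end
```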

labradford commented 1 year ago

The University of Pittsburgh implements SAML via Shibboleth 2, both within the InCommon Federation, and as a direct Identity Provider.

Useful information on the InCommon Federation can be found here:

- https://incommon.org/federation/
- https://incommon.org/software/shibboleth/
- https://www.technology.pitt.edu/help-desk/how-to-documents/shibboleth-incommon-and-attributes

I would recommend this approach over a direct Identity Provider / Service Provider integration, as the Federation will provide access for many, many potential clients with minimal additional configuration.

If a direct IdP/SP connection is required, even just for testing, our IdP metadata can be found at: https://passport.pitt.edu/idp/shibboleth

labradford commented 1 year ago

https://github.com/scientist-softserv/palni-palci/pull/505