8.7 Configuring Single Sign On (SSO)

This article outlines the procedure for setting up SAML2 integration for a risr/assess instance, e.g abc.risr/assess.net. It is recommended to share these guidelines with your local IT team who will be setting up SSO. Please request SSO setup support through your risr/ Service Delivery Lead, or alternatively raise a request through the risr/assess Service Desk.

In the SAML2 terminology, risr/assess is a Service Provider (SP), while the actual login process (entering username/password) is taking place on the Identity Provider (IdP) side, under full control of your organisation.

The Service Provider and Identity Provider usually make part of the information about their settings (public key, protocol endpoints, etc.) publicly available using a XML file - Metadata. risr/assess Metadata are published on the URL e.g https://abc.risr/assess.net/sp/shibboleth. This URL is at the same time an entityID of the SP - the unique SP identifier.

The first stage in the integration process is to exchange Metadata. When this is complete, the SP and the IdP are able to communicate and we are only one step from the successful integration.

Secondly we need to agree on the information about users which the IdP shares with the SP. Along with information about the user logging in, the IdP sends a set of Attributes - basically id/value pairs. We require that in the set of Attributes there are at least two attributes - a unique user identifier and e-mail, usually we use:

  1. eppn (urn:oid:1.3.6.1.4.1.5923.1.1.1.6), (username in the format user@domain)

  2. email (urn:oid:0.9.2342.19200300.100.1.3)

Optionally, we can also make use of another attributes, like firstName and lastName which we can use to populate the corresponding user profile fields.

It is advised that the unique user identifier attribute (like eppn) contains a human readable value, because it is necessary that this value is identical to the local risr/assess user profile name, for the user to be able to log in.