Base Requirements
Each Institution that desires to use Security Assertion Markup Language (SAML) authentication for access to OhioLINK resources must be an InCommon member utilizing InCommon’s Federation services. The InCommon Federation establishes a multilateral trust among all Federation Participants, removing the requirement for each pair of trusting institutions to exchange and configure authentication for shared resources. Instead, each Participant establishes trust with the Federation operator.
A requirement of participating in the InCommon Federation is that each Institution is responsible for setting up, customizing, and maintaining a Shibboleth Identity Provider (IdP) unique to their individual network configurations and security policies.
Although many different technologies can be used for the Institution’s IdP, some require extra work to satisfy InCommon Federation requirements, for example running a Shibboleth proxy or using a third-party vendor bridge.
More information about InCommon’s Federation services is available through the InCommon website. InCommon also maintains baseline expectations for the Federation services as a means to increase trust and interoperability among InCommon Federation participants.
Please note: At this time, Azure AD is not compatible with InCommon. Some institutions have used a third-party bridge service and others have used a SAML proxy to make this connection.
Attributes
Shibboleth IdPs can offer Service Providers (SPs) information about the user's account by way of user attributes. Attribute values are drawn from the institution's user directory, and the IdP controls which SPs are allowed to receive which attributes. OhioLINK SPs require the attributes “urn:mace:dir:attribute-def:eduPersonPrincipalName” (a unique identifier for the institution member) and “urn:mace:dir:attribute-def:eduPersonScopedAffiliation” (which defines what type of patron the account corresponds to). These serve multiple purposes:
- Determining whether the user is allowed to access OhioLINK content:
  - Faculty, students, and staff are allowed
  - Alumni, third-party affiliates, and visitors are not
- Content abuse detection, so that stolen or misused member accounts can be quickly identified and addressed
Institutions with multiple campuses using the same IdP may also need to supply an attribute describing the user's home campus. Different branches will often have different subscription subsets of the services that OhioLINK provides and, if we are to offer remote access to those services, we will need to ensure that students are only able to access their home campus' subset. OhioLINK suggests that the attribute localityName be used for this information (as defined in the orgPerson specifications) and a list of possible values will need to be provided so that we can set up the pattern matching.
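The following is an added illustration of the SP-side decision described above (it is not OhioLINK's code). It assumes the Shibboleth SP has already validated the assertion and hands the released attributes to the application as a dict of attribute name to list of values; the scope, campus names and subscription map used in the comments and tests are constructed sample values.

```python
# Added illustration of the SP-side checks described above; not OhioLINK's code.
# Assumes the Shibboleth SP has validated the assertion and hands the released
# attributes to the application as a dict of name -> list of values.

EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
LOCALITY = "localityName"

# Affiliation values that grant access; alum, affiliate, library-walk-in etc. do not.
ALLOWED_AFFILIATIONS = {"faculty", "student", "staff"}


def split_scoped(value, idp_scope):
    """Return the local part of 'local@scope' if the scope matches the IdP's
    registered scope (case-insensitive), else None. A value with no scope, or
    with another institution's scope, is ignored rather than trusted."""
    local, sep, scope = value.partition("@")
    if not sep or not local or scope.lower() != idp_scope.lower():
        return None
    return local.lower()


def authorize(attrs, idp_scope, resource, campus_subscriptions=None):
    """Decide access to one OhioLINK platform (e.g. "EJC").

    attrs: released attributes, name -> list of strings.
    idp_scope: the scope registered for this IdP in federation metadata.
    campus_subscriptions: for multi-campus IdPs, localityName -> set of
        subscribed platforms (constructed sample values in the tests);
        None for a single-campus institution.
    Returns (allowed, detail) where detail is the EPPN or a denial reason.
    """
    eppns = [v for v in attrs.get(EPPN, []) if split_scoped(v, idp_scope)]
    if len(eppns) != 1:
        return False, "missing, unscoped or ambiguous eduPersonPrincipalName"
    affiliations = {split_scoped(v, idp_scope) for v in attrs.get(AFFILIATION, [])}
    if not affiliations & ALLOWED_AFFILIATIONS:
        return False, "no faculty/student/staff affiliation for scope " + idp_scope
    if campus_subscriptions is not None:
        campus = attrs.get(LOCALITY, [])
        if len(campus) != 1 or campus[0] not in campus_subscriptions:
            return False, "unknown or missing localityName"
        if resource not in campus_subscriptions[campus[0]]:
            return False, "campus %s is not subscribed to %s" % (campus[0], resource)
    return True, eppns[0]
```

The scope comparison matters: an affiliation value such as `student@other.edu` asserted by an IdP whose registered scope is `example.edu` is ignored, so it cannot grant access on its own.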
Setting up SAML Authentication
If your institution would like to start using SAML for authentication to the OhioLINK platforms (EJC, EBC, etc.), please let us know by entering a support ticket.