This information is for members of the SCU community who want to integrate an application they manage into SCU’s SSO infrastructure and the MySCU Portal. Over 75 different applications are part of SCU’s SSO integration.
We welcome new applications into SSO! For a consultation about bringing your application into SSO, please contact the Technology Help Desk.
What is SSO?
Single Sign On is a technical service that allows application administrators to rely on a single source of account data, and allows members of the campus community to use one SCU Username and Password to access multiple services.
What are the benefits of SSO?
SSO provides a simple, streamlined and familiar login process for accessing applications. When members of our community see the https://login.scu.edu prompt, they know that they are accessing a legitimate service, where it is safe to enter their SCU credentials, whether or not the application is hosted by SCU. By having a shared authentication service, SSO minimizes the number of username and password combinations that people need to remember, and ensures that applications do not need to store and protect end-user credentials. Because SSO is tied to SCU’s identity-management process, SSO credentials quickly and automatically reflect changes in status, and provide a single point of control to minimize risk when an account is compromised. (Note, this is not instantaneous; the change in status will not be known by the application until the information is refreshed, typically by the user logging out and logging back in.)
How do I get started bringing my application into SSO?
The SSO team welcomes SCU application administrators to bring their applications into Shibboleth. Once “Shibbolized,” web applications are added as tiles within the MySCU Login Portal, where they are easily accessed by members of the campus community. For a consultation about bringing your application into SSO, please contact the Technology Help Desk.
SSO terminology:
The Identity Provider (IdP) is the SSO system itself. The IdP is responsible for user authentication, and for providing user information to the Service Provider (SP). For SCU, the IdP is our Shibboleth service at https://login.scu.edu. Information Services runs the IdP on behalf of SCU.
The Service Provider (SP) is the application that users are using SSO to access. The SP may be internal to SCU, or may be a third party like Canvas, Google, or Workday.
If you are requesting that an application be added to SSO, then your application is the SP, and you as the SP administrator have some responsibilities within the SSO framework:
- Provide an introduction to your vendor’s IT team for SSO integration work
- Coordinate any ongoing changes on your vendor’s side of the SSO integration (such as periodic certificate updates)
- Provide and maintain the information needed on the MySCU tile
- Manage tile visibility using the Entitlement Manager (documentation, access is limited to SCU)
How does SSO work?
This diagram shows the interaction between the user, the Identity Provider and the Service Provider:
Here’s what happens when the user connects to an SSO-protected service:
- The SP detects the user attempting to access restricted content within the resource.
- The SP generates an authentication request, then sends the request, and the user, to the user's IdP.
- The IdP authenticates the user, then sends the authentication response, and the user, back to the SP.
- The SP verifies the IdP's response and sends the request through to the resource which returns the originally requested content.
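The sketch below is an added example, not SCU's or Shibboleth's own code. It shows the SP side of the steps above: the SP issues a request with a fresh ID, then checks that the response answers that request, comes from the expected IdP, names this SP as its audience, and has not expired. The entity IDs, function names and sample response are constructed placeholders, and signature verification is left to a SAML library.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP = "https://idp.example.edu/idp/shibboleth"  # placeholder entityID (assumption)
SP = "https://app.example.edu/shibboleth"       # placeholder entityID (assumption)

def build_authn_request(now):
    """The SP creates a request with a fresh ID that it remembers until answered."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<p:AuthnRequest xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}">'
           f'<a:Issuer>{SP}</a:Issuer></p:AuthnRequest>')
    return req_id, xml

def check_response(xml, pending_ids, now):
    """Return a list of problems; an empty list means these checks passed.
    The XML signature must already have been verified by a SAML library."""
    root = ET.fromstring(xml)  # use a hardened XML parser for untrusted input
    problems = []
    if root.get("InResponseTo") not in pending_ids:
        problems.append("unsolicited or replayed response")
    if root.findtext("a:Assertion/a:Issuer", namespaces=NS) != IDP:
        problems.append("unexpected issuer")
    cond = root.find("a:Assertion/a:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        return problems + ["missing conditions"]
    expiry = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    if now >= expiry.replace(tzinfo=timezone.utc):
        problems.append("assertion expired")
    audiences = [e.text for e in cond.iterfind(".//a:Audience", NS)]
    if SP not in audiences:
        problems.append("audience mismatch")
    if not problems:
        pending_ids.discard(root.get("InResponseTo"))  # each request ID is single-use
    return problems

def sample_response(in_response_to, audience, not_on_or_after):
    """Constructed, unsigned stand-in for the IdP's authentication response."""
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" '
            f'InResponseTo="{in_response_to}"><a:Assertion>'
            f'<a:Issuer>{IDP}</a:Issuer>'
            f'<a:Conditions NotOnOrAfter="{not_on_or_after}">'
            f'<a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
            f'</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>')
```

A response that passes is accepted once; presenting the same response again fails the InResponseTo check because the request ID has been consumed.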