
UC Davis offers SAML 2.0 for single sign-on (SSO) authentication.

If you are new to SAML, these links may be useful for an overview:

Questions for the Vendor and/or Department Sponsor:

  1. Please provide any document(s) describing your SAML integration requirements and technical specifics.
  2. What are the Entity IDs for your SAML SPs?
    1. Development/QA/UAT, if any.
    2. Production.
  3. What SAML attributes do you expect to receive? (With SAML 2 URIs, if known)
    1. Which attribute(s) are required, which are optional?
    2. Which attribute(s) do you expect/want as identifiers?
    3. Do you require the identifying attribute to be expressed as a SAML NameID? If so, which SAML NameIDFormat(s)?
  4. Do you support:
    1. SP-initiated SSO?
    2. Unsolicited SSO (aka IdP-initiated SSO)?
    3. SAML 2.0 encryption?
      1. If not, please provide evidence that your implementation is either not subject to, or has recently been patched against, recent XML Signature attacks.
  5. What is(are) the SSO-initiation URL(s) for your service? I.e., what triggers SAML authentication?
  6. Does the application require an SSO test account?
    1. What attributes are needed for the test account? N.b. some attributes, such as student ID, are not available for test accounts.
    2. A test account generally requires a temporary affiliate (TAF) sponsorship by the department.
  7. MFA
    1. Does the application require MFA? If so, does the application support the REFEDS MFA profile?
    2. Does the application require an exemption from MFA? N.b. an exemption generally requires review/approval by the campus ISO.
  8. How do you handle logout?
    1. Log out locally from the application, leaving the user's SSO session intact?
    2. SAML SLO (complete logout)?
  9. How do you handle provisioning of new users? Do they need to be pre-identified in your system, or do you create accounts on first login (aka just-in-time provisioning)?
  10. How do you handle account de-provisioning? People may need to have access to your system revoked even though they may still be able to authenticate through UC Davis SSO.
  11. Given that UC Davis manages computing accounts for several different types of affiliates, how do you control access to the application (authorization)?
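Several of the questions above (entity ID, requested attributes, NameID format, encryption support, SLO) can be answered directly from the vendor's SP metadata. The following script is an added example, not part of this page or of any UC Davis tooling; the SP metadata it parses is constructed, and the entity ID, URLs and key names in it are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata (not a real vendor's). It publishes only a
# signing key, so encrypted assertions cannot be sent to it (question 4.3).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sp-sign</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Extract the facts the questionnaire asks for: entity ID (Q2), requested
    attributes and NameID formats (Q3), whether an encryption key is published
    (Q4.3), and whether a SingleLogoutService endpoint exists (Q8)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # A KeyDescriptor with use="encryption", or with no use attribute at all,
    # may receive encrypted assertions; use="signing" alone may not.
    key_uses = [kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)]
    attrs = sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    name = lambda a: a.get("FriendlyName") or a.get("Name")
    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
        "required_attributes": [name(a) for a in attrs if a.get("isRequired") == "true"],
        "optional_attributes": [name(a) for a in attrs if a.get("isRequired") != "true"],
        "publishes_encryption_key": any(u in (None, "encryption") for u in key_uses),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "has_slo": sp.find("md:SingleLogoutService", NS) is not None,
    }
```

Run against a vendor's real metadata file, the output gives the integrator a first pass at questions 2, 3, 4.3 and 8 to confirm with the vendor.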

...