UC Davis offers SAML 2.0 for single sign-on (SSO) authentication.
If you are new to SAML, these links may be useful for an overview:
- https://wiki.shibboleth.net/confluence/display/CONCEPT
- https://spaces.at.internet2.edu/display/federation/InCommon+Federation+Library
Questions for the Vendor and/or Department Sponsor:
- Please provide any document(s) describing your SAML integration requirements and technical specifics.
- What are the Entity IDs for your SAML SPs?
  - Development/QA/UAT, if any.
  - Production.
- What SAML attributes do you expect to receive? (With SAML 2 URIs, if known.)
  - Which attribute(s) are required, which are optional?
  - Which attribute(s) do you expect/want as identifiers?
  - Do you require the identifying attribute to be expressed as a SAML NameID? If so, which SAML NameIDFormat(s)?
- Do you support:
  - SP-initiated SSO?
  - Unsolicited SSO (aka IdP-initiated SSO)?
  - SAML 2.0 encryption?
    - If not, please provide evidence that your implementation is either not subject to, or has been recently patched against, recent XML Signature attacks.
- What is(are) the SSO-initiation URL(s) for your service? I.e., what triggers SAML authentication?
- Does the application require an SSO test account?
  - What attributes are needed for the test account? N.b. some attributes, such as student ID, are not available for test accounts.
  - A test account generally requires a temporary affiliate (TAF) sponsorship by the department.
- MFA
  - Does the application require MFA? If so, does the application support the REFEDS MFA profile?
  - Does the application require an exemption from MFA? N.b. an exemption generally requires review/approval by the campus ISO.
- How do you handle logout?
  - Log out locally from the application, leaving the user's SSO session intact?
  - SAML SLO (complete logout)?
- How do you handle provisioning of new users? Do they need to be pre-identified in your system, or do you create accounts on first login (aka just-in-time provisioning)?
- How do you handle account de-provisioning? People may need to have their access to your system revoked even though they may still be able to authenticate through UC Davis SSO.
- Given that UC Davis manages computing accounts for several different types of affiliates, how do you control access to the application (authorization)?
...
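Several of the questions above (entity ID, NameID formats, encryption support, SLO, required vs. optional attributes) can be answered directly from the vendor's SP metadata before the first meeting. The following is an added example, not part of the UC Davis page or any vendor's code: it parses a constructed SP metadata document with the standard library and reports those answers; the entity ID, URLs, certificate and attribute list in the sample are made up.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata: entity ID, URLs and certificate are made up.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vendor.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vendor.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Vendor</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Answer the entity ID, NameID, encryption, SLO and attribute questions from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    # A KeyDescriptor with use="encryption", or with no use attribute at all
    # (which means signing and encryption), carries a key the IdP can encrypt to.
    enc_keys = [k for k in sp.findall("md:KeyDescriptor", NS)
                if k.get("use", "encryption") == "encryption"
                and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    requested = sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)

    def friendly(attr):  # prefer the readable name, fall back to the SAML 2 URI
        return attr.get("FriendlyName") or attr.get("Name")

    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "supports_encryption": bool(enc_keys),
        "slo_bindings": [s.get("Binding") for s in sp.findall("md:SingleLogoutService", NS)],
        "required_attributes": [friendly(a) for a in requested if a.get("isRequired") == "true"],
        "optional_attributes": [friendly(a) for a in requested if a.get("isRequired") != "true"],
    }
```

An SP that publishes no encryption key, or no SingleLogoutService, shows up as an empty answer here and is exactly the case the follow-up questions above ask about.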