Single Sign-On (SSO)


Ocelot can use a college's single sign-on (SSO) for several purposes. This document outlines the requirements and steps to implement SSO for Ocelot applications.


Questions

A few questions need to be considered before moving forward:

  1. Does the college have separate SSO tenants for different populations (applicants, students, staff, faculty, etc.)?

  2. Does the college have separate SSO tenants for production and non-production (test) applications?

  3. Is the SSO solution SAML2 compliant?


The response to these will frame the requirements to set up SSO.


Configuration

The process of setting up SSO authentication with Ocelot involves the following steps:

  1. The college provides Ocelot with their SSO metadata, either with a URL or XML file.

  2. Ocelot will configure our applications and return our metadata.

  3. The college will use Ocelot metadata to configure their Identity Provider (IdP).

  4. When configuring the IdP, the college must sign both the SAML Assertion and the SAML Response; Ocelot requires both signatures.


If a college has separate SSO tenants for production and non-production (test) applications, the steps above are carried out twice, once per tenant, so two metadata sets are exchanged.


Mappings

As part of the SSO authentication, Ocelot requires the following claims to be released and mapped as listed:

  Attribute            Mapped Name
  -------------------  -----------
  First/Chosen Name    firstName
  Last Name            lastName
  Email                email
  Full Name            fullname
  Username             username
  Student ID           nameID


If any of these attributes are not available, Ocelot will work with the college to ensure we have all the required fields.
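As an added example that is not part of this document or of Ocelot's own software, the following Python script checks a SAML 2.0 Response against the two requirements stated here: that both the Response and the Assertion carry a signature (step 4 of the configuration) and that the mapped attributes from the table are released with non-empty values, with the Student ID carried in the Subject NameID. It checks only for the presence of the signature elements; cryptographic verification of those signatures is the job of the service provider's SAML library. The issuer URL, element IDs, NameID and attribute values are constructed placeholders, and the builder function exists only to produce sample responses for the checker; it uses nothing beyond the Python standard library.

```python
"""Pre-flight check of a SAML 2.0 Response for signed Response + Assertion
and for the attribute names an SP expects (added example, stdlib only)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Mapped names from the table above; Student ID is read from the NameID.
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email", "fullname", "username")

# Constructed placeholder signature block: no real key material, used only so
# the structural check has something to find.
SIGNATURE_BLOCK = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>"
    "</ds:Signature>"
)


def build_response(sign_response=True, sign_assertion=True, attributes=None,
                   name_id="S0012345"):
    """Build a constructed SAML Response (hypothetical issuer and values)
    so the checker can be exercised offline."""
    if attributes is None:
        attributes = {
            "firstName": "Ada", "lastName": "Lovelace", "email": "ada@example.edu",
            "fullname": "Ada Lovelace", "username": "alovelace",
        }
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    parts = [
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">',
        "<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>",
        SIGNATURE_BLOCK if sign_response else "",
        '<saml:Assertion ID="_asrt1" Version="2.0">',
        "<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>",
        SIGNATURE_BLOCK if sign_assertion else "",
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>",
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>",
        "</saml:Assertion></samlp:Response>",
    ]
    return "".join(parts)


def check_response(xml_text):
    """Return a report with signature flags, released attributes, NameID and
    a list of problems (empty list means the Response meets the requirements)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a SAML Response: {root.tag}")
    assertion = root.find("saml:Assertion", NS)
    report = {
        # find() with a plain tag matches direct children only, so these flags
        # distinguish a Response-level from an Assertion-level ds:Signature.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "attributes": {},
        "name_id": None,
        "problems": [],
    }
    if assertion is None:
        report["problems"].append("no Assertion in Response")
        return report
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        report["name_id"] = name_id.text.strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        report["attributes"][attr.get("Name")] = values
    if not report["response_signed"]:
        report["problems"].append("SAML Response is not signed")
    if not report["assertion_signed"]:
        report["problems"].append("SAML Assertion is not signed")
    for name in REQUIRED_ATTRIBUTES:
        values = report["attributes"].get(name)
        if not values or not any(values):
            report["problems"].append(f"required attribute missing or empty: {name}")
    if report["name_id"] is None:
        report["problems"].append("NameID (Student ID) missing")
    return report


if __name__ == "__main__":
    samples = [
        ("compliant", build_response()),
        ("unsigned assertion, no fullname", build_response(
            sign_assertion=False,
            attributes={"firstName": "Ada", "lastName": "Lovelace",
                        "email": "ada@example.edu", "username": "alovelace"})),
    ]
    for label, xml in samples:
        result = check_response(xml)
        print(f"{label}: {'OK' if not result['problems'] else '; '.join(result['problems'])}")
```

Running it against a real IdP's Response (for instance one captured from the SP's debug log during a test sign-in) tells you before go-live whether the IdP has been configured to sign both elements and whether every attribute in the table is being released under the mapped name.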


Related article(s):