Ocelot can use a college's single sign-on (SSO) for several purposes. This document outlines the requirements and steps to implement SSO for Ocelot applications.
- SSO Overview
Admin SSO allows college staff members to connect to our client admin using their campus credentials.
Student SSO allows the college’s students to authenticate with their campus credentials to receive Ocelot services:
- Answers in SIS integration chatbots
- Live chat help
- Access to the GetCounseling/GetSAP portal
A few questions need to be considered before moving forward:
- Does the college have separate SSO tenants for different populations (applicants, students, staff, faculty, etc.)?
- Does the college have separate SSO tenants for production and non-production (test) applications?
- Is the SSO solution SAML2 compliant?
The answers to these questions will frame the requirements to set up SSO.
The process of setting up SSO authentication with Ocelot involves the following steps:
- The college provides Ocelot with its SSO metadata, either with a URL or XML file.
- Ocelot will configure our applications and return our metadata.
- The college will configure its Identity Provider (IdP) using Ocelot metadata.
  - When configuring your Identity Provider (IdP), Ocelot requires both the SAML Assertion and SAML Response to be signed.
If a college has separate SSO tenants for production and non-production (test) applications, the above steps would be repeated twice (two metadata sets would be shared).
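The signing requirement above can be checked on a captured test login before go-live. The following is an added example, not Ocelot's code: it only checks that the Response and the Assertion each carry a signature referencing their own ID and does not verify the signature cryptographically. The function names and the IDs `_r1` and `_a1` are hypothetical, and an unencrypted assertion is assumed.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())

def sig(ref_id):
    # Skeleton ds:Signature (constructed; digest and signature values omitted).
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo></ds:Signature>' % ref_id)

def sample(sign_response, sign_assertion):
    # Constructed SAML Response with hypothetical IDs _r1 and _a1.
    return ('<samlp:Response %s ID="_r1">%s<saml:Assertion ID="_a1">%s'
            '<saml:Subject/></saml:Assertion></samlp:Response>'
            % (XMLNS, sig("_r1") if sign_response else "",
               sig("_a1") if sign_assertion else ""))

def signature_covers(element):
    # A direct ds:Signature child must reference the element's own ID;
    # a signature that points elsewhere does not protect this element.
    elem_id = element.get("ID")
    ref = element.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return bool(elem_id) and ref is not None and ref.get("URI") == "#" + elem_id

def check_signing(xml_text):
    """Return a list of problems; an empty list means both levels are signed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if not signature_covers(root):
        problems.append("Response has no signature over its own ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected 1 Assertion, found %d" % len(assertions))
    for assertion in assertions:
        if not signature_covers(assertion):
            problems.append("Assertion has no signature over its own ID")
    return problems

if __name__ == "__main__":
    for flags in [(True, True), (True, False), (False, True)]:
        print(flags, check_signing(sample(*flags)) or "ok")
```

A real response would be decoded from the Base64 `SAMLResponse` form field before being passed to `check_signing`.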
Student chatbot integration & Live chat authentication
As part of the SSO authentication, Ocelot requires the following claims to be released and mapped as listed:
Admin Portal SSO & GetCounseling/GetSAP
If any of these attributes are unavailable, Ocelot will work with the college to ensure we have all the required fields.
Review the Single Sign-On (SSO) FAQs article for frequently asked questions.