Single-Sign-On, or SSO, allows student, faculty and administrative users at your school to log into Osmosis using their school credentials. You can learn more about how SSO works here. Osmosis supports SSO through the SAML 2.0 protocol.
Osmosis will create a one-to-one SAML connection with your school. We are not a member of and do not support federations (Federated Identity Management or FIM. Learn about the difference between SSO and FIM here.)
These are some of the SAML-based IDP’s that our partner schools have used to set up an SSO connection with us; if your IDP isn’t listed but supports SAML 2.0 please connect us with your IT team and we’ll look into supporting your IDP as well. (A complete list of SAML-based IDP’s can be found here.)
ADFS
MS Azure
Okta
Open Athens
Shibboleth
Here is a list of SAML-based products and services, one or more of which may be used at your school.
Osmosis (the Service Provider or SP) requires the school (the Identity Provider or IDP) to pass the student email or a unique identifier (sent as subject-id) as attributes as part of the SSO implementation. This is an IDP-initiated SSO process.
Basic process for implementing SSO with Osmosis for your school:
Partner School shares their FederationMetadata.xml file with Osmosis.
Osmosis shares their FederationMetadata.xml file with the school.
Osmosis creates a test account in the Osmosis DB.
School uses that same account to log into Osmosis using the new SSO end point.
School approves eligible users in school's active directory.
Osmosis implements SSO on the production site and redirects, from osmosis.org, eligible School users to the school portal for authentication:
FAQs:
Can we connect via the Open Athens, In Common, UK federation, or another federation? --Unfortunately, not at this time. The SSO connection will need to be created between your School's IDP and Osmosis directly.
Can I use SHA256 for the XML signature? Yes! That is our preferred standard.
By default, what attribute should our IDP send to Osmosis? Please send urn:oasis:names:tc:SAML:attribute:subject-id.
Can our school send an anonymous identifier for users in our system? Yes! We'll talk you through this process.
Can OpenAthens be used to create an SSO connection with Osmosis? If your school has OpenAthens, you may be familiar with the term Federated Identity Management. While Osmosis does not support FIM to establish Single Sign On, you can still establish a one-to-one SSO connection with Osmosis through OpenAthens custom SAML.
What is OpenAthens Custom SAML? We recommend reading OpenAthens’ resource on creating and managing custom SAML resources within their product.