Integrate IU Login with a web application

Overview

At Indiana University, you can integrate IU Login into your web application to provide single sign-on authentication. IU Login supports a variety of protocols, each of which accommodates different application requirements. If your web application is within Enterprise Systems, or if you want recommendations, review the Technology Advisory Group (TAG) practices for managing access.

Important:

The CAS software, which has been synonymous with authentication at IU, is distinct from the CAS protocol. Most existing applications use the Security Assertion Markup Language (SAML) protocol to integrate with the CAS software (via Shibboleth). If you have integrated with CAS in the past, do not assume that your application will need to connect with the CAS protocol.

Note:
To stay informed or provide feedback about IU Login, or to ask questions about developing with it, use the auth-discuss-l mailing list. To subscribe, send email to auth-discuss-l-subscribe@iu.edu.

Choose an authentication protocol

To help you determine which authentication solution best suits your service, use the following table to compare how each protocol accommodates the requirements your service may have:

Protocols compared: CAS, SAML, OIDC, ECP

Recommendation [1]
  • CAS: Hold
  • SAML: Adopt
  • OIDC: Trial
  • ECP: Trial

Protocol(s) supported
  • CAS: CAS 2.0
  • SAML: SAML 1.0 and 2.0, and features up to Shibboleth 4.0.1
  • OIDC: OpenID Connect
  • ECP: SAML 1.0 and 2.0, and features up to Shibboleth 4.0.1 via Enhanced Client or Proxy

Infrastructure
  • CAS, SAML, OIDC, ECP: IU Login 2.0

Service URL support
  • CAS, SAML, OIDC, ECP: HTTPS only

University account attributes returned
  • CAS: Username only
  • SAML: IU email address [2] (username@iu.edu) by default, as well as public and restricted attributes by request
  • OIDC: IU email address [2] (username@iu.edu) by default, as well as public and restricted attributes by request
  • ECP: IU email address [2] (username@iu.edu) by default, as well as public and restricted attributes by request

IU Guest email login support
  • CAS: Yes
  • SAML: Yes
  • OIDC: Coming in future release
  • ECP: No

IU Guest social login support
  • CAS: No
  • SAML: Yes; Facebook, Google, Microsoft
  • OIDC: Coming in future release
  • ECP: No

IU Health login support
  • CAS: No
  • SAML: Yes
  • OIDC: No
  • ECP: No

Unified login experience
  • CAS: No
  • SAML: Yes
  • OIDC: Yes
  • ECP: Yes

Custom app code support
  • CAS: Retired; IU application codes are no longer supported
  • SAML: Not supported
  • OIDC: Not supported
  • ECP: Not supported

Authorization support
  • CAS: Rigid authorization configuration [3]
  • SAML: Flexible authorization configurations
  • OIDC: Flexible authorization configurations
  • ECP: Flexible authorization configurations

Recommended library
  • CAS: Apereo
  • SAML: Not necessary
  • OIDC: Not necessary
  • ECP: Not necessary

Knowledge Base instructions
  • CAS: Connect to IU Login with the CAS protocol
  • SAML: Connect to IU Login with the SAML protocol
  • OIDC: Coming soon
  • ECP: Coming soon

Notes:

[1] Recommendation: For details, see the TAG legend.

[2] IU email address: This is officially referred to as eduPersonPrincipalName, or ePPN.

[3] Rigid authorization configuration: Certain types of information are restricted to allow all-or-nothing access only. For example, to see a person's address, you must have access to everything else in that group.

Supported attributes

Most of the protocols above support eduPerson values, which are detailed in the REFEDS specification. Some of the attributes are public, while others are restricted and require Data Steward approval.

Public attributes

  • Primary Email (johnnydo@iupui.edu)
  • Display Name (Johnny Doe)
  • First Name (Johnny)
  • Last Name (Doe)
  • eduPersonPrincipalName (johnnydo@iu.edu)

Restricted attributes

  • University ID (0123456789)
  • eduPersonScopedAffiliation (staff@iu.edu)
  • eduPersonEntitlement (service-specific)
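
The following is an added example, not code from IU or this page, showing how an application might consume the attributes listed above from a SAML 2.0 AttributeStatement: it keeps only scoped values (ePPN, eduPersonScopedAffiliation) whose scope is iu.edu, then applies a sample authorization rule. The statement, the displayName attribute name and the entitlement value are constructed; the friendly attribute names are assumed to be what your SP exposes.

```python
import xml.etree.ElementTree as ET

# Added example, not IU's code: extract the page's attributes from a SAML 2.0
# AttributeStatement and enforce the iu.edu scope on scoped values.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_SCOPE = "iu.edu"  # assumption: the scope the IU identity provider asserts
SCOPED_ATTRS = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Constructed sample statement; the second affiliation carries a foreign scope
# that the IU IdP is not authoritative for, so it must be discarded.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="eduPersonPrincipalName">
    <saml:AttributeValue>johnnydo@iu.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName">
    <saml:AttributeValue>Johnny Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="eduPersonScopedAffiliation">
    <saml:AttributeValue>staff@iu.edu</saml:AttributeValue>
    <saml:AttributeValue>member@other.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="eduPersonEntitlement">
    <saml:AttributeValue>urn:example:myapp:admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(statement_xml):
    """Return {attribute name: [values]}; scoped attributes keep only
    values whose scope (the part after '@') equals EXPECTED_SCOPE."""
    root = ET.fromstring(statement_xml.strip())
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if name in SCOPED_ATTRS:
            # rpartition handles unscoped values too: they fail the check and are dropped
            values = [v for v in values if v.rpartition("@")[2].lower() == EXPECTED_SCOPE]
        attrs[name] = values
    return attrs


def is_authorized(attrs, required_entitlement):
    """Sample policy: key access on the scoped affiliation and a service-specific
    entitlement, never on display name or email, which are not identifiers."""
    affiliations = {v.split("@")[0] for v in attrs.get("eduPersonScopedAffiliation", [])}
    return "staff" in affiliations and required_entitlement in attrs.get("eduPersonEntitlement", [])
```

Use the eduPersonPrincipalName value returned by parse_attributes as the account key; the SP's own scope checking should remain enabled as well, since this application-side filter is a second line of defense, not a replacement.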

Migrate to IU Login 2.0

Applications integrated with the legacy infrastructure were expected to migrate to IU Login 2.0 by June 15, 2021.

Important:
If your application is still set up with the legacy infrastructure but is no longer functioning properly, you need to register it with Identity Management Systems. To do so, send email to imsinfo@iu.edu and include the application address, protocol, and environment (stage and/or production), along with a link to any associated Jira tickets.

To begin the migration process, first identify your application's authentication protocol.

Note:
The CAS software, which has been synonymous with authentication at IU, is distinct from the CAS protocol. Most existing applications use the SAML protocol to integrate with the CAS software (via Shibboleth). If you have integrated with CAS in the past, do not assume that your application will need to connect with the CAS protocol.

CAS protocol

  1. Complete the CAS Integration Request form.
  2. When you are notified that the integration has been set up, update your application to connect to the new infrastructure. For details, see How CAS works at IU.
    • This step may be completed for both production and pre-production environments.

SAML protocol

  1. Complete the SAML Integration Request form.
  2. When you are notified that the integration has been set up, have your application's identity provider updated. For details, see Values for connecting your application to IU Login with the SAML protocol.
    • This step may be completed for both production and pre-production environments.

This is document atfc in the Knowledge Base.
Last modified on 2021-06-22 16:14:10.