Integrate with IU Guest 2.0


Overview

IU Login supports IU Guest accounts for IU applications and services. IU Guest 2.0 was released in mid-2020, featuring security enhancements and support for social login. Instructions for migrating an existing IU Login integration to support IU Guest 2.0 or setting up a new integration are below. The Identity Management Systems (IMS) team receives integration requests.

Integrate with IU Guest 2.0

Follow the instructions below to integrate with IU Guest 2.0. As the sponsor, you are expected to provide the necessary integration data as well as coordinate and test the setup.

  1. Review IU Guest 2.0 features and functionality: Familiarize yourself with login processes, account creation, and account management in IU Guest 2.0.
  2. Choose IU Guest account type(s): There are two types of IU Guest accounts: those with email login (with an email address and password as credentials), and those with social login via social providers (Facebook, Google, and Microsoft). A sponsor application may choose to support one type or both.
    Important:
    To support IU Guest accounts with social login, sponsors must integrate with the SAML (Shibboleth) protocol. The CAS and OIDC protocols only support accounts with email login.
    Note:
    As of September 21, 2020, all integrations with social login must support all three social providers. If you are interested in only supporting select social providers (for example, only Google, or just Microsoft and Facebook), provide a business rationale in the comments of the "IU Login: Allow select social providers per application" ticket and watch the issue.
  3. Collect IU Guest integration data: To submit an IU Guest 2.0 integration request, you will need:
    • The application name: Use the same name provided in your IU Login CAS or SAML Integration Request Form. Submitters receive copies of form entries by email; you can also access your submitted form entries on FireForm.
    • The application environment(s): For example, production and/or pre-production; IMS strongly recommends that you choose the same environment(s) as your IU Login integration.
    • Your group account username: This is only required to grant API permissions for invitations or existing account lookup.
    • Account creation prompt:
      • When a user arrives on the IU Guest account creation confirmation page, a call to action button appears below the user's account details to encourage a next step:

        IU Guest 2.0 account creation confirmation with call-to-action button

      • If you want users to log in with a new account, IMS recommends a Log in to [sponsor application] button. The application's shire (Assertion Consumer Service URL from the metadata) is required if users will not be sent back to the default shire in the metadata. A fallback URL is also required in case of error.
      • If you want users to go to a specific web address, IMS recommends a Go to [sponsor site] button. The sponsor site address is required for this approach.
    • Account creation sponsor message (optional): This message will be included in confirmation messages sent to users upon account creation.
  4. Complete the appropriate integration form:
  5. Respond to testing requests from IMS: IMS will make you a watcher on a Jira ticket and communicate with you through the comments on the ticket, including setting a release date for your service.
    • To obtain an IU Guest account to test on the pre-production environment, visit this URL (replacing myappname with the serviceName you submitted in the form):
      https://stg.login.iu.edu/guest?serviceName=myappname
    • To use an API to look up existing accounts or send account creation invitation emails, see the External Accounts API Documentation.
    Important:
    If you are integrating with the SAML protocol, IMS strongly recommends that you notify all current IU Guest account users of the upcoming change to the login process. See the draft notification template below.
  6. Add links to your application: Consider adding the following links to your application or service as you prepare to go live with the IU Guest 2.0 infrastructure:
    • Account creation (required): Add a Create an IU Guest account button in a convenient place. This button should link to (replacing myappname with your serviceName):
      https://login.iu.edu/guest?serviceName=myappname
    • Account management (optional): Place a Manage IU Guest account button within the application, linking to:
      https://login.iu.edu/guest/summary
  7. Release your application to production.

Email message template for notifying existing users

If you are integrating with the SAML protocol, you can use the draft template below to notify existing IU Guest account holders of a scheduled migration to IU Login 2.0. IMS recommends that you send this notification twice: once two weeks before the migration date, and again two days before the migration.

Note:
Replace the text in brackets (for example, [application name]) with appropriate content.

Hi [first name],

You are receiving this email because you've used your IU Guest account with [application name]. On [day, month, date], the way you log in to [application name] will change as the login infrastructure is being updated. Instead of entering your email address and password into the Username and Passphrase fields, you will:

  1. Click the Guest tab (top right)
  2. Click the Log in with email button
  3. Enter your email address and password

New login process screenshots

These screenshots display each of the steps outlined above.

Frequently asked questions

Will my username and password change?

No, your IU Guest account username and password will remain the same. If you have forgotten your password, you may reset it here.

Will my [application name] profile change?

No, this migration does not affect your [application name] profile.

Will the login service remember my selections?

Yes, once you attempt to log in using the process outlined above, your selections (Guest tab, Log in with email button) may be remembered by the browser on the device you’re using.

What if I want to use social login (Facebook, Google, Microsoft) to access my account?

If you attempt to log in with a social provider (Facebook, Google, or Microsoft) or create a new account and the email address associated with the new account matches your existing account, then your new and existing accounts will be linked and your [application name] profile will not be changed. However, if the email address associated with the new account does not match the existing account, then the accounts will not be linked and a new [application name] profile will be created that is not linked to your existing profile.

Also, if your IU Guest account is used with other IU applications, those applications may or may not support social login.

Getting help

The IU Knowledge Base is a valuable resource for using your IU Guest account and includes step-by-step instructions. If you have questions or need assistance, please contact the UITS Support Center.

UITS Support Center
Phone and email support
812.855.6789
317.274.4357
ithelp@iu.edu

This is document bgoh in the Knowledge Base.
Last modified on 2023-07-11 11:12:52.