Connect to IU Login with the OpenID Connect protocol
Before you begin
IU Login implements OpenID Connect (OIDC), along with some OAuth 2.0 features, using the Shibboleth Identity Provider. To learn more about Shibboleth, see:
You'll need to understand your role as a Service Owner and the role of the Service Provider you will be sponsoring:
- Service Owner: The department and individuals within Indiana University that are sponsoring the Shibboleth service account being requested. Service Owners are responsible for facilitating all communications and updates from the Service Provider to the Identity Management Systems (IMS) team. Every Service Provider must have a sponsoring department and contacts.
- Service Provider: The organization that is providing a service to users who have identities established at IU. This organization can be inside or outside IU, but it must have an IU sponsor.
Connect your service
After familiarizing yourself with these roles, to connect your service to IU Login 2.0:
- Working with the Service Provider, complete the OIDC Integration Request form.
- Agree to fulfill the responsibilities and duties of a Service Owner for the referenced Service Provider by submitting the form.
OIDC specifications
IU Login implements OpenID Connect (OIDC) through the Shibboleth Identity Provider, following the OpenID Connect specifications.
Supported scopes
With OpenID Connect (OIDC), a client requests scopes, and each scope returns a set of user attributes (claims). Some scopes are public, while others are restricted and require Data Steward approval. These scopes can also be viewed in the IU IdP attribute filters for the pre-production and production environments.
For additional OIDC technical information, refer to the pre-production and production configurations.
Public scopes
Scope | Claim | Friendly name | Example |
---|---|---|---|
openid | | Username Scoped ID | johnnydo@iu.edu |
openid | | Persistent ID | dcjkfdsih67wse87wer (calculated from UID + salt) |
openid | | Username | johnnydo |
openid | | ePPN for University account* | johnnydo@iu.edu |
openid | | ePPN for IU Health* | johnnydo@iuhealth.org |
openid | | ePPN for IU Guest* | 9876543210@guest.iu.edu |
profile | sn | Preferred last name | Doe |
profile | givenName | Preferred first name | Johnny |
profile | displayName | Preferred first and last name | Johnny Doe |
profile | username | Username | johnnydo |
 | mail | email | johnnydo@domain (preferred email) |
 | email address | emailAddress | johnnydo@domain (preferred email) |
roles | entityScopedEduPersonEntitlement | eduPersonEntitlement | iu-app-users |
Restricted scopes
Scope | Claim | Common name | Example |
---|---|---|---|
legal | legalSn | Legal last name | Doe |
legal | legalGivenName | Legal first name | Jonathan |
legal | legalMiddleName | Legal middle name | Jacob |
id | UniversityID | University ID | 9876543210 |
affiliation | eduPersonAffiliation | University affiliation | staff,student,member |
affiliation | eduPersonScopedAffiliation | University scoped affiliation | staff@iu.edu,student@iu.edu,member@iu.edu |
campus | iuwareCampus | Campuses | Bloomington, IUPUI, Southeast |
* Only one of these three ePPN attributes will be passed, depending on the account type being authenticated.
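As an added example (not IU's code or configuration), the following relying-party logic applies the scope rules above: it classifies the account by the realm of whichever ePPN variant was passed (iu.edu, iuhealth.org or guest.iu.edu), requires the opaque Persistent ID as the account key, and checks for the iu-app-users entitlement returned under the roles scope. The token claim keys (eppn, persistent_id, eduPersonEntitlement) and the sample payload are assumptions, since the page lists friendly names rather than token claim names, and token signature, issuer and audience verification is assumed to have been done by the OIDC client library.

```python
# Realms of the three ePPN variants under the openid scope; exactly one is present.
EPPN_REALMS = {"iu.edu": "university", "iuhealth.org": "iu_health", "guest.iu.edu": "guest"}
REQUIRED_ENTITLEMENT = "iu-app-users"  # example value from the 'roles' scope row

# Assumed token keys (hypothetical): the page gives friendly names, not claim names.
EPPN_CLAIM, PERSISTENT_ID_CLAIM, ENTITLEMENT_CLAIM = "eppn", "persistent_id", "eduPersonEntitlement"

# Constructed sample payload using the page's example values (not a real token).
SAMPLE_CLAIMS = {
    "persistent_id": "dcjkfdsih67wse87wer",
    "eppn": "johnnydo@iu.edu",
    "username": "johnnydo",
    "eduPersonEntitlement": ["iu-app-users"],
}


def account_type_from_eppn(eppn):
    """Classify the account by its ePPN realm; unknown or malformed values are rejected."""
    local, sep, realm = eppn.rpartition("@")
    if not sep or not local:
        raise ValueError(f"malformed ePPN: {eppn!r}")
    try:
        return EPPN_REALMS[realm.lower()]
    except KeyError:
        raise ValueError(f"unexpected ePPN realm: {realm!r}") from None


def principal_from_claims(claims, allowed_types=("university",)):
    """Map already-verified ID-token claims to a principal dict, or raise ValueError.
    Signature, issuer and audience checks are assumed done by the OIDC client library."""
    subject = claims.get(PERSISTENT_ID_CLAIM)
    if not subject:
        raise ValueError("persistent ID missing; refusing to key on username or email")
    eppn = claims.get(EPPN_CLAIM)
    if not eppn:
        raise ValueError("no ePPN claim present")
    account_type = account_type_from_eppn(eppn)
    if account_type not in allowed_types:
        raise ValueError(f"{account_type} accounts are not permitted here")
    raw = claims.get(ENTITLEMENT_CLAIM, [])
    entitlements = frozenset([raw] if isinstance(raw, str) else raw)
    if REQUIRED_ENTITLEMENT not in entitlements:
        raise ValueError(f"missing entitlement {REQUIRED_ENTITLEMENT!r}")
    # Key the account on the opaque persistent ID, never on username or email.
    return {"subject": subject, "account_type": account_type, "eppn": eppn,
            "entitlements": entitlements}


if __name__ == "__main__":
    print(principal_from_claims(SAMPLE_CLAIMS))
```

Pass a wider allowed_types tuple to admit IU Health or Guest accounts deliberately rather than by default.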
This is document bhpr in the Knowledge Base.
Last modified on 2022-08-09 15:40:05.