Connect to IU Login with the OpenID Connect protocol

Before you begin

IU Login supports OIDC, along with some OAuth 2.0 features, through the Shibboleth Identity Provider. To learn more about Shibboleth, see:

You'll need to understand your role as a Service Owner and the role of the Service Provider you will be sponsoring:

  • Service Owner: The department and individuals within Indiana University that are sponsoring the Shibboleth service account being requested. Service Owners are responsible for facilitating all communications and updates from the Service Provider to the Identity Management Systems (IMS) team. Every Service Provider must have a sponsoring department and contacts.
  • Service Provider: The organization that is providing a service to users who have identities established at IU. This organization can be inside or outside IU, but it must have an IU sponsor.

Connect your service

After familiarizing yourself with these roles, to connect your service to IU Login 2.0:

  1. Working with the Service Provider, complete the OIDC Integration Request form.
  2. Agree to fulfill the responsibilities and duties of a Service Owner for the referenced Service Provider by submitting the form.

OIDC specifications

IU Login implements OpenID Connect (OIDC) through the Shibboleth Identity Provider's OIDC support, which follows the OpenID specifications.

Supported scopes

In OpenID Connect (OIDC), a client requests scopes, and each scope maps to a set of user attributes (claims) that the Identity Provider releases. Some of the scopes are public, while others are restricted and require Data Steward approval. These scopes can also be viewed in the IU IdP attribute filters for the pre-production and production environments.

For additional OIDC technical information, refer to the pre-production and production configurations.

Public scopes

| Scope | Claim | Friendly name | Example |
| --- | --- | --- | --- |
| openid | subject-public | Username Scoped ID | johnnydo@iu.edu |
| openid | subject-pairwise | Persistent ID | dcjkfdsih67wse87wer (calculated from UID + salt) |
| openid | username | Username | johnnydo |
| openid | eduPersonPrincipalName* | ePPN for University account | johnnydo@iu.edu |
| openid | iuhEppn* | ePPN for IU Health | johnnydo@iuhealth.org |
| openid | guestEppn* | ePPN for IU Guest | 9876543210@guest.iu.edu |
| profile | sn | Preferred last name | Doe |
| profile | givenName | Preferred first name | Johnny |
| profile | displayName | Preferred first and last name | Johnny Doe |
| profile | username | Username | johnnydo |
| email | mail | email address | johnnydo@domain (preferred email) |
| email | email | emailAddress | johnnydo@domain (preferred email) |
| roles | entityScopedEduPersonEntitlement | eduPersonEntitlement | iu-app-users |

Restricted scopes

| Scope | Claim | Common name | Example |
| --- | --- | --- | --- |
| legal | legalSn | Legal last name | Doe |
| legal | legalGivenName | Legal first name | Jonathan |
| legal | legalMiddleName | Legal middle name | Jacob |
| id | UniversityID | University ID | 9876543210 |
| affiliation | eduPersonAffiliation | University affiliation | staff,student,member |
| affiliation | eduPersonScopedAffiliation | University scoped affiliation | staff@iu.edu,student@iu.edu,member@iu.edu |
| campus | iuwareCampus | Campuses | Bloomington, IUPUI, Southeast |

* Only one of these three attributes will be passed based on the account type being authenticated.
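The following is an added example, not code from IU or from the Shibboleth project, showing what a relying party does with the scope tables above: it builds an authorization request restricted to the scopes the IdP publishes, validates the ID token it receives (algorithm, signature, issuer, audience, expiry, nonce) before trusting any claim, keeps only the claims its granted scopes entitle it to, and applies the footnote that exactly one of the three ePPN claims is released per account type. The issuer URL, client ID, HS256 shared secret, sample token and all helper names are assumptions made for this example; IU's IdP signs ID tokens with an asymmetric key that a real RP verifies against the IdP's published JWKS.

```python
"""Added example (not IU's code): OIDC relying-party checks for the scopes and
claims listed on this page. Issuer, client ID, signing secret and the sample
token are constructed here so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example.edu/oidc"      # placeholder, not the IU issuer
CLIENT_ID = "example-rp"                       # placeholder client_id
DEMO_KEY = b"demo-shared-secret-not-for-production"  # HS256 stand-in for the IdP's RS256 key

# Scope -> claims, from the page's tables. The openid subject (public or
# pairwise) arrives in the standard "sub" claim.
SCOPE_CLAIMS = {
    "openid": ["sub", "username", "eduPersonPrincipalName", "iuhEppn", "guestEppn"],
    "profile": ["sn", "givenName", "displayName", "username"],
    "email": ["mail", "email"],
    "roles": ["entityScopedEduPersonEntitlement"],
    "legal": ["legalSn", "legalGivenName", "legalMiddleName"],
    "id": ["UniversityID"],
    "affiliation": ["eduPersonAffiliation", "eduPersonScopedAffiliation"],
    "campus": ["iuwareCampus"],
}
EPPN_CLAIMS = ("eduPersonPrincipalName", "iuhEppn", "guestEppn")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(scopes, redirect_uri, state, nonce):
    """Authorization Code request; rejects scopes the IdP does not publish."""
    unknown = sorted(set(scopes) - set(SCOPE_CLAIMS))
    if unknown:
        raise ValueError(f"unsupported scopes: {unknown}")
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for an OIDC request")
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"


def sign_demo_id_token(claims):
    """Constructed HS256 sample token standing in for the IdP's signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(token, expected_nonce, now=None):
    """Checks to make before trusting any claim: pinned alg, signature, iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # never honour alg=none or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(DEMO_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not issued to this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def principal_name(claims):
    """Page footnote: exactly one ePPN claim is released, chosen by account type."""
    present = [c for c in EPPN_CLAIMS if c in claims]
    if len(present) != 1:
        raise ValueError(f"expected exactly one ePPN claim, found {present}")
    return present[0], claims[present[0]]


def claims_for_scopes(claims, granted_scopes):
    """Keep only the claims the granted scopes entitle the RP to use."""
    allowed = {c for s in granted_scopes for c in SCOPE_CLAIMS.get(s, [])}
    allowed |= {"iss", "aud", "exp", "iat", "nonce"}
    return {k: v for k, v in claims.items() if k in allowed}


def demo(now=1_700_000_000):
    """Constructed guest-account login using the page's example values."""
    nonce = "n-3f9c"
    token = sign_demo_id_token({
        "iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300, "iat": now, "nonce": nonce,
        "sub": "dcjkfdsih67wse87wer", "username": "johnnydo",
        "guestEppn": "9876543210@guest.iu.edu",
        "sn": "Doe", "givenName": "Johnny", "displayName": "Johnny Doe",
        "iuwareCampus": "Bloomington",   # restricted scope the RP was not granted
    })
    claims = validate_id_token(token, nonce, now=now)
    return principal_name(claims), claims_for_scopes(claims, ["openid", "profile"])


if __name__ == "__main__":
    print(build_authorization_url(["openid", "profile", "email"],
                                  "https://rp.example.edu/callback", "st-1", "n-1"))
    print(demo())
```

The order of checks in `validate_id_token` matters: the algorithm is pinned and the signature verified before the payload is even parsed, so a forged payload never reaches the issuer, audience, expiry or nonce comparisons. In a deployment, replace the HS256 stand-in with RS256 verification against the IdP's JWKS (a maintained OIDC client library does this for you) and treat the restricted-scope claims as absent unless the Data Steward approval for that scope is on record.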

This is document bhpr in the Knowledge Base.
Last modified on 2022-08-09 15:40:05.