
Instructions for integrating with SSO

Implement your institution's universal credentialing system to allow students and faculty to pass from one authenticated tool to the next.

Written by Shannon Desmond
Updated over 3 weeks ago

uConnect supports SAML 2.0 single sign-on (SSO) to improve accessibility, security, and convenience across your platform. This guide outlines everything you need to provide, how our setup process works, how to test, and how to maintain your SSO configuration over time. We support major campus identity providers including:

  • Microsoft Entra ID / Azure AD

  • Shibboleth / InCommon

  • Okta

  • Google Workspace

  • Any SAML 2.0-compliant IdP

Alternate authentication methods may be possible but require a technical review by the uConnect support team.


What We Need From You

To configure SSO, please provide the following (usually gathered by your IT team):

  1. Primary technical contacts

    • Name and email of your main SSO contact and an escalation contact.

  2. Identity Provider (IdP) platform

    • Example: Entra ID/Azure AD, Shibboleth, Okta, Google.

  3. IdP metadata URL (preferred) or XML file

    • A URL enables automatic certificate rollover.

  4. The attribute to use as the persistent User ID

    • Must be stable and unique. Common choices:

      • eduPersonPrincipalName (ePPN)

      • UPN

      • NameID

  5. Attribute names for:

    • Email

    • First name

    • Last name

  6. Campus testers

    • uConnect never receives or tests your credentials.

    • Designate a few users who can authenticate through your IdP.

  7. (Optional) Preferences such as:

    • SSO button label (e.g., “Sign in with MyID”)

    • Enforce SSO for certain email domains

    • Auto-redirect users to your IdP when accessing protected pages

    • Post-logout redirect URL

You can send all of this to uConnect support when ready.


How SSO Setup Works With uConnect

1) DNS and Domain Mapping

We finalize SSO only after your uConnect custom domain is live.
This ensures our Service Provider (SP) metadata includes the correct:

  • EntityID

  • ACS (Assertion Consumer Service) URL

Note: If you are onboarding a new uConnect platform, your onboarding manager will coordinate this step and connect your team with uConnect Technical Support for metadata exchange.

2) Exchange Metadata

  • You provide:
    Your IdP metadata URL (preferred) or XML file.

  • We provide:
    Your platform’s SP metadata URL after your branded DNS settings are applied.

Your IT team will use our SP metadata to create the SAML application in your IdP.

3) Map Required Attributes

uConnect requires four SAML attributes:

| Purpose | Attribute Name (example) | OID / Claim URI Example |
| --- | --- | --- |
| User ID (unique & persistent) | ePPN, UPN, or NameID | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (ePPN) |
| Email | email | urn:oid:0.9.2342.19200300.100.1.3 |
| First name | givenName | urn:oid:2.5.4.42 |
| Last name | sn / surname | urn:oid:2.5.4.4 |

You may use NameID for the User ID. If your attribute naming is different, we can map to your preferred values.

4) Test SSO

The standard test URL is:

https://<your-uconnect-host>/account/login/sso

During testing:

  1. Testers authenticate through your IdP.

  2. uConnect displays their profile data.

  3. We review the returned attributes and confirm they map correctly.

  4. If attribute adjustments are needed, your IT team updates the IdP configuration and we retest.

Testing typically involves coordination between uConnect and your Identity/Security team.

When deeper troubleshooting is required

We may request a test account to allow our team to inspect the SAML assertion directly and resolve issues faster.
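
To see which attributes your IdP releases before a test session, the added example below (not uConnect code) parses a SAML assertion captured from one of your own testers and maps it to the four required fields, using the OIDs and names listed in this guide. The sample assertion is constructed and the function names are assumptions; the script inspects attributes only and does not verify signatures or handle encrypted assertions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Required fields -> attribute names listed in this guide (OIDs and friendly names).
REQUIRED = {
    "user_id": {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "eduPersonPrincipalName"},
    "email": {"urn:oid:0.9.2342.19200300.100.1.3", "mail", "email"},
    "first_name": {"urn:oid:2.5.4.42", "givenName"},
    "last_name": {"urn:oid:2.5.4.4", "sn", "surname"},
}
# Constructed sample: releases mail and givenName only, plus a NameID.
SAMPLE = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def released_attributes(xml_bytes):
    """Return (name_id, {attribute Name: [values]}) from a SAML response or assertion."""
    # SAML messages never carry a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not valid in SAML messages")
    root = ET.fromstring(xml_bytes)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    return subject, attrs

def check_mapping(xml_bytes, allow_name_id=True):
    """Map released attributes to the four required fields and list the missing ones."""
    name_id, attrs = released_attributes(xml_bytes)
    mapped = {}
    for field, names in REQUIRED.items():
        hit = next((attrs[n][0] for n in attrs if n in names and attrs[n]), None)
        if hit is None and field == "user_id" and allow_name_id:
            hit = name_id  # the guide allows NameID as the User ID
        mapped[field] = hit
    missing = sorted(f for f, v in mapped.items() if v is None)
    return mapped, missing

if __name__ == "__main__":
    print(check_mapping(SAMPLE))
```

If your IdP uses different attribute names, add them to `REQUIRED` and tell uConnect support which ones to map.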

5) Go Live

Once testing is successful:

  • We enable the SSO button on your login page.

  • We apply your selected label (e.g., “Sign in with MyID”).

  • (Optional) We can enforce SSO for specific email domains.

  • (Optional) We can auto-redirect protected pages to your IdP.

Your SSO integration is now live for all applicable users.

Updating or Changing Your SSO Configuration

If you are an existing client and need to:

  • Update your IdP metadata

  • Change attribute mappings

  • Switch identity providers

  • Change button labels or SSO enforcement rules

  • Troubleshoot an active configuration

Please submit a support request with details on the update.
Include your:

  • IdP metadata URL/XML

  • Domain name

  • Desired changes

We will guide you through next steps and coordinate testing.


Common Attribute Values (Reference)

Standard SAML OID Attributes

| Field | Attribute Key | OID / Example |
| --- | --- | --- |
| UserID | eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
| Email | mail | urn:oid:0.9.2342.19200300.100.1.3 |
| First name | givenName | urn:oid:2.5.4.42 |
| Last name | sn / surname | urn:oid:2.5.4.4 |

Examples for major IdPs

| Field | Shibboleth/InCommon | Microsoft Entra ID/Azure AD | Okta | Google |
| --- | --- | --- | --- | --- |
| User ID | ePPN OID above | …/identity/claims/upn | userID | uid |
| Email | mail OID | …claims/emailaddress | email | email |
| First | givenName OID | …claims/givenname | firstName | given_name |
| Last | sn OID | …claims/surname | lastName | family_name |

If your campus uses alternate attributes, let us know and we’ll map them.


SSO Testing Checklist

Before going live, verify:

  • Testers are assigned to the SAML application in your IdP.

  • /account/login/sso correctly triggers your IdP login.

  • User ID, email, first name, and last name map correctly in uConnect.

  • Optional: logout sends users to your required post-logout page.

  • If you're using metadata files, note certificate expiration dates for future updates.


Troubleshooting Guide

| Symptom | Likely Cause | How to Fix |
| --- | --- | --- |
| Campus “Access Denied” page after login | User is not assigned to the SAML app | Assign user or update group claims |
| “Missing TARGET parameter” (Okta only) | Old saml1 endpoint in use | Update to the Okta saml2 SSO URL |
| uConnect reports missing User ID attribute | IdP is not releasing the expected attribute | Release the attribute or tell us the correct one to map |
| Signature/certificate errors | IdP signing certificate changed | Send updated metadata or metadata URL |

If issues persist, submit a support request with screenshots and recent metadata.


SSO During New Platform Setup

If you are implementing uConnect for the first time:

  1. Your onboarding team member will connect you with uConnect Technical Support.

  2. Once your branded DNS is applied, we finalize metadata exchange.

  3. You complete SSO testing immediately after DNS propagates.

Because our SP metadata URL changes after branded DNS is applied, SSO configuration must be tested after DNS finalization.


FAQs

  1. Which identity providers do you support?
    Any standards-compliant SAML 2.0 IdP (Azure AD, Shibboleth, Okta, Google, etc.).

  2. Do you support signed assertions?
    Yes—commonly used and fully supported.

  3. Can we restrict access based on IdP groups/roles?
    We recommend controlling access within your IdP. uConnect does not currently enforce group-based restrictions.

  4. How are sessions handled?
    If your IdP includes session expiration in its SAML response, we can respect that value.

  5. What happens during certificate rollover?
    If you provide a metadata URL, updates happen automatically.
    If you provide a file, submit the updated metadata before the certificate expires.


Need Help?

Submit a support request any time you need assistance with:

  • Initial SSO setup

  • Metadata updates

  • Attribute mapping changes

  • Troubleshooting login issues

  • Migrating to a new IdP

Please include your IdP type and metadata URL/XML for the fastest support.

