
Instructions for integrating with SSO

uConnect supports SAML 2.0 single sign-on (SSO) to improve accessibility, security, and convenience across your platform. This guide outlines everything you need to provide, how our setup process works, how to test, and how to maintain your SSO configuration over time. We support major campus identity providers including:

  • Microsoft Entra ID / Azure AD

  • Shibboleth / InCommon

  • Okta

  • Google Workspace

  • Any SAML 2.0-compliant IdP

Alternate authentication methods may be possible but require a technical review by the uConnect support team.


What We Need From You

To configure SSO, please provide the following (usually gathered by your IT team):

  1. Primary technical contacts

    • Name and email of your main SSO contact and an escalation contact.

  2. Identity Provider (IdP) platform

    • Example: Entra ID/Azure AD, Shibboleth, Okta, Google.

  3. IdP metadata URL (preferred) or XML file

    • A URL enables automatic certificate rollover.

  4. The attribute to use as the persistent User ID

    • Must be stable and unique. Common choices:

      • eduPersonPrincipalName (ePPN)

      • UPN

      • NameID

  5. Attribute names for:

    • Email

    • First name

    • Last name

  6. Campus testers

    • uConnect never receives or tests your credentials.

    • Designate a few users who can authenticate through your IdP.

  7. (Optional) Preferences such as:

    • SSO button label (e.g., “Sign in with MyID”)

    • Enforce SSO for certain email domains

    • Auto-redirect users to your IdP when accessing protected pages

    • Post-logout redirect URL

You can send all of this to uConnect support when ready.


How SSO Setup Works With uConnect

1) DNS and Domain Mapping

We finalize SSO only after your uConnect custom domain is live.
This ensures our Service Provider (SP) metadata includes the correct:

  • EntityID

  • ACS (Assertion Consumer Service) URL

Note: If you are onboarding a new uConnect platform, your onboarding manager will coordinate this step and connect your team with uConnect Technical Support for metadata exchange.

2) Exchange Metadata

  • You provide:
    Your IdP metadata URL (preferred) or XML file.

  • We provide:
    Your platform’s SP metadata URL after your branded DNS settings are applied.

Your IT team will use our SP metadata to create the SAML application in your IdP.

3) Map Required Attributes

uConnect requires four SAML attributes: User ID, email, first name, and last name.

You may use NameID for the User ID. If your attribute naming is different, we can map to your preferred values.

4) Test SSO

The standard test URL is:

https://<your uConnect custom domain>/account/login/sso

During testing:

  1. Testers authenticate through your IdP.

  2. uConnect displays their profile data.

  3. We review the returned attributes and confirm they map correctly.

  4. If attribute adjustments are needed, your IT team updates the IdP configuration and we retest.

Testing typically involves coordination between uConnect and your Identity/Security team.
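
Before a test session, your IT team can pre-check attribute release on a decoded assertion captured from your own IdP. The following is an added example, not uConnect code: the OID mapping, the check_assertion function and the sample assertion are assumptions constructed for illustration. It checks attribute release only and does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Assumed mapping (standard OIDs for ePPN, mail, givenName, sn); use the names agreed with uConnect.
MAPPING = {
    "user_id": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "first_name": "urn:oid:2.5.4.42",
    "last_name": "urn:oid:2.5.4.4",
}
# Constructed sample: transient NameID, no ePPN released, blank surname.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>tester@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def check_assertion(xml_text, mapping=MAPPING):
    """Return (profile, problems) for one decoded assertion from your own IdP test."""
    root = ET.fromstring(xml_text)
    released = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        released[attr.get("Name")] = [v for v in vals if v]
    profile, problems = {}, []
    for field, name in mapping.items():
        found = released.get(name, [])
        if len(found) == 1:
            profile[field] = found[0]
        elif len(found) > 1:
            problems.append(f"{field}: {len(found)} values released, expected one")
        elif field != "user_id":
            problems.append(f"{field}: {name} missing or empty")
    if "user_id" not in profile:
        # The guide allows NameID as the User ID, but it must be stable and unique.
        nid = root.find(".//saml:Subject/saml:NameID", NS)
        if nid is None or not (nid.text or "").strip():
            problems.append("user_id: no mapped attribute and no NameID")
        elif nid.get("Format") == TRANSIENT:
            problems.append("user_id: NameID is transient, changes every login")
        else:
            profile["user_id"] = nid.text.strip()
    return profile, problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

An empty problems list means all four values resolve to exactly one non-empty value each, with a stable identifier behind the User ID.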

When deeper troubleshooting is required

We may request a test account to allow our team to inspect the SAML assertion directly and resolve issues faster.

5) Go Live

Once testing is successful:

  • We enable the SSO button on your login page.

  • We apply your selected label (e.g., “Sign in with MyID”).

  • (Optional) We can enforce SSO for specific email domains.

  • (Optional) We can auto-redirect protected pages to your IdP.

Your SSO integration is now live for all applicable users.

Updating or Changing Your SSO Configuration

If you are an existing client and need to:

  • Update your IdP metadata

  • Change attribute mappings

  • Switch identity providers

  • Change button labels or SSO enforcement rules

  • Troubleshoot an active configuration

Please submit a support request with details on the update.
Include your:

  • IdP metadata URL/XML

  • Domain name

  • Desired changes

We will guide you through next steps and coordinate testing.


Common Attribute Values (Reference)

Standard SAML OID Attributes

Examples for major IdPs

If your campus uses alternate attributes, let us know and we’ll map them.


SSO Testing Checklist

Before going live, verify:

  • Testers are assigned to the SAML application in your IdP.

  • /account/login/sso correctly triggers your IdP login.

  • User ID, email, first name, and last name map correctly in uConnect.

  • Optional: logout sends users to your required post-logout page.

  • If you're using metadata files, note certificate expiration dates for future updates.


Troubleshooting Guide

If issues persist, submit a support request with screenshots and recent metadata.


SSO During New Platform Setup

If you are implementing uConnect for the first time:

  1. Your onboarding team member will connect you with uConnect Technical Support.

  2. Once your branded DNS is applied, we finalize metadata exchange.

  3. You complete SSO testing immediately after DNS propagates.

Because our SP metadata URL changes after branded DNS is applied, SSO configuration must be tested after DNS finalization.


FAQs

  1. Which identity providers do you support?
    Any standards-compliant SAML 2.0 IdP (Azure AD, Shibboleth, Okta, Google, etc.).

  2. Do you support signed assertions?
    Yes—commonly used and fully supported.

  3. Can we restrict access based on IdP groups/roles?
    We recommend controlling access within your IdP. uConnect does not currently enforce group-based restrictions.

  4. How are sessions handled?
    If your IdP includes session expiration in its SAML response, we can respect that value.

  5. What happens during certificate rollover?
    If you provide a metadata URL, updates happen automatically.
    If you provide a file, submit the updated metadata before the certificate expires.


Need Help?

Submit a support request any time you need assistance with:

  • Initial SSO setup

  • Metadata updates

  • Attribute mapping changes

  • Troubleshooting login issues

  • Migrating to a new IdP

Please include your IdP type and metadata URL/XML for the fastest support.