Single Sign On
When enabled, single sign on allows members to create and log in to their Wisr accounts using their institution's login credentials. Rather than creating a new login and password, members can simply click to sign in with their school login information. This article details what is required to set up SSO with Wisr.
Wisr’s single sign on module allows you to connect to any SAML2 Identity Provider for federated identity management into Wisr.
As a member of InCommon, our Service Provider (SP) is registered with the InCommon metadata. Setting up your InCommon Identity Provider (IdP) is a fully turnkey solution and requires zero setup in Wisr. If you operate a SAML2 IdP that is not in InCommon, there is some setup that needs to occur for our solution to connect with your IdP securely.
Configuring single sign on requires two parameters:
- Login Brand Name
- Entity ID
Your Login Brand Name will be used to brand your SSO button so that it is identifiable to your members:
In this case, we’ve configured Login Brand Name to be OneOwl. Note how that is displayed on the sign in/sign up page.
If you're a member of InCommon, configuring the Entity ID for your IdP will work out of the box with no additional configuration. If you’re not a member of InCommon, please reach out to us for help getting your IdP registered with our Service Provider.
New members
Once the SSO module is configured, any of your members can sign up for your Wisr site using your SAML2 IdP at any time. Wisr will create a new member account and profile, and any attributes released by your IdP will be used by our system to pre-populate the new profile.
Supported Attributes
We support the following attributes (reference:
| Attribute | OID |
| --- | --- |
| eduPersonPrincipalName (eppn) * | urn:oid: |
| eduPersonAffiliation | urn:oid: |
| | urn:oid:0.9.2342.19200300.100.1.3 |
| givenName | urn:oid: |
| sn | urn:oid: |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 |
| O | urn:oid: |

\* required
Integrating with pre-verifications
You can use our pre-verification system to append data to your members’ profiles at sign-up time by using an email address. Our SSO module will try a variety of methods for linking to a pre-verification. We try to match a signup to a pre-verification in the following order of precedence:
- Invitation code - regardless of how a user logs in - SSO or otherwise - our primary method of linking to a pre-verification is to look up the unique code generated for each pre-verification
- SSO mail attribute matches pre-verification email address - each profile in Wisr is unique based on email address, so we try as much as possible to depend on email
- SSO eppn attribute matches pre-verification email address - if we cannot match on the mail attribute, we fall back to the eppn attribute
- SSO eppn attribute matches pre-verification unique ID
If found, we’ll copy over any data you’ve specified, like unique id, custom fields, and education/degree data. Keep this matching order in mind when configuring the mail and eppn attributes your IdP releases to Wisr; if they do not line up with your pre-verification records, we will not be able to link new SSO signups with the correct pre-verification records.
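The matching order above, worked through as an added Python example (not Wisr's own code). It assumes a simple pre-verification record layout, that the invitation code arrives separately from the SAML attributes, and that email comparisons are case-insensitive; the sample records are constructed.

```python
"""Added example, not Wisr's code: the pre-verification matching precedence
applied to constructed sample records. Assumed (not from the page): record
layout, invitation code passed separately from SAML attributes, and
case-insensitive email comparison."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class PreVerification:
    code: str                      # unique invitation code generated per record
    email: str                     # pre-verification email address
    unique_id: str                 # institution-assigned unique ID
    custom_fields: dict = field(default_factory=dict)


# Constructed sample data; INV-1003 carries an eppn-style value as its unique ID.
PREVERIFICATIONS = [
    PreVerification("INV-1001", "ada@example.edu", "u0001", {"class_year": "2015"}),
    PreVerification("INV-1002", "grace@example.edu", "u0002", {"class_year": "2012"}),
    PreVerification("INV-1003", "legacy@example.edu", "linus@example.edu"),
]


def _norm(value: Optional[str]) -> Optional[str]:
    """Trim and lower-case an identifier; None stays None (assumed normalisation)."""
    return value.strip().lower() if value else None


def match_preverification(saml_attrs: dict, invitation_code: Optional[str] = None
                          ) -> Tuple[Optional[PreVerification], Optional[str]]:
    """Return (record, method) following the documented precedence, or (None, None)."""
    mail = _norm(saml_attrs.get("mail"))
    eppn = _norm(saml_attrs.get("eppn"))
    # 1. Invitation code wins regardless of how the member signed in.
    if invitation_code:
        for rec in PREVERIFICATIONS:
            if rec.code == invitation_code:
                return rec, "invitation_code"
    # 2. SAML mail attribute equals the pre-verification email.
    # 3. Fall back to the eppn attribute against the pre-verification email.
    for method, value in (("mail", mail), ("eppn_email", eppn)):
        if value:
            for rec in PREVERIFICATIONS:
                if _norm(rec.email) == value:
                    return rec, method
    # 4. Finally, eppn attribute equals the pre-verification unique ID.
    if eppn:
        for rec in PREVERIFICATIONS:
            if _norm(rec.unique_id) == eppn:
                return rec, "eppn_unique_id"
    return None, None
```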
Linking to an existing member account
If an existing account was created in Wisr using a standard email/password login, or another form of authentication, we support linking an SSO account to the existing account. In the Account Settings screen, navigate to the branded SSO login configuration page. From there, use the “Connect your Single Sign On account” button to connect the SSO account to the existing Wisr account.