Download Setup Instructions: ARMS_SSO_Setup.pdf
Compliance + Recruiting provides Single Sign-On (SSO) capabilities through integration with university systems via the Shibboleth system. Shibboleth is a web-based technology that implements the HTTP/POST, artifact, and attribute push profiles of SAML, including both Identity Provider (IdP) and Service Provider (SP) components. While Compliance + Recruiting uses Shibboleth as its Service Provider (SP), ARMS can support SSO via a SAML integration with a number of providers. This includes, but is not limited to: Shibboleth, Okta, and Microsoft AD/Azure.
Setting up SSO is straightforward and can be completed by your IT group with the following steps. Please note that we prefer to do the initial configuration and testing in our testing environment.
1. Your IT group will load Compliance + Recruiting's information into your IdP.
The Compliance + Recruiting public key for testing is located at https://clients.armssoftware.com/sso/sp-metadata.staging.xml.
The Compliance + Recruiting public key for production is located at https://clients.armssoftware.com/sso/sp-metadata.xml.
2. Your IT group will need to provide answers to the following questions:
A. Where can we obtain the metadata for your production IdP? (e.g., https://shib.university.edu/idp/shibboleth)
B. Do you have a logout endpoint that Compliance + Recruiting should redirect to when a user logs out of Compliance + Recruiting, for any cleanup tasks that need to occur on your end during logout? If so, what is the URL?
C. Do you have a preferred attribute (e.g., eduPersonPrincipalName, email) that you would like to send from your IdP that we can use to identify the user? Note: Compliance + Recruiting prefers to use the eduPersonPrincipalName attribute but can work with your IT group if they prefer an alternative. The only requirement is that the attribute be fully scoped, which means the value sent over will include your domain name (e.g., username@university.edu).
D. Do you have a test user account we can use to attempt authentication? What are the credentials?
3. Compliance + Recruiting will set everything up to point to your university's login page.
4. Initial testing will be completed by Compliance + Recruiting using the test account provided. After testing, Compliance + Recruiting will provide you with a link to confirm the SSO login process is working as expected. If there are any issues, then Compliance + Recruiting will work with your IT group to determine why the integration is not working.
5. Once SSO integration has been verified, the following steps will be completed:
A. Compliance + Recruiting will work with you to confirm that all staff and student-athletes are properly set up in Compliance + Recruiting with their University username.
B. You can optionally send an email to users telling them that they should now select the "Do you access Compliance + Recruiting with your school's central login?" link on the login page.
C. If a user attempts to log in with their old Compliance + Recruiting direct login, they will be prompted to select their school and log in with your school credentials. This step, in particular, makes the transition pretty seamless.
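
For steps 1 and 2C, an IT group may want to review what an SP metadata file contains before loading it into the IdP, and confirm that the identifier attribute it releases is fully scoped. The following is an added example, not part of the vendor's instructions or code; the sample metadata, entityID, endpoint, certificate bytes and function names are all constructed for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
DUMMY_DER = b"constructed-cert-bytes"  # placeholder, not a real certificate
CERT_B64 = base64.b64encode(DUMMY_DER).decode()
# Constructed sample: not the vendor's real metadata; values are placeholders.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_sp_metadata(xml_text):
    """Return entityID, ACS endpoints and cert fingerprints for manual review."""
    # SAML metadata has no need for DTDs; refuse them before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    acs = [(e.get("Binding"), e.get("Location"))
           for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    # Assertions are posted to these URLs, so each one should be HTTPS.
    insecure = [loc for _, loc in acs if not (loc or "").startswith("https://")]
    fingerprints = []
    for cert in root.iterfind(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((cert.text or "").split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "acs": acs,
            "insecure_acs": insecure, "cert_sha256": fingerprints}

def is_fully_scoped(value, expected_scope):
    """True only for a single 'user@scope' value carrying the expected domain."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", value)
    return bool(m) and m.group(1).lower() == expected_scope.lower()
```

The certificate fingerprint in the summary is the value to compare against one obtained from the vendor through a separate channel before trusting the metadata.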