Populi supports SAML 2.0 single sign-on as either a Service Provider (SP) or Identity Provider (IdP). This article covers the IdP setup.
- When functioning as an identity provider, Populi accepts incoming authentication requests and provides a login page. When the user has successfully authenticated, Populi will redirect them back to your external application.
- When functioning as a service provider, Populi won't store user passwords; instead it redirects users to your SAML 2.0 Identity Provider. Once the user has authenticated on your system, they are redirected back to Populi, which validates the response and then allows them access.
- You cannot use Populi as both Identity Provider and Service Provider: it has to be either the authoritative source for user credentials or it has to look to an external system, but not both.
- To set up SSO, you need to have Account Admin privileges to your school's Populi account.
Populi as Identity Provider (IdP)

- If your application needs to authenticate against user accounts stored in Populi, use the metadata URL (in XML format) found at https://yourcollege.populiweb.com/router/saml/idp/metadata
- Its IdP certificate can be found at https://yourcollege.populiweb.com/router/account/sso_idp_cert
- If you want to use Google Apps for Education through Populi, our support team will set up Google Apps to use Populi as an Identity Provider as part of the integration.
Setup
To set up Populi as an IdP, you'll provide information about the service providers you wish to authenticate against Populi user accounts.
- Go to Account > Account Settings > SSO (IdP).
- Under Should other applications be allowed to authenticate against Populi?, you have three options:
- Never let other applications authenticate: This prevents Populi from being used as Identity Provider.
- Always let other applications authenticate: Allows any application to authenticate against Populi.
- Choose which applications can authenticate: Lets you specify service providers that can authenticate against Populi.
- When you select Always... or Choose..., you'll be given the option to Add a service provider.
- Name: The name by which this service provider will be identified within Populi.
- Entity ID: The same entity_ID as that of the service provider.
- X509 Certificate: Copy-paste the certificate contents, or leave this blank if you want to skip the identity check. If you get an error message that the X509 certificate is not valid, look for spaces in the certificate file and remove them: some services insert a space every 64 characters by default, and those need to be removed.
- Consumer URLs: If you enter one URL per line, Populi will only send responses to these locations (this prevents man-in-the-middle attacks). This setting is ignored for signed requests, since in that case the SP's identity has already been verified.
- Status: Is the application Active or Inactive?
- If desired, you can also use Advanced settings:
- SAML Signature: Message Only (default), Assertion Only, or Message and Assertion
- NameId Format: Email Address (default), Unspecified, Persistent, or Transient
- NameId Template: This lets you customize exactly the format of the NameId sent back in the SAML replies. The default is {username}@domain
- Logout Redirect URL: If you wish to redirect users somewhere else upon logging out, enter it here. Otherwise they will return to your school's Populi login page.
- Custom Parameters: You may specify additional parameters to send back in the SAML reply, each with a name and value. The following parameters are included by default:
  - FirstName
  - LastName
  - Email
  - PopuliID
  - urn:oid:0.9.2342.19200300.100.1.3
  - urn:oid:0.9.2342.19200300.100.1
- See below for a list of variables you can use.
- Finally, click Add service provider.
Variables
The following options are available for most variables:
- width
- padding=left|right
- padding_char
Example: {populi_id:width=20,padding=left,padding_char=0}
Important identifiers like username or populi_id will ignore the width option rather than be truncated, but names can be truncated.
Multiple variables can be combined in a single SAML attribute value: {first_name:width=1}. {user_name}@{domain}
Available Variables:
- {user_name} (example: johndoe123)
- {domain} (example: yourschool.edu): If your school has multiple domains, this will be the one associated with this user.
- {first_name} (example: John)
- {last_name} (example: Doe)
- {preferred_name} (example: Johnny)
- {display_name} (example: John "Johnny" Doe, Jr.)
- {initials} (example: JJD)
- {populi_id} (example: 997844)
- {student_id} (example: DOE202600001)
- {roles}: All the Populi roles for a user, for example [STUDENT_BILLING, FACULTY]. This is a repeating SAML attribute.
- {edu_affiliation}: Some mix of standard eduPerson roles: [faculty, staff, student, member]. If a user is faculty, staff, or student, they also get member. This is a repeating SAML attribute.
- {edu_scoped_affiliation}: Some mix of standard eduPerson roles: [faculty@yourdomain.edu, staff@yourdomain.edu, student@yourdomain.edu, member@yourdomain.edu]. This is a repeating SAML attribute.
- {edu_primary_affiliation}: The first or "highest" role from the user's list of edu_affiliation roles above.
- {UUID}: A random UUID that changes for each SAML request.
- {random}: A random integer that changes for each SAML request. It is 10 digits long by default, but this can be changed with the width option.
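As an added illustration of the width, padding and padding_char options (not Populi's own implementation), the following Python renders a NameId or attribute template with the rules stated above: identifiers such as user_name and populi_id keep their full value when they exceed width, names are truncated, and padding goes to the right when only width is given (that default is an assumption; the page does not state it). The user record used in the comments is a constructed sample.

```python
import re

# Identifiers that keep their full value when they exceed the requested width
# (the page says username and populi_id ignore width rather than truncate).
UNTRUNCATABLE = {"user_name", "populi_id"}

# Matches {name} or {name:opt=value,opt=value}
VAR_RE = re.compile(r"\{([A-Za-z_]+)(?::([^}]*))?\}")


def parse_options(spec):
    """Turn 'width=20,padding=left,padding_char=0' into a dict."""
    options = {}
    for part in (spec or "").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            options[key.strip()] = value.strip()
    return options


def apply_width(name, value, options):
    """Truncate or pad one rendered value according to its width options."""
    if "width" not in options:
        return value
    width = int(options["width"])
    if len(value) > width:
        # Important identifiers are never cut short; names are truncated.
        return value if name in UNTRUNCATABLE else value[:width]
    pad = options.get("padding_char", " ") * (width - len(value))
    # Assumption: when only width is given, pad on the right.
    return pad + value if options.get("padding", "right") == "left" else value + pad


def render_template(template, user):
    """Expand every {variable:options} in template from the user record.

    With the constructed user {"first_name": "John", "user_name": "johndoe123",
    "domain": "yourschool.edu"}, the page's example
    "{first_name:width=1}. {user_name}@{domain}" renders as
    "J. johndoe123@yourschool.edu".
    """
    def replace(match):
        name, spec = match.group(1), match.group(2)
        if name not in user:
            raise KeyError(f"unknown template variable {name!r}")
        return apply_width(name, str(user[name]), parse_options(spec))
    return VAR_RE.sub(replace, template)
```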