This policy describes the service available and the conditions of use for
projects being created as part of an academic programme of study at the
University of Kent to federate with Kent’s Single Sign On system.

Service Offering

Kent’s Single Sign On platform (sso.id.kent.ac.uk) is based on SAML2 and uses SimpleSAMLphp as an Identity Provider (IDP); however, you are free to implement the SAML2 protocol using whatever software you would like.

Our standard attribute release policy provides:

  • uid (username)
  • mail (email address)
  • unikentaccountType (you can use this as a role; its values include “staff”, “ugtstudent”, “pgtstudent”, “alum”, etc.)

A full list of attributes and their possible values is available on request. Please let us know your requirements.

Our metadata is available at the following URL:

https://sso.id.kent.ac.uk/idp/saml2/idp/metadata.php?output=xhtml

Registration and obligations

If you’d like to federate via SAML2, please submit a Service Request to
helpdesk@kent.ac.uk with the following details:

  1. SAML2 XML Metadata for the Service Provider (SP). Please note the following restrictions:
  2. Technical contact(s)
  3. Kent staff member to act as sponsor (normally project supervisor)
  4. A descriptive name for the service

A consent page will be enabled asking the user to confirm that they
are happy for their information to be transferred to your SP. Users will
be able to have their decision “remembered”.

Attribute data transferred as part of the SAML2 protocol may be subject to, among other things, the provisions of the Data Protection Act 1998
and should be processed and stored accordingly. Please consult your supervisor in the first instance if you have any queries about this.

Technical details

Attributes transferred during a SAML2 conversation will, where possible, be
named using the urn:oid namespace. For instance, a person’s username will
have the attribute name urn:oid:0.9.2342.19200300.100.1.1.

You are expected to implement and/or support LogoutRequests from the IDP
and honour any Conditions on session length imposed by the Assertion.

While the IDP handles the Authentication (AuthN) process, the role of
Authorisation (AuthZ) sits with the SP. You should request suitable
attributes to be able to make an authorisation decision appropriate for your
service. For example, you will probably want to limit access to only a
subset of the values of the unikentaccountType attribute, to exclude
Alumni, visitors etc.
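As an added illustration (not part of this policy or of SimpleSAMLphp), the following Python shows the SP-side steps described above: mapping urn:oid attribute names to friendly names, honouring the Assertion’s Conditions, and restricting access to an allowlist of unikentaccountType values. The uid OID comes from this page; the mail OID is the standard inetOrgPerson one; the unikentaccountType OID is a placeholder since the policy does not publish it, and the Response signature is assumed to have been verified by your SAML library already.

```python
# Added example, not part of the Kent policy or SimpleSAMLphp. Assumes the SP's
# SAML library has already verified the Response signature before this runs.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# uid OID is given in the policy; mail is the standard inetOrgPerson OID;
# the unikentaccountType OID is a PLACEHOLDER (the policy does not publish it).
OID_TO_NAME = {
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.99999.1.1": "unikentaccountType",
}
ALLOWED_ACCOUNT_TYPES = {"staff", "ugtstudent", "pgtstudent"}  # no alum/visitor

def saml_time(s):
    """Parse the UTC instant format SAML uses (fractional seconds not handled)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_attributes(assertion):
    """Map each Attribute's urn:oid Name to a friendly name -> list of values."""
    attrs = {}
    for a in assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = OID_TO_NAME.get(a.get("Name"), a.get("FriendlyName") or a.get("Name"))
        attrs[name] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    return attrs

def conditions_valid(assertion, now):
    """Honour NotBefore / NotOnOrAfter on <Conditions>; no Conditions => reject."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    return (nb is None or saml_time(nb) <= now) and (noa is None or now < saml_time(noa))

def authorise(assertion_xml, now_iso):
    """Return (allowed, uid). The IdP did AuthN; this is the SP's AuthZ decision."""
    assertion = ET.fromstring(assertion_xml)
    if not conditions_valid(assertion, saml_time(now_iso)):
        return False, None
    attrs = parse_attributes(assertion)
    uid = (attrs.get("uid") or [None])[0]
    return bool(set(attrs.get("unikentaccountType", [])) & ALLOWED_ACCOUNT_TYPES), uid

def sample_assertion(account_type):
    """Constructed test assertion, not a real Kent IdP message."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>ab123</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.99999.1.1"><saml:AttributeValue>{account_type}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""
```

An assertion presented outside its NotBefore/NotOnOrAfter window is rejected before any attribute is read, so an expired session cannot be re-used even with an allowed account type.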

Annual review

Registrations made under this policy will be reviewed in July each year
when the technical contacts and sponsor will be contacted to confirm the
registration is still required. Registrations no longer required will be revoked on or shortly after 1st September each year.

Further details

If you’re a student with the School of Computing then their RAPTOR service has a simple integration with Single Sign On available already and may provide what you’re looking for. Details available at raptor.kent.ac.uk.

If you have any questions about the process or how SSO and/or SAML2 in general should be used at the University then please contact helpdesk@kent.ac.uk.