{"id":295,"date":"2015-11-13T08:33:54","date_gmt":"2015-11-13T08:33:54","guid":{"rendered":"http:\/\/blogs.kent.ac.uk\/unseenit\/?page_id=295"},"modified":"2017-11-06T10:10:17","modified_gmt":"2017-11-06T10:10:17","slug":"registration-policy-for-student-projects-using-single-sign-on","status":"publish","type":"page","link":"https:\/\/blogs.kent.ac.uk\/unseenit\/registration-policy-for-student-projects-using-single-sign-on\/","title":{"rendered":"Registration policy for Student Projects using Single Sign On"},"content":{"rendered":"<p>This policy describes the service available and the conditions of use for<br \/>\nprojects being created as part of an academic programme of study at the<br \/>\nUniversity of Kent to <em>federate<\/em>\u00a0with Kent&#8217;s Single Sign On system.<\/p>\n<h2>Service Offering<\/h2>\n<p>Kent&#8217;s Single Sign On platform (sso.id.kent.ac.uk) is based on SAML2 and\u00a0uses <a href=\"https:\/\/simplesamlphp.org\/\">SimpleSAMLphp<\/a> as an <em>Identity Provider<\/em>\u00a0(IDP) however you are free to implement the <a href=\"https:\/\/en.wikipedia.org\/wiki\/SAML_2.0\">SAML2 protocol<\/a> using whatever software you would like.<\/p>\n<p>Our standard attribute release policy provides:<\/p>\n<ul>\n<li>uid (username)<\/li>\n<li>mail (email address)<\/li>\n<li>unikentaccountType (you can use this as a role, includes &#8220;staff&#8221;, &#8220;ugtstudent&#8221;, &#8220;pgtstudent&#8221;, &#8220;alum&#8221; etc)<\/li>\n<\/ul>\n<p>A full list of attributes and their possible values is available on request. Please let us know\u00a0your requirements.<\/p>\n<p>Our metadata is available at the following URL:<\/p>\n<pre><a href=\"https:\/\/sso.id.kent.ac.uk\/idp\/saml2\/idp\/metadata.php?output=xhtml\">https:\/\/sso.id.kent.ac.uk\/idp\/saml2\/idp\/metadata.php?output=xhtml<\/a><\/pre>\n<h2>Registration and obligations<\/h2>\n<p>If you&#8217;d like to federate via SAML2, please submit a Service Request to<br \/>\n<a href=\"mailto:helpdesk@kent.ac.uk\">helpdesk@kent.ac.uk<\/a> with the following details:<\/p>\n<ol>\n<li>SAML2 XML Metadata for the <em>Service Provider<\/em> (SP). Please note the following restrictions:\n<ul>\n<li>Your EntityID must conform to the <a href=\"http:\/\/www.ukfederation.org.uk\/content\/Documents\/EntityIDPolicy\">UK Access Management Federation&#8217;s policy<\/a> on naming<\/li>\n<li>Your SAML2 endpoints must be fully qualified DNS names rather than, for example, <tt>localhost<\/tt> or <tt>192.168.1.5<\/tt><\/li>\n<\/ul>\n<\/li>\n<li>Technical contact(s)<\/li>\n<li>Kent staff member to act as sponsor (normally project supervisor)<\/li>\n<li>A descriptive name for the service<\/li>\n<\/ol>\n<p>A <em>consent<\/em> page will be enabled asking the user to confirm that they<br \/>\nare happy for their information to be transferred to your SP. Users will<br \/>\nbe able to have their decision &#8220;remembered&#8221;.<\/p>\n<p>Attribute data transferred as part of the SAML2 protocol may be subject to, among other things, the provisions of the <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/data-protection-principles\/\">Data Protection Act 1998<\/a><br \/>\nand should be processed and stored accordingly. Please consult your supervisor in the first instance if you have any queries about this.<\/p>\n<h2>Technical details<\/h2>\n<p>Attributes transferred during a SAML2 conversation will, where possible, be<br \/>\nnamed using the <code>urn:oid<\/code> namespace. For instance, a person&#8217;s username will<br \/>\nhave the attribute name <code>urn:oid:0.9.2342.19200300.100.1.1<\/code>.<\/p>\n<p>You are expected to implement and\/or support <em>LogoutRequests<\/em> from the IDP<br \/>\nand honour any <em>Conditions<\/em>\u00a0imposed on session length imposed by the<br \/>\n<em>Assertion.<\/em><\/p>\n<p>While the IDP handles the <em>Authentication\u00a0<\/em>(AuthN) process, the role of<br \/>\n<em>Authorisation<\/em> (AuthZ) sits with the SP. You should request suitable<br \/>\nattributes to be able to make an authorization decision appropriate for your<br \/>\nservice. For example, you will probably want to limit access to only a<br \/>\nsubset of the values of the <code>unikentaccountType<\/code> attribute to exclude<br \/>\nAlumni, visitors etc.<\/p>\n<h2>Annual review<\/h2>\n<p>Registrations made under this policy\u00a0will be reviewed in July each year<br \/>\nwhen the technical contacts and sponsor will be contacted to confirm the<br \/>\nregistration is still required. Registrations no longer required will be revoked on or shortly after 1st September each year.<\/p>\n<h2>Further details<\/h2>\n<p>If you&#8217;re a student with the School of Computing then their RAPTOR service has a simple integration with Single Sign On available already and may provide what you&#8217;re looking for. Details available at <a href=\"https:\/\/raptor.kent.ac.uk\/#authentication\">raptor.kent.ac.uk<\/a>.<\/p>\n<p>If you have any questions about the process or how SSO and\/or SAML2 in general should be used at the University then please contact <a href=\"mailto:helpdesk@kent.ac.uk\">helpdesk@kent.ac.uk<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This policy describes the service available and the conditions of use for projects being created as part of an academic programme of study at the &hellip; <a href=\"https:\/\/blogs.kent.ac.uk\/unseenit\/registration-policy-for-student-projects-using-single-sign-on\/\">Read&nbsp;more<\/a><\/p>\n","protected":false},"author":13,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/pages\/295"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/comments?post=295"}],"version-history":[{"count":10,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/pages\/295\/revisions"}],"predecessor-version":[{"id":424,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/pages\/295\/revisions\/424"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/media?parent=295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}