Automatically Sign in From Your Own Website
Use Get Connected's Single Sign-on (SSO) feature to sign in to your Get Connected site from your school or business website. Our SSO confirms that a user has been authenticated in your own system before allowing them to access Get Connected as an authenticated user. This means the user is allowed to access your Get Connected system without having to use independent login credentials.
Note: This feature should only be implemented by those who work with IT support. Contact firstname.lastname@example.org if you have any questions about whether this solution is right for you.
This article focuses on using Shibboleth to create Single Sign-on. SAML and for Active Director Federated Services (ADFS) follow the same steps. While JWT is the default method for SSO, Galaxy Digital has conducted a number of Shibboleth integrations. For help on LDAP integrations, click here to get the documentation.
Described below is a overview of how SSO works using this method:
- A user is directed to your system to log in.
- They log in.
- An encrypted payload is sent to the Connect site, and the payload is decrypted.
- We log the user in.
- If they have a profile, we log them in to their existing profile.
- If they do not have a profile, we create a profile, log them into it, and ask them to provide information not sent in the payload.
The following steps outline what needs to be completed by both Galaxy Digital and your IT staff in order to setup a Single Sign-on Integration with Shibboleth.
Galaxy Digital will create a CSR so the client can purchase and send to us an SSL certificate. This process begins by having the client fill out the CSR request form. Galaxy staff will then send it to the client so that they can create the SSL certificate and send the certificate back for installation.
If a custom domain is being used, that must be setup before an SSL can be generated and will result in additional cost. Please contact email@example.com to inquire about these costs. If a custom domain is not being used, this step can be skipped, and Galaxy Digital will use its own wildcard certificate instead.
Note: If your site is using a vanity domain (i.e. any domain other than the one created by Galaxy Digital when your site is created), there is a cost incurred by the client to set up the integration. Please reach out to firstname.lastname@example.org to inquire about this integration and the cost involved.
The client sends Galaxy a link to their public meta data information. The meta data must include the following:
$attr['emailKey'] = 'urn:oid:0.9.2342.19200300.100.1.3';
$attr['usernameKey'] = 'urn:oid:188.8.131.52.4.1.59184.108.40.206.6';
$attr['firstNameKey'] = 'urn:oid:220.127.116.11';
$attr['lastNameKey'] = 'urn:oid:18.104.22.168';
A unique identifier from your system (e.g. employee/student ID number) is optional. Clients who want to include this in the payload need to inform Galaxy Digital of what variable to use.
Note: Unless another unique identifier is provided, the system will examine the email address to determine if a user already has an account or needs one created for them. If one is provided, the system will instead attempt to find accounts with a matching alternative identifier before using email address.
Once we receive the SSL certificate, we add the load balancer and install the client’s SSL certificate for their selected domain. If a custom domain is not being used, this step can be skipped, and Galaxy Digital will use its own wildcard certificate instead.
Shibboleth is installed on the site by Galaxy Digital.
Galaxy staff provide the client with their meta data so the integration can be completed by the client's IT staff.
The connection is tested and troubleshooted as necessary.
Note: Providing test credentials to Galaxy staff can greatly expedite this process. Please consider creating a set of credentials with log in permission or giving access to an existing test account.
Galaxy staff notify the client that the process is compete and can be used by anyone who has permission to log into their system. Occasionally small, limited modifications to the process will be made at this point, such as changing the wording on buttons, where Galaxy is able.