Using the Single Sign On feature of Support Server


Published 19/08/2024

Contents

  • Introduction
  • Prerequisites
  • Instructions
  • After SSO Login
  • Difficulties

Introduction

A single sign on (SSO) function for eduroam Support Server has been developed. Currently this works with the UKAMF, so to take advantage of it your organisation needs to be a member of that federation and have a SAML IdP such as Shibboleth or OpenAthens. The SSO feature is an enhancement to the classic login mechanism, and you need to enable it through your user settings after a normal login.

If your organisation does not support SSO you can still use the classic logon mechanism.

The SSO feature means that you can enjoy the benefits of single password federated access, and your organisation assumes the responsibility for your authentication – which may include multi-factor authentication and consequent security benefit.

Single Sign On Pre-requisites

Before attempting to use the SSO feature, check that your organisation releases the right attributes first by visiting the SAML Viewer at URL https://support.eduroam.uk/saml/viewer

This will use Shibboleth to log you into the viewer. Check that the ‘Released user attributes’ section is not empty. If it is, please take a screenshot of the viewer page and provide this to the team in your organisation who manage your OpenAthens or Shibboleth IdP, and ask them to provide one or more of the required attributes.

The eduroam Support Portal service is part of the Research & Scholarship entity category, so if your service is set up to release required attributes to that category, you should be set to go.

If the section shows several attributes, read on!

Single Sign On Instructions

To use SSO you must first configure your Support Server account to use SSO.

1) Log in normally via https://support.eduroam.uk/login by clicking on the [Sign in] button. Do NOT click on the [SSO Sign in] button on your first visit (this will work after you have completed the setup process).

If you do click on the [SSO Sign in] button when your account has not been linked to SSO, you will get an 'Authentication failed' error message. If this happens you MUST return to the login page, URL https://support.eduroam.uk/login

2) Once you have logged in normally, click on the person icon in the top right of your screen and then click on 'User settings'.

The new User Settings page/panel contains the MFA and SSO settings box.

When you are logged in normally, without SSO, you'll see that the MFA and SSO settings statuses are both 'no'.

3) In the SSO attribute details box, click on the [Log into SSO] button.

The button will then change to [Link SSO].

4) Click on the [Link SSO] button.

You will then be taken to the Support Server start page, i.e. the Status overview page for the organisation your account is linked to:

https://support.eduroam.uk/monitor

You have now logged in using SSO.

After SSO Login

After logging in you can check your SSO status by going to your User Settings.

You will see that the attributes provided by your organisation's SSO IdP to the Support Server SSO SP are now displayed.

Click [Close] to exit the user settings page.

PS - do NOT use the 'eduroam' link in the top heading bar as it will take you to the production Support Server.

You will be able to log out of Support Server (if you want to), but note that the Jisc SSO will retain the authorised status of your sign-in to Support Server, so you can log straight back in using the [SSO Sign in] button on the login page https://support.eduroam.uk/login

Experiencing difficulties?

If, in the process of trying to log in, you ever find yourself at a sub-page of https://support.eduroam.uk e.g. https://support.eduroam.uk/saml/login?return_url=

or

https://support.eduroam.uk/saml/login?return_url=%2Fmonitor

and you hit return, you will get a 'Failed to store session cookie' or 'Authentication failed' error message and you won't be able to do anything. You MUST go to the URL https://support.eduroam.uk or https://support.eduroam.uk/login for things to work.