Much of the information you are likely looking for will be located in our Services section, which provides details about our core services and associated Service Level Agreements. You can also search this wiki for the information you need.
The University of California, San Francisco Identity and Access Management team provides documentation on supported services and on how to utilize them. They also maintain the MyAccess authentication and online campus directory services. Please visit the Services section of this website for a complete list of services.
During your application selection or development phase, direct your questions and report problems to the ITS Identity and Access Management team at firstname.lastname@example.org.
Integrating Your Application with MyAccess, the UCSF Single Sign-On Solution
If you are buying a third-party application
Please be sure to consult with the vendor about integration with MyAccess before you sign a contract. The MyAccess single sign-on system is designed around the Security Assertion Markup Language (SAML), which is implemented using version 2.3.8 of the Shibboleth Identity Provider (IdP). MyAccess integration can be lengthy and time-consuming, and you will want the vendor to share in that cost.
If you are building your own application
Please be sure to go through the MyAccess Integration ToolKit. For a quick overview of how SAML works and what our integration process is, check out the short "How It Works: MyAccess, SAML and Shibboleth" article.
UCSF Identity and Access Management Terms of Service
All applications which integrate with MyAccess must review and agree to the Responsibilities and Agreement.
Authentication and Authorization
The MyAccess system provides authentication services only; it does not make authorization decisions. Along with the authentication result, it passes your application any necessary information about the authenticated user so that the application can determine whether the user should be authorized to gain access. Remember that authentication merely verifies an individual's digital identity. Your application must determine whether or not to authorize a user to access your application.
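The following is an added example, not code from the IAM team or the MyAccess Integration ToolKit, showing an application-side, deny-by-default authorization check made after authentication. It assumes the application sits behind a Shibboleth Service Provider that exports attributes into the request environment under the hypothetical names `affiliation` and `entitlement`; all values are constructed.

```python
import re

# Assumed policy for a hypothetical application: every listed attribute must
# carry at least one permitted value. Names and values are constructed.
POLICY = {
    "affiliation": {"staff@example.edu", "faculty@example.edu"},
    "entitlement": {"urn:example:app:user"},
}

def split_values(raw):
    """Split a multi-valued attribute string as a Shibboleth SP exports it:
    ';' separates values and a backslash-escaped ';' is a literal semicolon."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def authorize(env, policy=POLICY):
    """Return (allowed, detail). Deny unless every policy attribute matches.

    `env` must be the server-side request environment populated by the SP,
    never values read from client-supplied HTTP headers.
    """
    user = env.get("REMOTE_USER", "").strip()
    if not user:
        # No authenticated identity: authorization is never evaluated.
        return False, "not authenticated"
    for attr, permitted in policy.items():
        values = set(split_values(env.get(attr, "")))
        if not values & permitted:
            # A missing attribute is treated the same as a non-matching one.
            return False, f"{attr}: no permitted value"
    return True, user

# Constructed sample request environments.
SAMPLE_STAFF = {"REMOTE_USER": "jdoe@example.edu",
                "affiliation": "member@example.edu;staff@example.edu",
                "entitlement": "urn:example:app:user"}
SAMPLE_STUDENT = {"REMOTE_USER": "asmith@example.edu",
                  "affiliation": "student@example.edu",
                  "entitlement": "urn:example:app:user"}
SAMPLE_ANON = {"affiliation": "staff@example.edu",
               "entitlement": "urn:example:app:user"}

if __name__ == "__main__":
    for sample in (SAMPLE_STAFF, SAMPLE_STUDENT, SAMPLE_ANON):
        print(authorize(sample))
```

An authenticated user whose attributes do not satisfy the policy is denied just like an unauthenticated one, which is the distinction the paragraph above draws.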
Identity and Access Management Test Services
The IAM team offers a staging (test) Shibboleth environment and is in the process of setting up a test Enterprise Directory Service. Before putting your application into full production and integrating it into the production MyAccess SSO system, you'll want to test your applications against the staging environments. We conduct periodic maintenance on our test systems. When upgrades may impact your MyAccess integrations, we will give you adequate time to test your integration before we upgrade production services.
Once your application is in production, if you or your users encounter problems accessing your application and you believe the problem to be related to either Shibboleth or the Enterprise Directory Service, let us know using one of the methods below.
- Call the IT Service Desk at (415) 514-4100
- Create a new ServiceNow Incident (MyAccess login required)
Be sure to classify the problem as follows.
- Application is unable to access Shibboleth. OR
- Application is unable to access EDS. OR
- EDS is returning incorrect or unexpected data.
Other Questions or Comments
If you just have a question or comment related to Identity and Access Management, feel free to send an email to IAM-Team@ucsf.edu.