Page tree
Skip to end of metadata
Go to start of metadata

Much of the information you are likely looking for will be located in our Services section, which provides details about our core services and associated Service Level Agreements. You can also search this wiki for the information you need.


The University of California, San Francisco Identity and Access Management team provides documentation on supported services and on how to utilize them.  They also maintain the MyAccess authentication and online campus directory services.  Please visit the Services section of this website for a complete list of services.

During your application selection or development phase, direct your questions and report problems to the ITS Identity and Access Management team at

Integrating Your Application with MyAccess, the UCSF Single Sign-On Solution

If you are buying a third-party application

Please be sure to consult with the vendor about integration with MyAccess before you sign a contract. The MyAccess single-sign-on system is designed around the Security Assertion Markup Language (SAML) which is implemented using version 2.3.8 of the Shibboleth Identity Provider (IdP).  MyAccess integration can be lengthy and time-consuming, and you will want the vendor to share in that cost.

If you are building your own application

Please be sure to go through the MyAccess Integration ToolKit.  For a quick overview of how SAML works and what our integration process is, check out the short "How It Works: MyAccess, SAML and Shibboleth" article.

UCSF Identity and Access Management Terms of Service

All applications which integrate with MyAccess must review and agree to the Responsibilities and Agreement.

Authentication and Authorization

The MyAccess system only provides authentication services.  It also provides any necessary information to your application about an authenticated user so that the application can determine whether the user should be authorized to gain access.  Remember that authentication merely verifies an individual's digital identity. Your application must determine whether or not to authorize a user to access your application.


Identity and Access Management Test Services

The IAM team offers a staging (test) Shibboleth environment and is in the process of setting up a test Enterprise Directory Service.  Before putting your application into full production and integrating it into the production MyAccess SSO system, you'll want to test your applications against the staging environments. We conduct periodic maintenance on our test systems. When upgrades may impact your MyAccess integrations, we will give you adequate time to test your integration before we upgrade production services.


Operational Support

Once your application is in production, if you or your users encounter problems accessing your application and you believe the problem to be related to either Shibboleth or the Enterprise Directory Service, let us know using one of the below methods.

Be sure to classify the problem as follows.

  • Application is unable to access Shibboleth. OR
  • Application is unable to access EDS. OR
  • EDS is returning incorrect or unexpected data.


Other Questions or Comments

If you just have a question or comment related to Identity and Access Management, feel free to send an email to



  • No labels