Importantly, not every application can, or should, be integrated with the MyAccess login system. In particular, if your application does not have a web interface, you would not want to use the MyAccess login system; development time and resources would be better invested in an integration with Active Directory rather than in the web-only MyAccess login system. That being said, many mobile platform applications use an embedded web browser for the sole purpose of SAML-based SSO. When a user opens the application and attempts to access a "cloud-based" resource, the application presents its embedded web browser and follows steps 1 through 8 in the SAML Transaction Steps illustration above, then returns the user to the native application interface. This has become a popular solution among Software as a Service (SaaS) vendors, especially those who frequently work with higher education institutions and large corporations.
If your application is appropriate for a MyAccess login system integration, here's a high-level overview of the technical steps required to integrate your application.
- Install a SAML SP. There are a number of SAML-compatible Service Provider (SP) solutions. Most require that the software be installed on the same web server that hosts your application. We recommend either the Shibboleth SP or SimpleSAMLphp.
IMPORTANT: If your application is a SaaS or "cloud" service such as Salesforce, Workfront, Box, etc., you can't install any SP software. Be sure to ask your application service provider whether it supports SAML2 single sign-on. If it doesn't, you cannot integrate the application with the MyAccess SSO system.
- Configure the SP. Initially, you'll need to configure it to use the UCSF MyAccess staging Identity Provider (IdP). This allows for more rapid testing and modifications on the IdP since it can be reconfigured during normal business hours, unlike the production IdP environment.
- Complete the MyAccess Integration Request form. This form asks for information required by the Identity and Access Management team in order to configure the staging and production IdP environments.
- The Identity and Access Management (IAM) team will configure the MyAccess staging IdP to work with your SP.
- Once you receive notice from the IAM team that the staging IdP is configured, test your SP and application to verify MyAccess login works in the staging environment.
- Respond to the IAM team member confirming success in the staging IdP environment and request that the configuration be placed into production.
- The IAM team member will schedule the staging IdP configuration for deployment into the MyAccess production IdP environment during the next maintenance window (see this document for maintenance window times).
- Once you receive notice from the IAM team that the production IdP is configured, configure your SP to use the UCSF MyAccess production IdP. Test your SP and application to confirm proper operation in production.
- Respond to the IAM team member confirming success in the production IdP environment.
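As an added illustration of the "Configure the SP" step (this is example configuration written for this page, not a fragment supplied by the IAM team or the Shibboleth project), the following shibboleth2.xml excerpt shows the two settings that change when you move a Shibboleth SP from the staging IdP to the production IdP: the `<SSO entityID>` and the `<MetadataProvider>` that loads the IdP's metadata. The SP entityID, IdP entity IDs, metadata URLs and file names are placeholders; substitute the values the IAM team gives you for staging and, later, for production.

```xml
<!-- Excerpt of shibboleth2.xml (Shibboleth SP 3). All entity IDs, URLs and file
     names below are placeholders, not MyAccess values. -->
<ApplicationDefaults entityID="https://app.example.edu/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">

        <!-- Point at the staging IdP first. After the IAM team confirms the
             production IdP is configured, replace this entityID with the
             production IdP entity ID and update the MetadataProvider below. -->
        <SSO entityID="https://STAGING-IDP-ENTITYID-PLACEHOLDER">
            SAML2
        </SSO>

        <Logout>SAML2 Local</Logout>

        <!-- Publish this SP's metadata so it can be attached to the
             MyAccess Integration Request form. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    </Sessions>

    <!-- Load the IdP metadata over HTTPS and keep a local backing copy.
         The Signature filter makes the SP reject metadata that is not signed
         by the expected key, so a swapped or tampered metadata document
         cannot redirect logins to a different IdP. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://STAGING-IDP-METADATA-URL-PLACEHOLDER"
                      backingFilePath="idp-staging-metadata.xml"
                      maxRefreshDelay="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="idp-metadata-signer.pem"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>

    <!-- SP signing/encryption key pair; the certificate is what the IdP
         registers for this SP. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

When switching to production, change only the `<SSO entityID>`, the metadata `url`/`backingFilePath`, and the signer certificate if the production metadata is signed with a different key; the SP entityID and key pair stay the same so the IdP-side registration carries over.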