
Before you begin, please read the Responsibilities and Agreement. By integrating your application with the MyAccess SSO system, you agree to that agreement.

If you're planning to use SAML SSO, you'll want to go through the brief "How It Works: MyAccess, SAML and Shibboleth" article first.

SAML SSO Integration Steps

  1. Install a SAML SP. There are a number of SAML-compatible Service Provider (SP) solutions. Most require that the software be installed on the same web server that hosts your application. We recommend either the Shibboleth SP or SimpleSAMLphp solutions.

    IMPORTANT: If your application is a SaaS or "cloud" service such as Salesforce, Workfront, Box, etc., you can't install any SP software. So be sure to ask your application service provider whether it supports SAML2 single sign-on. If it doesn't, you cannot integrate the application with the MyAccess SSO system.
     
  2. Configure the SP.  Initially, you'll need to configure it to use the UCSF MyAccess staging Identity Provider (IdP).  Why use the staging IdP first?  Because it allows for more rapid testing and modifications on the IdP since it can be reconfigured during normal business hours, unlike the production IdP environment.
  3. Complete the MyAccess Integration Request form.  This form asks for information required by the Identity and Access Management team in order to configure the staging and production IdP environments.
  4. The Identity and Access Management (IAM) team will configure the MyAccess staging IdP to work with your SP.
  5. Once you receive notice from the IAM team that the staging IdP is configured, test your SP and application to verify MyAccess login works in the staging environment.
  6. Respond to the IAM team member confirming success in the staging IdP environment and request that the configuration be copied into production.
  7. The IAM team member will schedule the staging IdP configuration for deployment into the MyAccess production IdP environment during the next maintenance window (see this document for maintenance window times).
  8. Once you receive notice from the IAM team that the production IdP is configured, reconfigure your SP to use the UCSF MyAccess production IdP.  Test your SP and application to confirm proper operation in production.
  9. Respond to the IAM team member confirming success in the production IdP environment.
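To make steps 2 and 8 concrete, here is a constructed excerpt of a Shibboleth SP shibboleth2.xml (an added example, not configuration from the MyAccess documentation or the IAM team). Every hostname, entityID, metadata URL and file name below is a placeholder; the real values come from the IAM team.

```xml
<!-- Constructed Shibboleth SP excerpt (added example, placeholder values only).
     The SP's own entityID stays the same in staging and production: the IdP-side
     configuration made for staging is copied to production as-is (steps 6-7). -->
<ApplicationDefaults entityID="https://app.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

        <!-- Step 2: point the SP at the STAGING IdP while the IAM team configures it.
             Step 8: change this single entityID to the production IdP's entityID. -->
        <SSO entityID="https://STAGING-IDP-ENTITYID-PLACEHOLDER/idp/shibboleth">
            SAML2
        </SSO>

        <!-- /Metadata is what you hand to the IAM team on the integration request form. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="app-support@example.org" helpLocation="/about.html"/>

    <!-- Trust: fetch each IdP's metadata from its published URL and reject it unless
         the signature verifies against the IdP's metadata-signing certificate obtained
         out of band. Both providers are loaded so the step-8 switch is a one-line
         change; the SSO element above decides which IdP is actually used. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://STAGING-IDP-METADATA-URL-PLACEHOLDER"
                      backingFilePath="myaccess-staging-metadata.xml" maxRefreshDelay="7200">
        <MetadataFilter type="Signature" certificate="myaccess-staging-signing.pem"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    </MetadataProvider>

    <MetadataProvider type="XML" validate="true"
                      url="https://PRODUCTION-IDP-METADATA-URL-PLACEHOLDER"
                      backingFilePath="myaccess-prod-metadata.xml" maxRefreshDelay="7200">
        <MetadataFilter type="Signature" certificate="myaccess-prod-signing.pem"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- SP signing/encryption key pair; the certificate is published in /Metadata. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

After editing, restart shibd and check the /Status handler before testing a login (step 5 or step 8), so that a metadata-signature or schema error surfaces as a configuration failure rather than as a confusing login error.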

CAS Integrations

  1. Install or enable a CAS client on your application server. There are a number of CAS clients available. Check this list for a few of the most common ones.
  2. Configure a CAS service. Initially, you'll want to configure it to use the UCSF MyAccess staging Identity Provider (IdP), which is the CAS server for UCSF. Why use the staging CAS server first? Because it allows for more rapid testing and modifications on the CAS server (if needed), since it can be reconfigured during normal business hours, unlike the production CAS server environment.
  3. If you need additional CAS attributes or have specific application requirements, complete the MyAccess Integration Request form.  If you submit a MyAccess Integration Request form, you'll also need to go through the additional steps below.
    1. The Identity and Access Management (IAM) team will configure the MyAccess staging CAS server to work with your CAS service.
    2. Once you receive notice from the IAM team that the staging CAS server is configured, test your CAS service and application to verify MyAccess login works in the staging environment.
    3. Respond to the IAM team member confirming success in the staging CAS server environment and request that the configuration be copied into production.
    4. The IAM team member will schedule the staging CAS server configuration for deployment into the MyAccess production CAS server environment during the next maintenance window (see this document for maintenance window times).
    5. Once you receive notice from the IAM team that the production CAS server is configured, reconfigure your CAS client to use the UCSF MyAccess production CAS server.  Test your CAS service and application to confirm proper operation in production.
    6. Respond to the IAM team member confirming success in the production CAS server environment.
  4. If no additional CAS attributes are needed, simply configure the CAS service to use the production CAS server environment.

Additional Information

Need more information?  Here are some additional articles to help with your SSO integration.
