SAML / Shibboleth Setup
Users can follow the steps below to implement and test SSO for their institution.
Note that Interfolio offers a Shibboleth-based Service Provider (SP) and is also a member of InCommon.
SAML/Shibboleth Setup
- Complete the online SSO & SFTP Setup Form, which will include this form.
- Ensure IT administrators have the Interfolio SP Metadata from InCommon
- Interfolio's entity ID is https://secure.interfolio.com/shibboleth-sp
- Ensure IT administrators are releasing the required attributes from the IdP (both attributes are required):
- Persistent ID
- Email
Unless otherwise specified, the attributes are expected to be released in one of the following name formats.
Note that if the attribute name is not fully qualified or released under the incorrect format, our Service Provider will ignore the attribute, and SSO login attempts will fail.
Mail Attribute
A mail attribute is the user’s email address. This is used to look up a user the first time they log in. After the first login, we will attach the Persistent Attribute (described below) to our unique identifier, and all future logins will occur based on the Persistent Attribute.
Interfolio accepts one of the following:
- urn:mace:dir:attribute-def:mail
- urn:oid:0.9.2342.19200300.100.1.3
- interfolio:sso:attributes:mailbasic
  - nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Example: Mail
<saml2:AttributeStatement>
  <saml2:Attribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Example: Mail (alternative)
<saml2:AttributeStatement>
  <saml2:Attribute Name="interfolio:sso:attributes:mailbasic" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Persistent Attribute
Persistent Attribute refers to the institution’s unique identifier for the user, and it is expected that it will never change for a given user or be assigned to a new user.
Note that you may encounter issues when attempting to use a persistent ID when the user's SSO ID has not been set.
Please compare the SSO ID entered into the Interfolio system to make sure it matches what you are sending us as the persistent ID.
The user's email should match the value that the IDP is sending for MAIL when the user logs in.
Interfolio accepts one of the following:
1. Name ID:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- interfolio:sso:attributes:nameidbasic
  - nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Example: persistent-id
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">username</saml2:NameID>
2. EPPN
- urn:mace:dir:attribute-def:eduPersonPrincipalName
- urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Example: eppn
<saml2:AttributeStatement>
  <saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
- Interfolio will send the test user an SSO link to test with when the setup is ready.
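The note above that an attribute released under a non-qualified name or the wrong NameFormat is silently ignored is the most common cause of failed test logins, so it helps to check an assertion before sending it. The following is an added example (not Interfolio's code or part of the original page) that parses a SAML 2.0 assertion and reports whether the mail and persistent identifiers are present under one of the accepted (Name, NameFormat) pairs listed on this page. It assumes the uri name format for the urn:mace and urn:oid names, as the page's own examples show, treats an absent NameFormat as unspecified (the SAML 2.0 default) and therefore not accepted, and the two assertions are constructed samples rather than captures from a real IdP.

```python
"""Check which Interfolio-accepted SSO attributes a SAML 2.0 assertion carries.

Added example: the accepted-name table is typed in from the page's lists and
the sample assertions below are constructed by hand, not captured from an IdP.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# SAML 2.0 treats an omitted NameFormat as unspecified; it is not accepted here.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# (Name, NameFormat) pairs the SP recognises; anything else is ignored.
# Assumption: the uri format for urn:mace / urn:oid names follows the page's examples.
ACCEPTED = {
    "mail": {
        ("urn:mace:dir:attribute-def:mail", URI),
        ("urn:oid:0.9.2342.19200300.100.1.3", URI),
        ("interfolio:sso:attributes:mailbasic", BASIC),
    },
    "persistent": {
        ("interfolio:sso:attributes:nameidbasic", BASIC),
        ("urn:mace:dir:attribute-def:eduPersonPrincipalName", URI),
        ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", URI),
    },
}
# NameID formats that count as the persistent identifier.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def extract_attributes(assertion_xml):
    """Return {"mail": [...], "persistent": [...], "ignored": [(name, fmt), ...]}."""
    root = ET.fromstring(assertion_xml)
    found = {"mail": [], "persistent": [], "ignored": []}
    # A persistent/unspecified NameID in the Subject serves as the persistent ID.
    for name_id in root.iterfind(".//saml2:Subject/saml2:NameID", NS):
        value = (name_id.text or "").strip()
        if value and name_id.get("Format") in NAMEID_FORMATS:
            found["persistent"].append(value)
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        values = [v for v in values if v]
        for kind, accepted in ACCEPTED.items():
            if key in accepted:
                found[kind].extend(values)
                break
        else:
            # Not fully qualified or wrong NameFormat: the SP would drop it.
            found["ignored"].append(key)
    return found


def check_assertion(assertion_xml):
    """Return (ok, problems); ok only when both required identifiers are present."""
    found = extract_attributes(assertion_xml)
    problems = []
    if not found["mail"]:
        problems.append("no mail attribute under an accepted name/format")
    if not found["persistent"]:
        problems.append("no persistent identifier (NameID, nameidbasic or eppn)")
    for name, fmt in found["ignored"]:
        problems.append(f"ignored attribute {name!r} with NameFormat {fmt!r}")
    return (not problems, problems)


# Constructed sample: correct names and formats.
GOOD_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>test@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Constructed sample: unqualified "mail" name, wrong format, transient NameID.
BAD_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x9z</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>test@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        ok, problems = check_assertion(xml)
        print(label, "ok" if ok else problems)
```

Run it against the assertion your IdP produces for the test user (decoded from the SAMLResponse) before the test login; an entry under "ignored" is exactly the attribute that the SP will drop, and the fix is on the IdP's attribute-release side, not in Interfolio.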
Users can initiate login in one of two ways:
- A user who wants to authenticate with Interfolio via SSO clicks the Sign In link in the header of the Interfolio website, and continues to the Login to Interfolio through your institution link. The user will then see a list of partner institutions offering SSO to Interfolio, and will select their institution from the list. At this point, the user will be directed to their institution’s IdP for authentication. If the user is not authenticated by their institution, the process ends at that point. If the user is authenticated by their institution, then they are sent back to Interfolio with the required Shibboleth attributes associated with them.
- If the institution manages a portal within their environment they may add a link directly to Interfolio’s Shibboleth Service Provider. Interfolio’s SP will request the SSO attributes from the institution’s IdP and the process will continue as described below.
Whether the user initiates login via option one or option two, after the user has authenticated with the institution, they will be sent to Interfolio with the necessary SSO attributes. If the mail attribute matches an Interfolio user with a valid role, the user will be taken directly to their dashboard; otherwise, the user will see a message that their credentials do not match an existing Interfolio user. This can occur if:
- An account has not yet been set up for them in Interfolio
- The email address associated with the Interfolio account does not match the mail attribute being released from the IdP. This often occurs because the Interfolio account has an aliased email address: for example, the account uses jsmith@university.edu but the IdP releases the fully qualified address john.smith@university.edu as the mail attribute.
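The account-matching behaviour described in this section and under "Mail Attribute" (look the user up by mail on first login, bind the persistent ID, then resolve later logins by that ID, and reject a mismatch between a pre-entered SSO ID and the released persistent ID) can be modelled in a few lines. The following is an added example with a constructed in-memory user table; it is not Interfolio's code, and the Account fields, the Directory class and the outcome strings are assumptions made for illustration.

```python
"""Model of the SP-side account lookup: mail on first login, persistent ID after.

Added example; the user table and field names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    role: Optional[str]            # None models an account without a valid role
    sso_id: Optional[str] = None   # persistent ID once bound (the account's SSO ID)


class Directory:
    def __init__(self, accounts):
        self.accounts = list(accounts)

    def resolve(self, attrs):
        """attrs is {"mail": ..., "persistent": ...} as released by the IdP.

        Returns ("dashboard", account) on success, else ("no_match", reason).
        """
        mail = attrs.get("mail", "").strip().lower()
        pid = attrs.get("persistent")
        if not mail or not pid:
            return ("no_match", "required attribute missing")
        # Returning user: the persistent ID is authoritative after the first login,
        # so a later change of email address does not break the login.
        for acct in self.accounts:
            if acct.sso_id == pid:
                return ("dashboard", acct)
        # First login: look the user up by the mail attribute.
        for acct in self.accounts:
            if acct.email.lower() == mail:
                if acct.role is None:
                    return ("no_match", "account has no valid role")
                if acct.sso_id is not None:
                    # An SSO ID was entered into the system but differs from
                    # what the IdP is sending as the persistent ID.
                    return ("no_match",
                            f"SSO ID {acct.sso_id!r} does not match persistent ID {pid!r}")
                acct.sso_id = pid  # bind for all future logins
                return ("dashboard", acct)
        return ("no_match",
                "no account matches the mail attribute (check for an aliased address)")


def demo():
    """Walk through the three outcomes the page describes; returns their labels."""
    directory = Directory([
        Account("jsmith@university.edu", "faculty"),       # aliased address on file
        Account("pre.entered@university.edu", "faculty", sso_id="pid-9"),
    ])
    outcomes = []
    # 1. First login matches by mail and binds the persistent ID.
    outcomes.append(directory.resolve({"mail": "jsmith@university.edu", "persistent": "pid-1"})[0])
    # 2. Later login with the fully qualified address still resolves via the persistent ID.
    outcomes.append(directory.resolve({"mail": "john.smith@university.edu", "persistent": "pid-1"})[0])
    # 3. A different user whose IdP releases the fully qualified form of an aliased
    #    address finds no account: the message on the page.
    outcomes.append(directory.resolve({"mail": "john.smith@university.edu", "persistent": "pid-2"})[0])
    # 4. Pre-entered SSO ID that disagrees with the released persistent ID.
    outcomes.append(directory.resolve({"mail": "pre.entered@university.edu", "persistent": "pid-3"})[0])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Case 3 is the alias situation from the list above: because the account was never bound to a persistent ID, the only key available is the mail attribute, and jsmith@university.edu does not equal john.smith@university.edu. Case 4 is the check the "Persistent Attribute" section asks you to make by hand: compare the SSO ID entered into the system with the value the IdP actually releases.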