InCommon federation Single Sign On (SSO)

InCommon is an identity management federation operator for U.S. education and research institutions. It provides a common framework for trusted, shared management of access to online resources. InCommon uses SAML-based authentication and authorization systems for scalability and trusted collaboration among its community of participants.

Users can access federation services with a single user account and password. Affiliated users can use the user IDs assigned to them by their home universities to access numerous services instead of maintaining a separate account for each.

miniOrange provides a Single Sign-On solution with InCommon Federation for your WordPress site. With it, your site can be integrated with InCommon Federation, and your users can access your site using the credentials of their InCommon-registered institution.

How the miniOrange SAML 2.0 Single Sign-On Plugin works with InCommon Federation
Our Plugin works in this way:
  1. First, the user clicks the Login with InCommon button. This redirects them to InCommon's discovery service, where they select their home institution.
  2. The discovery service sends some information to the plugin. (The plugin uses this information to identify which institution the user selected.)
  3. The plugin creates a SAML authentication request and sends it to the Identity Provider associated with the selected institution.
  4. The user sees their institution's login page. After successful authentication with their institution, the user is redirected and logged in to the WordPress website.
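
Steps 2 and 3 above, sketched as an added example (this is not miniOrange's plugin code): the discovery response is checked against the IdPs loaded from the metadata aggregate before an AuthnRequest is built for the HTTP-Redirect binding. It assumes the discovery service returns the choice in an `entityID` query parameter (the default in the SAML Identity Provider Discovery Service Protocol); all hostnames, the function names and the two-IdP aggregate are constructed for illustration.

```python
import base64, datetime, uuid, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed two-IdP aggregate standing in for the federation metadata file.
AGGREGATE = f"""<EntitiesDescriptor xmlns="{MD}">
 <EntityDescriptor entityID="https://idp.alpha.example/idp"><IDPSSODescriptor
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.alpha.example/sso"/>
 </IDPSSODescriptor></EntityDescriptor>
 <EntityDescriptor entityID="https://idp.beta.example/idp"><IDPSSODescriptor
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.beta.example/sso"/>
 </IDPSSODescriptor></EntityDescriptor>
</EntitiesDescriptor>"""

def load_idps(xml_text):
    """Map entityID -> HTTP-Redirect SSO endpoint for every IdP in the aggregate."""
    idps = {}
    for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        for sso in ent.iterfind(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService"):
            if sso.get("Binding") == REDIRECT:
                idps[ent.get("entityID")] = sso.get("Location")
    return idps

def selected_idp(return_url, idps):
    """Step 2: read the user's choice; accept only entityIDs loaded from metadata."""
    chosen = parse_qs(urlsplit(return_url).query).get("entityID", [""])[0]
    if chosen not in idps:
        raise ValueError(f"unknown IdP entityID: {chosen!r}")
    return chosen

def authn_redirect(sp_entity_id, acs_url, sso_url):
    """Step 3: build an AuthnRequest and encode it for the HTTP-Redirect binding."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{now}" Destination="{sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, as the binding requires
    packed = deflater.compress(req.encode()) + deflater.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(packed)})
```

Rejecting an entityID that is not in the loaded metadata keeps the login flow from being steered to an endpoint the federation never published.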

Pre-Requisites:

  • In the my.cnf/my.ini file of your server, increase the max_allowed_packet value so that it is larger than the size of the metadata file. (Since the InCommon IDP-only metadata file is 26M, you can set the max_allowed_packet value to 30M.)
  • For large metadata files (greater than 2M), use the metadata URL. File upload won't work for large files.

Steps to configure the plugin

  • After activating the plugin with your license key, go to the Service Provider Setup tab.
  • Click the Upload Multiple IDPs button to upload multiple IDPs from a single metadata file.
  • You can choose either a file or a URL to upload the metadata.
  • NOTE: For large files, use the metadata URL. For updating the InCommon metadata file, copy the following link in the Enter Metadata URL text box and click the Fetch Metadata button. Download the metadata from here.
  • For large metadata files, the upload process may take some time. After successful completion of the upload process, you should be able to see all the IDPs listed.
  • Now, upon accessing the WordPress login page, you should see the Login with InCommon button.
  • You need to provide the miniOrange entityID to the InCommon discovery service so that the discovery service can recognize the requests coming from the miniOrange plugin. The entityID for the miniOrange plugin can be found in the Service Provider Metadata tab of the plugin.
  • You can provide the SP metadata to the InCommon discovery service; it can be downloaded from the metadata URL given in the Service Provider Metadata tab.
  • After this, your users will be able to login to your site with their respective universities using the miniOrange plugin.

Attribute / Role Mapping

  • Using the Attribute/Role Mapping tab, you can assign different roles to different users and also map their attributes received from the IDP.
  • You can configure IDP-specific mapping as well as IDP-wide mapping using the Default Mapping option.

InCommon Federation - SSO Authentication Flow

  • After configuring the plugin, you should see the Login with InCommon button on the WordPress login page. Click this button to be redirected to the InCommon discovery service.
  • From the InCommon discovery service, select your home institution and click the Next button.
  • You will be redirected to the selected institution's login page for authentication.
  • After successful authentication, you will be redirected and logged in to the WordPress site.


If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about InCommon Federation.