Checklist for Joint Web Login
Uppsala University's Joint Web Login service is mainly used to enable staff and students to easily log in to a large number of central services, and to prevent unauthorized access to these.
The Joint Web Login service is also available for use in services/products purchased within the organisation. If your organisation is interested in using the Joint Web Login service for your own service/product, a checklist is provided below with a number of initial questions. Once you have answered the questions, you can proceed with your contact at the provider of your service/product.
Step 1: Information needs for your service
- What information does your service require?
Find out what information about the user your service needs for login. This could be information such as user ID, first name, surname, display name and email address. The information required by the Joint Web Login service is specified in the technical configuration. Information that your service requires is something you will need to find out from e.g. the developers of your service. - Who should be able to log in to your service?
Decide whether the service should only accept logins from users at Uppsala University or whether there is also a need to allow users at other higher education institutions to log in to the service (referred to as Discovery Service (DS)).
If the answers to the above questions are 1) only user ID and 2) only users at Uppsala University, it is possible to use CAS instead of SAML 2.0. Read more about CAS here.
Step 2: Check with the provider
- Does your service support Single Sign On?
Check with the provider of your service regarding the support available for Single Sign On (SSO) with SAML 2.0.
a) Is the service capable of reading a username in some way?
b) Is there built-in support for SSO with SAML 2.0, or does the web server in front of the service have to handle this? - Does your service use Discovery Service?
If the service is to receive logins from users at other higher education institutions and has built-in support for SAML 2.0, check that this support explicitly includes Discovery Service (DS). This requires that there is a specific URL that can receive the user – with information about the actual login server (IdP) to be used – when the user selects an institution. - Is a data processor agreement needed?
Contact the e-administration coordinator IT (EkIT) for the Digital Identity e-area (see Organisation and roles –> e-area staffing) to formally allow the service to receive the desired information about users at login. For services operated by an external party, a data processing agreement may be required, and must be in place before work can proceed; see the EU General Data Processing Regulation (GDPR) and personal data processors. The person responsible for the service can consult the Legal Affairs Division if necessary.
Next step: Technical configuration
If EkIT approves the connection and gives permission to activate the Joint Web Login service for your service, you can contact your service provider with information on the next step – technical configuration.
__________________________________________
If you have any questions, please contact IT Support.