UCI Single Sign-On Project
Quicklink(s)
In early 2024, the Office of Information Technology (OIT) retired its legacy UCI Single Sign-On (SSO) service WebAuth, in favor of a standards-based (SAML) service called Shibboleth.
Why use Single Sign-on?
Using Single Sign-on (SSO) provides many benefits including:
- One trusted login page
- Passwords are not passed through application code or 3rd party applications
- Access is synced with a central identity management system
- Security controls like Duo are automatically inherited
- Account monitoring and abuse detection is centralized
Current SSO Solutions
Currently, both WebAuth and Shibboleth servers are intertwined and enable users to access various online services at UCI Without having to sign in multiple times.
- WebAuth – WebAuth is a homegrown solution created at UCI in the 1990s. It has been widely adopted on campus in mostly homegrown applications.
- Shibboleth – Shibboleth is a web-based Single Sign-on infrastructure. It is based on SAML, a standard for the exchange of authentication data. Shibboleth has been adopted by the University of California as the basis for federated Single Sign-on between the UC campuses.
What is Changing
We will be retiring WebAuth and moving exclusively to Shibboleth, a standards-based solution. This change allows UCI easier integration with vendors/3rd parties, can potentially reduce application development overhead and is also widely supported in Higher Education. This will allow for more research and collaboration opportunities with other Universities.
How Do I Migrate?
We generally categorize application migrations into two categories: Home Grown Applications and Vendor/SaaS solutions. The UCI SSO service leverages the SAML specification and as long as your application can communicate via SAML integration should be possible.
Information about the migration can be found at the IAMDOCS Wiki. If you do not have access, please submit a “Confluence – General User” KSAMS role for yourself.
Home Grown Applications
Typically, we recommend home grown applications to install the Shibboleth Service Provider (SP). The SP will handle all the SAML communications on your applications behalf and will deliver environment variables about the user after login. However, there are also plenty of 3rd party libraries that implement SAML, like Spring, SimpleSAMLphp, SustainSys, OneLogin and etc.
Below are some useful links to the IAMDOCS wiki that might help with your SP based migration.
- Shibboleth SP Configuration Guide
- Shibboleth/SAML – Planning Guide
- Migrating to Shibboleth SP vs. Alternatives
Vendor/SaaS
Typically most vendor and SaaS solutions already have implemented SAML or have SAML plugins. We have many vendor applications that we’ve already integrated.
If your vendor SaaS solution offers SAML support, please see the Shibboleth IdP Common Configuration Values to help assist with your configuration.
Other Resources
The IAM Team and other UCI Community Members have also created an IAM Community Repo that has sample code, pre-configured files, etc. that may help in your migration.
Need Help?
If you would like assistance or a more in-depth walkthrough, please email oit@uci.edu, and someone from the Identity & Access Management Team can reach out and schedule a meeting.
Goals
- Retire WebAuth SSO
- Provide a secure, standards-based solution using Shibboleth SSO to provide easier integration with vendor/3rd party applications and other UC campuses.
Deliverables
- Migrate campus WebAuth enabled applications to Shibboleth
- Retire WebAuth SSO
Milestones
2020
- Q1 2020 – Project Start: Develop High-Level Plan
- Q3 2020 – Start Migration Phase: Early Adopters/Grassroots
2021
- Q1 2021 – IAM Preparation Phase
- Q4 2021 – Accelerate Migration Phase
2022
- Q3 2022 – Begin Development of Shibboleth Decoupled Code Base
2023
- Q1 2023
- Decouple Shibboleth & WebAuth – Early March 2023
- Q4 2023
- Complete Migration of all Apps – End of 2023
2024
- Q1 2024
- Shut down WebAuth – Mid Jan 2024
- Project Complete – Feb 2024
Project Status
- Percentage Complete 100%
Project Phase
Closed
Communities Affected
- UCI Campus
- College of Health Sciences
Start Date
Quarter 1 2020
Projected Completion Date
February 2024
Key Stakeholders
- Client: Campus Web Developers and Campus Users
- Sponsor: Josh Drummond
- Project Manager: Roger Vuong and Warren Leung
Client Support
Frequently Asked Questions
Hidden toggle
Hide the first one.
Will there be a difference for people when they log in?
For most general end users, there should be no difference in everyday sign-in attempts. You will still see the same look and feel as the current UCI Single Sign-on Page. However, some links may be going away.
WebAuth? Shibboleth? What is the difference?
The UCI Single Sign-on Service (SSO) is comprised of two services called WebAuth and Shibboleth that work together to provide a seamless SSO experience on campus. WebAuth is a homegrown service and integrating with vendor applications and SaaS solutions has been difficult or impossible. It was decided in 2020 that we will move to Shibboleth only. This will also allow us to reduce the operational overhead of maintaining two services.
What are some benefits of moving to Shibboleth?
Below are some benefits of moving
- Standards-based – Easier to integrate with other parties (especially vendors)
- Simpler and easier to maintain OIT Service Portfolio
- Widely adopted in Higher Education and Commercial Space
- Federation Support
- More Data delivered to your application
- SAML is UC’s recommended protocol for cross-campus authentication
- Potential support in the future for OIDC and passwordless authentication
How do I migrate an application from using WebAuth to Shibboleth?
The IAM team has created support documentation and how-tos for the migration.
- Please visit https://uci.atlassian.net/wiki/spaces/IAMDOCS/overview for more details.
If you need access please submit a KSAMS role for Confluence – General User - We also have sample code and updated WebAuth-based repos at https://github.oit.uci.edu/iam-community/
(UCI GitHub requires connecting from on-campus or using the VPN.)
How long does it take to migrate an application?
This will vary depending on your experience and the complexity of your application. We generally advise technical teams that migrating the first application will take about 40-80 hours. Any subsequent applications should be significantly easier and take less time.