Introduction
The Career Center is the new online career platform of your university. It is a website where students can find information about companies and browse internship and job offers. To restrict access to the intended population, Jobteaser supports several SSO integrations. With an SSO integration, your authentication server decides who may use Jobteaser: a student can only sign in once your server has authenticated them and authorized the access.
Integration SSO Shibboleth
Description
Shibboleth is a single sign-on (log-in) system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organisations or institutions. The federations are often universities or public service organizations. Historically the Shibboleth and SAML protocols were developed during the same timeframe. From the beginning, Shibboleth was based on SAML, but where SAML was found lacking, Shibboleth improvised. Basically, the Shibboleth developers implemented features that compensated for missing features in SAML 1.1. Some of these features were later incorporated into SAML 2.0, and in that sense, Shibboleth contributed to the evolution of the SAML protocol.
The following documentation is largely the same as the SAML documentation; however, some points are specific to the Shibboleth configuration and differ from the SAML one.
+------------+           +------------+           +------------+
|  Service   |           |  Student   |           |    Auth    |
|  Provider  |           |            |           |   Server   |
+------------+           +------------+           +------------+
      |                        |                        |
      |<--- request resource --|                        |
      |---- redirect to IDP -->|                        |
      |                        |                        |
      |                        |----- request IDP ----->|
      |                        |<-- Get SAML payload ---|
      |                        |                        |
      |<-- send SAML payload --|                        |
      |-- redirect to resource>|                        |
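The "redirect to IDP" step of the diagram, as an added example that is not part of this page and not Jobteaser's code. It builds the SAML 2.0 AuthnRequest that the Service Provider sends through the browser with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding in the query string), asking for a persistent NameID and naming the callback URL as the AssertionConsumerService, then decodes it the way the IDP does on arrival. The IDP SSO endpoint URL, the function names and the RelayState value are assumptions; the Issuer and callback URLs follow the pattern given under "Configuration of your platform" below. The request ID returned by start_login is what the SP must keep in the session, because the IDP echoes it back in InResponseTo and the SP has to compare the two.

```python
# Added example (not Jobteaser's code): SP side of "redirect to IDP" with the HTTP-Redirect binding.
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# URL pattern from this page (university-permalink is the Career Center subdomain).
SP_ENTITY_ID = "https://university-permalink.jobteaser.com/users/auth/university_permalink_shibboleth/metadata"
SP_CALLBACK_URL = "https://university-permalink.jobteaser.com/users/auth/university_permalink_shibboleth/callback"
IDP_SSO_URL = "https://idp.university-example.edu/idp/profile/SAML2/Redirect/SSO"  # assumed IDP endpoint
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"


def new_request_id():
    # SAML IDs are XML NCNames, so they must not start with a digit; 128 bits of randomness prevent guessing.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """AuthnRequest asking for a persistent (non-email) NameID, to be posted back to the callback URL."""
    instant = issue_instant.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{instant}" Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_CALLBACK_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def redirect_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque to the IDP; the SP uses it to return to the requested resource
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """What the IDP does on arrival: reverse the encoding and read the request."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{NS_A}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": root.find(f"{{{NS_P}}}NameIDPolicy").get("Format"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def start_login(resource="/jobs", now=None):
    """SP side of the redirect: returns (request ID to remember in the session, Location header value)."""
    request_id = new_request_id()
    xml_text = build_authn_request(request_id, now or datetime.now(timezone.utc))
    return request_id, redirect_url(xml_text, relay_state=resource)


if __name__ == "__main__":
    rid, location = start_login("/companies/42")
    print("Location:", location)
    print("IDP sees:", decode_saml_request(location))
```

The request is deliberately left unsigned, which is the usual default for Shibboleth IDPs; if your IDP requires signed requests the SP library adds a Signature/SigAlg pair to the same query string.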
Configuration of your platform
Here are the details needed for the implementation on your side:
- Issuer URL (the Service Provider entityID; its SAML metadata is served at this address, and it is the value your IDP must place in the Audience): https://university-permalink.jobteaser.com/users/auth/university_permalink_shibboleth/metadata
- Callback URL (the Assertion Consumer Service endpoint that receives the SAML Response): https://university-permalink.jobteaser.com/users/auth/university_permalink_shibboleth/callback
- Sign-in URL: https://university-permalink.jobteaser.com/
Note: the permalink is the subdomain used to access your Career Center.
Technical Environments
The following IP addresses must be allowed to reach your authentication server:
- Development: 84.14.204.224 to 84.14.204.239 (84.14.204.224/28)
- Production: 34.247.150.89, 52.48.69.13 and 34.242.136.182
- Pre Production: 34.248.34.73, 52.209.6.99 and 52.31.86.10
Jobteaser Configuration
Requirements
- URL of the SAML metadata of your Identity Provider (IDP); it must contain the certificate used to sign the assertions.
- Test user account for end-to-end validation.
- NameID must use the persistent format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) and must not be an email address.
User attributes
User attributes that must be included in the integration are:
FriendlyName | Name | NameFormat
---|---|---
mail | urn:oid:0.9.2342.19200300.100.1.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri
givenName | urn:oid:2.5.4.42 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri
sn | urn:oid:2.5.4.4 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Note: the NameID carries the unique key (uid) that allows Jobteaser to identify the user. It is part of the SAML Subject, so it does not need to be added to the user attributes. Because the account is stored under this key, it must stay stable for the lifetime of the user and must never be reassigned to another person; this is why a persistent identifier is required rather than an email address, which can change.
Example of a SAML Response sent by the IDP to the callback URL. The Assertion is signed with the IDP certificate published in its metadata; Destination and Recipient must equal the callback URL, the Audience must equal the Issuer URL (metadata URL) given above, and InResponseTo must match the ID of the authentication request issued by Jobteaser:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_6a594969-3bb5-4cb5-b282-a3bbef28596f" Version="2.0" IssueInstant="2017-09-26T13:36:11.599Z" Destination="https://university-test.jobteaser.com/users/auth/university_test_shibboleth/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_89a8d0d0-84ed-0135-a6ff-784f4377ec3a">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://university-test.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f7f62832-87a9-4e4d-84c4-b32896426771" IssueInstant="2017-09-26T13:36:11.598Z" Version="2.0">
    <Issuer>http://university-test.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_f7f62832-87a9-4e4d-84c4-b32896426771">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>xLPchzLCcPyeg5f+b86alx/5qF/vfWL1rOcM3CMwa5o=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>BnxIWEu5z3vrIJSINwi2yVJdXNOW4aHNevOYh7C+Z/6k4wpnER2Yrq8p3ZwFYQrQzj1JpubLNLVnf5k1TIbyFDiRyPTn049Fw0vE/6Mr8ymwnqysA4yp9nfm7s3bIiEf9C2rErNaHtAb1CyAeFrus1MqdBy5RhiXLPSSzcq4SPy+y+bsONZcfBhcvm4CGRLviye737arxf+KI4bKLzWRdwc1Inx5IlH1BJnFS7c9fJ+5xTjtF/N670VXo2/RMTA3lv3T93e7Mvu0/MnPCbNgvjekCFdqjMZc02y5YPgXZMnPtNmV4zfAGxmILipmleZWudzkepgmdOAvJrawLVjU/A==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">YT8kKonm3A5sVMOcvWjavJBhi</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_89a8d0d0-84ed-0135-a6ff-784f4377ec3a" NotOnOrAfter="2017-09-26T13:41:11.599Z" Recipient="https://university-test.jobteaser.com/users/auth/university_test_shibboleth/callback" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-09-26T13:36:09.087Z" NotOnOrAfter="2017-09-26T14:36:09.087Z">
      <AudienceRestriction>
        <Audience>https://university-test.jobteaser.com/users/auth/university_test_shibboleth/metadata</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue>john.doe@university-test.com</AttributeValue>
      </Attribute>
      <Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue>Doe</AttributeValue>
      </Attribute>
      <Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue>John</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2017-09-26T13:36:09.022Z" SessionIndex="_f7f62832-87a9-4e4d-84c4-b32896426771">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
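The checks the Service Provider runs on a Response like the one above before accepting the login, as an added example that is not Jobteaser's code and not part of the original page. It assumes the XML signature on the Assertion has already been verified by the SAML library against the certificate from the IDP metadata (that step is not reimplemented here) and applies the remaining SAML 2.0 bearer-profile checks: Success status, Destination and Recipient equal to the callback URL, InResponseTo equal to the ID of the AuthnRequest kept in the session, the NotBefore/NotOnOrAfter window with a small clock skew, the Audience equal to the Issuer URL, a persistent non-email NameID, and the three required attributes from the table above. The sample Response is constructed from the example (same timestamps, identifiers and attributes, with the Signature element left empty); the function names are assumptions.

```python
# Added example (not Jobteaser's code): SP-side validation of a SAML Response after signature verification.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Name (OID) -> FriendlyName, taken from the user attributes table above.
REQUIRED_ATTRS = {"urn:oid:0.9.2342.19200300.100.1.3": "mail", "urn:oid:2.5.4.42": "givenName", "urn:oid:2.5.4.4": "sn"}


def parse_instant(value):
    """SAML xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, callback_url, sp_entity_id, request_id, now, skew=timedelta(seconds=60)):
    """Return (uid, attributes, errors); the login must be refused when errors is not empty."""
    errors = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    # Destination and InResponseTo tie the response to our callback URL and to the AuthnRequest we issued.
    if root.get("Destination") != callback_url:
        errors.append("Destination is not the callback URL")
    if root.get("InResponseTo") != request_id:
        errors.append("Response.InResponseTo does not match the pending AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, {}, errors + ["expected exactly one Assertion"]
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:  # the signature value itself was verified by the SAML library
        errors.append("Assertion is not signed")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    uid = nameid.text if nameid is not None else None
    if nameid is None or nameid.get("Format") != PERSISTENT:
        errors.append("NameID is missing or not in persistent format")
    elif "@" in (uid or ""):
        errors.append("NameID must not be an email address")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    if scd is None or cond is None:
        return uid, {}, errors + ["missing SubjectConfirmationData or Conditions"]
    if scd.get("Recipient") != callback_url:
        errors.append("Recipient is not the callback URL")
    if scd.get("InResponseTo") != request_id:
        errors.append("SubjectConfirmationData.InResponseTo does not match")
    if not scd.get("NotOnOrAfter") or now - skew >= parse_instant(scd.get("NotOnOrAfter")):
        errors.append("bearer confirmation has expired")
    if cond.get("NotBefore") and now + skew < parse_instant(cond.get("NotBefore")):
        errors.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        errors.append("assertion has expired")
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        errors.append("we are not in the Audience")
    attrs = {}
    for att in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = att.get("Name")
        attrs[REQUIRED_ATTRS.get(name, name)] = [v.text for v in att.findall("saml:AttributeValue", NS)]
    for oid, friendly in REQUIRED_ATTRS.items():
        if not attrs.get(friendly):
            errors.append(f"missing attribute {friendly} ({oid})")
    return uid, attrs, errors


# Constructed sample (not a captured message), modelled on the Response above with the same timestamps.
CALLBACK = "https://university-test.jobteaser.com/users/auth/university_test_shibboleth/callback"
ENTITY_ID = "https://university-test.jobteaser.com/users/auth/university_test_shibboleth/metadata"
REQUEST_ID = "_89a8d0d0-84ed-0135-a6ff-784f4377ec3a"
NOW = datetime(2017, 9, 26, 13, 36, 30, tzinfo=timezone.utc)  # time at which the sample is received
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_6a594969" Version="2.0"
    IssueInstant="2017-09-26T13:36:11.599Z" Destination="{CALLBACK}" InResponseTo="{REQUEST_ID}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <Assertion xmlns="{NS['saml']}" ID="_f7f62832" Version="2.0" IssueInstant="2017-09-26T13:36:11.598Z">
    <Issuer>http://university-test.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"/>
    <Subject><NameID Format="{PERSISTENT}">YT8kKonm3A5sVMOcvWjavJBhi</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
        InResponseTo="{REQUEST_ID}" NotOnOrAfter="2017-09-26T13:41:11.599Z" Recipient="{CALLBACK}"/>
      </SubjectConfirmation></Subject>
    <Conditions NotBefore="2017-09-26T13:36:09.087Z" NotOnOrAfter="2017-09-26T14:36:09.087Z">
      <AudienceRestriction><Audience>{ENTITY_ID}</Audience></AudienceRestriction></Conditions>
    <AttributeStatement>
      <Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><AttributeValue>john.doe@university-test.com</AttributeValue></Attribute>
      <Attribute Name="urn:oid:2.5.4.4"><AttributeValue>Doe</AttributeValue></Attribute>
      <Attribute Name="urn:oid:2.5.4.42"><AttributeValue>John</AttributeValue></Attribute>
    </AttributeStatement></Assertion></samlp:Response>"""


def check_sample(minutes_later=0, sp_entity_id=ENTITY_ID, request_id=REQUEST_ID):
    """Validate the sample as received minutes_later after NOW (replay), by another SP, or for another request."""
    return validate_response(SAMPLE_RESPONSE, CALLBACK, sp_entity_id, request_id, NOW + timedelta(minutes=minutes_later))


if __name__ == "__main__":
    print(check_sample())  # -> uid 'YT8kKonm3A5sVMOcvWjavJBhi', the three attributes, no errors
```

Calling check_sample(minutes_later=120) reproduces a replay after the window has closed (both the bearer confirmation and the assertion report expiry), check_sample(sp_entity_id=...) a Response minted for a different Service Provider, and check_sample(request_id=...) an unsolicited or replayed Response whose InResponseTo no longer matches anything in the session.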