What is single sign-on?
Single sign-on (SSO) is a form of identity and access management (IAM) that enables users to securely authenticate with multiple applications and websites by logging in only once, with just one set of credentials (username and password). With SSO, the application or website that the user is trying to access relies on a trusted third party to verify that users are who they say they are.
This means that students can be given access to the Career Center using their institution's intranet or email credentials.
How does it work?
Authentication with SSO relies on a trust relationship between domains (websites). With single sign-on, this is what happens when you try to log in to an app or website:
- You enter the username/password that you use for accessing other parts of the institution.
- The SSO solution requests authentication from the identity provider or authentication system that your institution uses. It verifies your identity and notifies the SSO solution.
- The SSO solution passes authentication data to the website and returns you to that site. You are now able to enter the platform.
In SSO, authentication verification data takes the form of tokens.
This information is taken from https://www.onelogin.com/learn/how-single-sign-on-works (04/02/2020)
How is data security ensured with SSO?
After an SSO connection is set up, student data is not automatically transferred from the institution's server (IdP) to the Career Center. Students must actively log in to the Career Center to provide JobTeaser with their data.
No passwords are transmitted to JobTeaser in the process. Authentication is done via the institution's server and its own login form. This form sends the Career Center the "ok" confirming that this person exists and is allowed to enter. The necessary attributes (first name, last name and email address) are then provided to the Career Center.
Sample registration form of the university network. Username and password remain stored on the university servers and are not transmitted to JobTeaser.
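The login flow and the attribute release described above, as an added sketch that is not JobTeaser's or any identity provider's code: the IdP checks the password locally and issues a signed, short-lived token carrying only first name, last name and email, and the service accepts it only if signature, audience and expiry hold. An HMAC over a shared key stands in for the signature scheme of a real SSO protocol; the key, audience name, function names and user record are all constructed.

```python
import base64, hashlib, hmac, json, time

# All names and values below are constructed for this example.
TRUST_KEY = b"demo-key-exchanged-at-setup"       # stands in for the IdP/service trust
AUDIENCE = "career-center.example"               # hypothetical service name
RELEASED = ("first_name", "last_name", "email")  # attributes the page lists

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign(body):
    return hmac.new(TRUST_KEY, body, hashlib.sha256).hexdigest()

def idp_login(directory, username, password, now):
    """IdP side: verify the password locally, then issue a token without it."""
    user = directory.get(username)
    if not user or not hmac.compare_digest(user["pw"], pw_hash(password, user["salt"])):
        return None
    claims = {k: user[k] for k in RELEASED}       # nothing else leaves the IdP
    claims.update(aud=AUDIENCE, exp=now + 300)    # bound to one service, 5 minutes
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + sign(body)

def sp_accept(token, now):
    """Service side: trust the token only if signature, audience and expiry hold."""
    try:
        body, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, sign(body.encode())):
            return None                           # not issued by the trusted IdP
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None                               # malformed token
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None                               # wrong recipient or expired
    return {k: claims[k] for k in RELEASED if k in claims}

SALT = b"constructed-salt"
DIRECTORY = {"jdoe": {"salt": SALT, "pw": pw_hash("correct horse", SALT),
                      "first_name": "Jane", "last_name": "Doe",
                      "email": "jane.doe@university.example"}}

if __name__ == "__main__":
    t0 = int(time.time())
    token = idp_login(DIRECTORY, "jdoe", "correct horse", t0)
    print(sp_accept(token, t0))
```
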
In the case of integration via a federation (e.g. eduGAIN), a login window is generated automatically, which displays the attributes to be transmitted and explicitly asks the users for their consent to the data transmission. The consent can also be withdrawn via this window. For an independent integration without a federation, this window can be provided by the university itself if required.
In accordance with GDPR, all personal data of users who have not registered with the Career Center for 24 months are automatically deleted from the system.
How do we set it up?
To set up an SSO connection for your Career Center, we need to exchange information with your institution, especially your IT department. You need to be sure that an identity provider (IdP or IAM) exists in your institution. We support three types of protocols to connect to IdPs:
Please share this documentation with your IT department so they can prepare the setup accordingly.
To facilitate the exchange of the necessary information for the setup and ensure its completeness, please transmit it via this form. The first part is intended mainly for careers service staff: it covers the relevant contact persons, the permalink (URL) you have agreed on with your JobTeaser contact person, and which user group should have access via the SSO connection. The second part deals with technical questions about your IdP/IDM.
If you have any questions when filling it out, please contact us.