It is common for schools to switch to a Single Sign On solution for Digication logins after a semester or more of usage. The same is true for the transition to a nightly CSV sync (documented here: CSV import). This article addresses preserving access for the accounts that already exist at the time of the changeover.
The CSV sync and most SSO implementations rely on a consistent, unique identifier for each user account, referred to as "syncid" or "otherid" within Digication documentation. Google SSO relies on the "username" field for the same purpose. To convert existing accounts to work with a new implementation of SSO or import, the only change they need is to the relevant identifier field.
We provide direct support to schools undertaking this type of transition. Here is an outline of what we will need from you:
- Internally, determine the field that will be used as a permanent unique identifier
- (Shib/CAS only) Ensure that the field is configured to be released to us within the context of SSO.
- (All SSO) Work with Digication to get SSO working under a sandbox system.
- Download a list of your existing users from the Digication Admin under Administration > Statistics > Users.
- Create a 2 column CSV mapping the existing IDs to the new ID values (or mapping the existing email addresses to the new ID values).
- Send the file to Digication support (we will perform the update).
- (All SSO) Test SSO logging in under the real system (and auto-creation if enabled).
- Enable SSO/CSV import.
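A pre-flight check for the two-column mapping file before it is sent to support, as an added example (not Digication's own tooling). The column headers, the presence of a header row and the case-insensitive comparison of new IDs are assumptions; the sample rows are constructed.

```python
import csv
import io

def validate_mapping(mapping_text, exported_ids):
    """Return a list of problems in a 2-column existing-ID -> new-ID mapping."""
    problems = []
    seen_old, seen_new = {}, {}
    rows = csv.reader(io.StringIO(mapping_text))
    next(rows, None)  # skip the header row (assumed to be present)
    for lineno, row in enumerate(rows, start=2):
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        old, new = row
        if old != old.strip() or new != new.strip():
            problems.append(f"line {lineno}: stray whitespace around a value")
        old, new = old.strip(), new.strip()
        if not old or not new:
            problems.append(f"line {lineno}: blank identifier")
            continue
        if old not in exported_ids:
            problems.append(f"line {lineno}: {old!r} is not in the exported user list")
        if old in seen_old:
            problems.append(f"line {lineno}: {old!r} already mapped on line {seen_old[old]}")
        seen_old.setdefault(old, lineno)
        # The user is found for login based on this field, so two accounts must
        # never share a new ID. Comparing case-insensitively is a conservative
        # assumption, not documented Digication behaviour.
        key = new.casefold()
        if key in seen_new:
            problems.append(f"line {lineno}: new ID {new!r} collides with line {seen_new[key]}")
        seen_new.setdefault(key, lineno)
    # Accounts left out of the mapping would not be converted at the changeover.
    for missing in sorted(set(exported_ids) - set(seen_old)):
        problems.append(f"unmapped existing account: {missing!r}")
    return problems

# Constructed sample data, not real accounts.
EXPORTED = {"jdoe", "asmith", "bwong", "clee"}
SAMPLE = """existing_id,new_id
jdoe,E1001
asmith,E1002
bwong,e1001
 clee,E1004
ghost,E1005
"""

if __name__ == "__main__":
    for problem in validate_mapping(SAMPLE, EXPORTED):
        print(problem)
```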
More about SyncIds
In the CSV import, this field must be provided in the syncid column:
- When creating a user account
- When updating a user account (the user will be found for update based on this field)
Using the LDAP SSO implementation (or similar derivatives)
- The field should be returned along with the LDAP attributes for the user's account
- The script should be configured to look for the syncid value under the correct LDAP attribute for your implementation
- The user is found for login based on this field
- If auto-user-creation is enabled, the account is created within Digication with the value returned from LDAP (this allows a subsequent CSV import to find the account for update, and the SSO script to find the account for subsequent login requests).
Using Shibboleth or CAS for SSO
- The field should be returned along with the other Shib/CAS attributes for the user's account
- The SSO configuration should indicate the correct attribute to look for (depending on which attribute you want to use)
- The user is found for login based on this field
- If auto-user-creation is enabled, the account is created within Digication with the value returned from Shib/CAS (this allows a subsequent CSV import to find the account for update, and the SSO script to find the account for subsequent login requests).
Using Google for SSO
- The syncid field is not used for SSO through Google, and typically cannot be retrieved from Google at the creation of a user account (if auto-creation is being used). For this reason we recommend pre-creation of user accounts through CSV import in the cases where CSV import will be used in conjunction with Google for SSO.
- The username field IS used to find the account for login under Google SSO. Schools implementing CSV import in conjunction with Google SSO will need to contact support to determine the correct format for the username field under their Google setup.