The UGA Single Sign-On Service (UGA SSO) provides centralized authentication for University of Georgia applications using MyID credentials, with optional ArchPass two-step login powered by Duo. This service is managed by EITS (Enterprise Information Technology Services) and is built on the Apereo CAS platform.
UGA SSO enables secure, seamless access to multiple campus applications through a single login experience.
Each SSO-enabled service consists of:
- An authentication server (UGA SSO)
- An application client that redirects authentication requests to the server
UGA SSO supports three industry-standard protocols:
- CAS (Central Authentication Service)
- SAML 2.0 (Security Assertion Markup Language)
- OIDC (OpenID Connect), built on OAuth 2.0
Application clients are installed and maintained by individual campus units. While EITS provides support for the authentication server, client-side implementation is the responsibility of application administrators.
Note: EITS offers limited support for client-side integration due to the variability in application environments. For more information, please visit our FAQ page.
For more information about how to move an application to UGA SSO, please see How to Move Your Application to UGA SSO.
Getting Started
To integrate your application with UGA SSO:
- Choose your protocol: CAS, SAML, or OIDC
- Prepare the required metadata or configuration
- Submit an SSO Integration Request
- Request Development Test IDs
- Test in the development or staging environment
- Move to production upon approval
For detailed steps, see How to Move Your Application to UGA SSO.
UGA SSO Environments
UGA SSO is deployed across three environments for development, testing, and production:
| Environment | URL | Notes |
| --- | --- | --- |
| Development | https://sso.dev.uga.edu | Uses development credentials. Test MyIDs may be required. Refer to the Test MyID Checkout Form for access. |
| Staging | https://sso.stage.uga.edu | Pre-production testing environment used for final validation before release. |
| Production | https://sso.uga.edu | Live authentication environment for end users. |
Supported Protocols
CAS Protocol
CAS refers to both the authentication protocol and the server software used in UGA SSO. The CAS server is a Java-based servlet that authenticates users and issues service tickets (ST) to CAS-enabled applications.
- A Single Sign-On session begins when a user logs in and receives a ticket.
- The application validates the ticket with the CAS server via secure back-channel communication.
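The back-channel validation step described above, as an added example (not code from EITS or the Apereo CAS project). It builds the validation request and parses a CAS 2.0 `serviceValidate` response, rejecting anything that is not an explicit success. The `/cas/serviceValidate` path and the application URL are assumptions, and the sample responses are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace defined by the CAS protocol
# Assumption: validation path on the development host; confirm the real path with EITS.
VALIDATE_URL = "https://sso.dev.uga.edu/cas/serviceValidate"
SERVICE_URL = "https://app.example.edu/login"  # hypothetical application URL


class TicketRejected(Exception):
    """Raised when the response does not prove a successful authentication."""


def validation_url(ticket: str, service: str = SERVICE_URL) -> str:
    # The service value must match the one used at login, or the server rejects the ticket.
    if not ticket.startswith("ST-"):  # the CAS protocol requires this prefix
        raise TicketRejected("not a service ticket")
    return VALIDATE_URL + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validation_response(body: str) -> str:
    """Return the authenticated user name, or raise TicketRejected."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise TicketRejected("unexpected DTD in response")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise TicketRejected(f"malformed XML: {exc}") from exc
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise TicketRejected("unexpected root element")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise TicketRejected(f"{failure.get('code')}: {(failure.text or '').strip()}")
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        raise TicketRejected("no authenticationSuccess/user element")
    return user.text.strip()


# Constructed sample responses in the CAS 2.0 format (not captured from UGA SSO).
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>testid1</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(validation_url("ST-1-constructed"))
    print(parse_validation_response(SAMPLE_OK))
```

In a real client the response body comes from an HTTPS GET to the validation URL with certificate verification enabled, and a session is created only after `parse_validation_response` returns.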
CAS Attribute Release
UGA CAS supports the release of a limited set of identity attributes. These attributes are available via SAML 1.1 and 2.0:
- CN (Common Name – typically the MyID)
- DN (Distinguished Name from MSMYID)
- firstName
- lastName
Application owners must coordinate with vendors to determine required attributes and ensure proper mapping and provisioning.
SAML Protocol
SAML is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).
Key Components
- Web Browser: Initiates the authentication flow
- Identity Provider (IdP): UGA SSO server
- Service Provider (SP): The application requesting authentication
Metadata Requirements
To establish trust and interoperability, SPs must provide accurate metadata, including:
- Entity ID
- Assertion Consumer Service (ACS) URL
- Public certificate
UGA SSO supports SAML 2.0 with backward compatibility for SAML 1.1. New applications default to SAML 2.0.
OIDC Protocol
OIDC (OpenID Connect) is a modern authentication protocol built on OAuth 2.0, ideal for mobile apps and modern web applications.
Supported Endpoints
- /authorize: Initiates login
- /token: Exchanges authorization code for tokens
- /userinfo: Retrieves user profile
- /logout: Ends session
Scopes Available
- openid (required)
- profile, email, groups, etc.
Need Help?
For questions or support, please submit an EITS Help Desk Request.