How to Move your Application to UGA SSO

Summary

This article gives instructions and outlines the process for moving an application to UGA SSO, including the responsibilities of the application owner.

Body

Departments or units that want to add applications to any UGA SSO environment and enable SSO authentication should submit an integration request using the SSO Integration Request Form.

In the SSO Integration Request Form, the application owner will be asked to supply the following information:

  • The URL for each environment: Dev, Stage, and Prod
  • The attributes that can be returned to your application
  • Whether the application will use ArchPass two-step login, powered by Duo
  • The protocol that will be used for the SSO integration. If the desired protocol is SAML, EITS will need the metadata file or metadata link for the application.
  • The timeframe for moving the configuration into the production environment

The request will initiate a workflow that will be handled by EITS Information Security and Identity Management teams. The application owner/requestor will be contacted within the ticket with any questions and updates regarding the SSO integration request.  

All new applications added to the SSO environment start in the SSO development environment.  

Please plan for at least eight weeks, if no issues are identified, from initiation of the request to the scheduling of the application production go-live date. Newly registered applications will be subject to review and vulnerability scanning by the EITS Information Security team.

Testing the Configuration 

All testing to determine if the SSO integration is working properly is the responsibility of the application owner.

There are multiple steps within the SSO Integration ticket workflow where the application owner will need to attest that they have tested the integration and that it is working properly.

If test MyIDs are needed, they can be checked out to test authentication while onboarding your application. If the application has special authorization criteria based on a local user base or attributes being passed, test accounts can be set up to mimic the specifications. Test accounts can be requested via the Test MyID checkout form.

Application owner responsibilities

  • An application owner must be listed on the SSO configuration. This application owner will be the primary point of contact for questions regarding the SSO setup for the application.
  • Application owners must have a clear project plan, with testing and go-live dates. A project template is available for your use. Please submit the project plan using this template.
  • Application owners or their designees are responsible for creating a test plan and testing their applications. This includes testing in the following scenarios:
    • Testing while the application is being added to development, staging, and production SSO environments
    • Testing after regular SSO maintenance windows
    • Testing after application changes that impact the SSO configuration, such as certificate updates or attribute release
  • Application owners or their designees are responsible for signing off when an application works as expected in development, staging and production SSO environments.
  • Application owners must inform EITS when the application is decommissioned.

EITS responsibilities 

  • EITS will review each application project plan. 
  • Each project plan will be sent to the Office of Information Security for security review and investigation. The security review will determine the type of data that is being protected (restricted, sensitive, critical, other). The review will also determine whether the application requires ArchPass, UGA's two-step authentication solution, powered by Duo.
  • EITS will review each application's attributes, project plan dates, and protocols.
  • EITS will create development accounts for testing the application
  • The IDM team will work with the selected application owner to get the application in the development environment, staging environment and production environment during the appropriate maintenance windows.
  • EITS will ensure that the UGA SSO system is properly patched and upgraded to stay on the supported version. 

UGA Application Listserv

Application owners are automatically added to the UGASSOApps Listserv. This list is used for communications about SSO service maintenance, disruptions, or announcements. Application owners can also use this list for tips, techniques, and general questions about applications connecting to UGA SSO. This is a discussion list, and posts are not moderated before they are distributed. By accepting your understanding of the authentication methods at UGA, you are also accepting, as an application owner, that you will participate in the listserv communications.

UGA SSO Maintenance Windows

The EITS Identity Management (IDM) team provides regular SSO maintenance windows to add or modify SSO configurations in the production UGA SSO environment. These maintenance windows are typically scheduled twice a month, on Friday evenings starting at 5 p.m. Emergency maintenance will be conducted as needed. While preparing for an upgrade to the UGA SSO system, maintenance windows will be suspended temporarily to allow all application owners to test their applications with the updated CAS version, prior to the update being added to the production environment.

For more information about UGA SSO and moving your application, please visit our Moving to UGA SSO page.

Details

Article ID: 163063
Created: Mon 7/15/24 1:14 PM
Modified: Fri 8/16/24 10:34 AM