Oregon State University

ONID - OSU Network ID

ONID Single-Sign-On (SSO) Information

WARNING: ONID SSO is being phased out in favor of CAS. Use CAS for all new SSO projects.

What is ONID Single-Sign-On (SSO)?

ONID Single-Sign-On (SSO) allows a user to authenticate to a web page once using their ONID credentials. After the user is authenticated, they can go to any other participating ONID SSO web site and gain access without entering their ONID credentials again.


How does ONID SSO work?

ONID SSO relies on a cookie stored in the user's web browser and an XMLRPC API call to verify the cookie and session. Here are the steps involved:

  1. A user comes to your web site.
  2. Your web application checks for the ONID SSO cookie.
  3. If the cookie is not present, you redirect the client browser to the ONID SSO Login web page (https://secure.onid.oregonstate.edu/login?service=yourservicename).
  4. The user enters their ONID username and password to log in.
  5. If they are successfully authenticated, the ONID SSO cookie is created for the oregonstate.edu domain.
  6. The client browser is redirected back to your web site.
  7. Your web application reads the ONID SSO cookie and validates its information using an XMLRPC call against the ONID SSO server, granting access to the user.

Can I use ONID SSO for my web service?

To use ONID SSO, your web application will need to be able to make XMLRPC calls. Also, your web site must be hosted somewhere in the .oregonstate.edu domain. ONID SSO access is only granted for official OSU web sites. No personal web sites are allowed.


What information is needed to set up ONID SSO?

We will need the following information to create an ONID SSO service for you:

  • Official name of your web site or service.
  • The URL that the client browser will be redirected to after authenticating.
  • The title you would like displayed on the ONID SSO Login web page.
  • The IP address(es) of the server(s) that will be making XMLRPC calls.
  • (Optional) ONID usernames that will be granted access to SSO Manager - see below.

You can also customize the ONID SSO Login web page by providing your custom HTML code fragments for the areas directly above and below the login form.

Send an email to support@onid.orst.edu with this information and your request to set up a new ONID SSO service. You will receive a response with the additional information you'll need to set up ONID SSO in your web application.


How can I manage my SSO service?

A simple SSO service management application (SSO Manager) is available at:

With this tool, designated managers may perform the following operations:

  • View and edit the service's destination URL, session length, and title.
  • Optionally create and edit special non-ONID user accounts to provide the ability for outside vendors to access your SSO enabled site.

Before using SSO Manager, please provide a list of ONID users you would like to have management control over your service. Also indicate if you want the ability to create non-ONID user accounts associated with your service. Email this information to support@onid.orst.edu.


What should my application do to validate an SSO login?

Your application should perform the following steps to validate that the user has been authenticated with SSO:

  1. Get the SSO Session ID stored in the sso cookie in the oregonstate.edu domain.
  2. Call the XMLRPC function sso.session_check($ssoauth, $sid).
  3. The array returned will contain a flag indicating whether the session is valid and the expire time of the session.

Central Web Services offers sample PHP code that provides a complete SSO framework. Additional information is available on their Single Sign On (SSO) Library page.


What does the XMLRPC API look like?

sso.session_check(string $ssoauth, string $sid, int $extend)

  • string $ssoauth - authentication string (assigned by ONID support)
  • string $sid - session id to validate
  • int $extend - extend session expire time (optional, defaults to 1)

Returns:

Array
    (
        [valid] => 1
        [expire_time] => 1118682379
    )
  • int valid - indicates a valid session
  • int expire_time - unix timestamp of session expire time

sso.session_destroy(string $ssoauth, string $sid)

  • string $ssoauth - authentication string (assigned by ONID support)
  • string $sid - session id to destroy

Returns:

Array
    (
        [success] => 1
    )
  • int success - indicates the session was successfully destroyed

Note: Calling this function will log the user out of all SSO sites.

sso.session_userinfo(string $ssoauth, string $sid)

  • string $ssoauth - authentication string (assigned by ONID support)
  • string $sid - sid to get info on

Returns:

Array
    (
        [userinfo] => Array
            (
                [lastname] => College
                [expire_time] => 1118688011
                [osuuid] => 12345678901
                [sid_length] => 3600
                [ip] => 10.0.0.1
                [sid] => WiT7ppAEUKS3rJ2lNz3Ue64sGPxnnLL0
                [username] => collegej
                [firstname] => Joe
                [fullname] => College, Joe Student
                [email] => joe.college@oregonstate.edu
                [create_time] => 1118684410
             )

        [isonid] => 1
    )
  • array userinfo - array containing basic user information
  • int isonid - indicates the user is an ONID user

Note: You must call this function with a valid $sid. If you want information on a user without a valid $sid, see the sso.getuserinfo_byusername() function.

sso.getuserinfo_byusername(string $ssoauth, string $username)

  • string $ssoauth - authentication string (assigned by ONID support)
  • string $username - username to get info on

Returns:

Array
    (
        [userinfo] => Array
            (
                [lastname] => College
                [username] => collegej
                [firstname] => Joe
                [fullname] => College, Joe Student
                [osuuid] => 12345678901
            )

        [isonid] => 1
    )
  • array userinfo - array containing basic user information
  • int isonid - indicates the user is an ONID user

sso.getgroups_byusername(string $ssoauth, string $username)

  • string $ssoauth - authentication string (assigned by ONID support)
  • string $username - username to get group membership for

Returns:

Array
    (
        [groups] => Array
            (
                [0] => students
                [1] => test
                [2] => other
            )

        [username] => collegej
    )
  • array groups - array containing a list of groups the user is a member of
  • string username - the username queried

Notes

  • You may want to validate that the IP address in the userinfo array is the same IP address that the client is connecting to your web site with, although the IP address may legitimately be different for users behind some transparent proxies (AOL, for example).
  • If your application needs more information about the user than is present in the sessions table, you may be able to look up the additional information in the ONID LDAP server.
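
The validation steps listed earlier and the IP-address note above, combined into one fail-closed check. This is an added Python example, not code from OSU or Central Web Services. It assumes the sso cookie value is the session id itself, that a sid looks like the sample shown on this page, and that `rpc` is an `xmlrpc.client.ServerProxy` for the endpoint ONID support assigns (its URL is not given here); `FakeSSO`, its replies for unknown sids, and `SAMPLE` are constructed stand-ins so the block runs offline.

```python
import re
import time
import xmlrpc.client

# Assumption: sid shape inferred from the sample sid on this page.
SID_RE = re.compile(r"[A-Za-z0-9]{16,64}")


def validate_sso(cookies, client_ip, rpc, ssoauth, now=None):
    """Return (username, ip_matches) for a valid session, else None
    (the caller then redirects the browser to the ONID SSO login page)."""
    now = time.time() if now is None else now
    sid = cookies.get("sso", "")
    if not SID_RE.fullmatch(sid):
        return None  # missing or malformed cookie: never forward it to the server
    try:
        check = rpc.sso.session_check(ssoauth, sid)
        if int(check.get("valid", 0)) != 1 or int(check.get("expire_time", 0)) <= now:
            return None
        info = rpc.sso.session_userinfo(ssoauth, sid)["userinfo"]
    except (xmlrpc.client.Error, OSError, KeyError, TypeError,
            ValueError, AttributeError):
        return None  # fail closed on faults, transport errors and odd replies
    if info.get("sid") != sid or not info.get("username"):
        return None  # reply must describe the session we asked about
    # An IP mismatch is reported, not fatal: transparent proxies can change it.
    return info["username"], info.get("ip") == client_ip


class FakeSSO:
    """Constructed stand-in for the SSO XML-RPC server holding one session."""
    def __init__(self, session):
        self.sso, self._s = self, session  # lets callers write rpc.sso.<method>

    def session_check(self, ssoauth, sid, extend=1):
        ok = sid == self._s["sid"]
        return {"valid": int(ok), "expire_time": self._s["expire_time"] if ok else 0}

    def session_userinfo(self, ssoauth, sid):
        if sid != self._s["sid"]:
            raise xmlrpc.client.Fault(1, "invalid sid")  # assumed error behaviour
        return {"userinfo": dict(self._s), "isonid": 1}


# Constructed sample session, using the example values shown on this page.
SAMPLE = {"sid": "WiT7ppAEUKS3rJ2lNz3Ue64sGPxnnLL0", "username": "collegej",
          "ip": "10.0.0.1", "expire_time": 1118688011}
```

The second element of the result lets the application decide how to treat an IP mismatch (log it, or require a fresh login for sensitive actions) instead of rejecting every proxied user.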


Enterprise Computing Services, Oregon State University, Corvallis, OR 97331.
Contact Support - (1 541 737 8787)