
What We Need From You

Scope: What your IT team provides so users can sign in with your institution's single sign-on. CampusCore supports SAML 2.0 and OpenID Connect (OIDC), and the details we need differ by protocol - so start by telling us which one your identity provider uses.


First, for either protocol

  • Protocol - SAML 2.0 or OIDC. Your identity team will know which your IdP (Microsoft Entra, ADFS, Okta, Google, and similar) uses.
  • Login button label - what the sign-in button should say, for example "Howard SSO".

If you use SAML 2.0

The quickest path is to send us your IdP metadata URL - we auto-discover the entity ID, endpoints, and certificate from it. If you can't share one, send the individual values instead.

  • IdP metadata URL - if available, this covers the next three items automatically.

If there's no metadata URL, provide these directly:

  • IdP Entity ID - your identity provider's identifier.
  • Sign-on URL (SSO URL) - where users are sent to authenticate.
  • Signing certificate - your IdP's X.509 certificate, in PEM format.

Optional:

  • Sign-out URL (SLO URL) - enables single logout.

What we give you: after we create the provider, we send you our SP Entity ID and ACS (sign-in) URL (plus an SP metadata URL) to register on your side.


If you use OIDC (OpenID Connect)

You register CampusCore as an application in your IdP, then send us the credentials it issues.

What we give you first: the redirect / callback URL to register CampusCore in your IdP.

Then provide:

  • Issuer / discovery URL - your IdP's OIDC discovery endpoint, for example https://login.university.edu (the base that serves /.well-known/openid-configuration).
  • Client ID - issued when you register CampusCore in your IdP.
  • Client secret - issued alongside the client ID.
  • Scopes - we default to openid email profile; let us know if yours differ.

Both protocols: attribute / claim names

So we map your users correctly, tell us the claim names your IdP sends for:

  • Email, subject / stable ID, first name, and last name.
  • Groups/roles claim - only if you want automatic role assignment (see below).

CampusCore can assign each user the right level of access automatically based on their group membership in your IdP. To enable that, also provide:

  • Groups claim name - the exact claim that lists a user's groups, for example groups, member_of, or roles. Leave this out to skip automatic role assignment.
  • Group values to map - the exact group values (short names for OIDC, full directory names like CN=Advisors,OU=Staff,DC=vsu,DC=edu for Active Directory) and which CampusCore role each should grant.
  • Case sensitivity - whether your group values are case-sensitive. Active Directory groups usually are not; OIDC group names usually are.
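One way the group-to-role mapping described above can be evaluated, shown as an added example that is not CampusCore's own code: group values are compared whole, and case is folded only when the mapping is marked case-insensitive. The role names (advisor, admin), the registrar-admins group, and all function and class names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMapping:
    claim_name: str        # exact groups claim name, e.g. "groups" or "member_of"
    case_sensitive: bool   # AD groups usually are not; OIDC group names usually are
    roles_by_group: dict   # exact group value -> role name (role names are hypothetical)


def _key(value: str, case_sensitive: bool) -> str:
    value = value.strip()
    return value if case_sensitive else value.casefold()


def build_table(mapping: GroupMapping) -> dict:
    """Normalise the configured group values, rejecting ambiguous entries."""
    table = {}
    for group, role in mapping.roles_by_group.items():
        k = _key(group, mapping.case_sensitive)
        if table.get(k, role) != role:
            raise ValueError(f"group {group!r} maps to two roles once case is ignored")
        table[k] = role
    return table


def resolve_roles(claims: dict, mapping: GroupMapping) -> set:
    """Roles granted by the groups claim; empty set (nothing granted) when nothing matches."""
    raw = claims.get(mapping.claim_name)
    if isinstance(raw, str):   # a single group may arrive as a bare string
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        return set()           # claim missing or malformed: assign no role
    table = build_table(mapping)
    keys = (_key(v, mapping.case_sensitive) for v in raw if isinstance(v, str))
    # Whole-value comparison only: a prefix or substring of a mapped group grants nothing.
    return {table[k] for k in keys if k in table}


# Constructed sample configuration (not real directory data).
AD = GroupMapping("member_of", False, {"CN=Advisors,OU=Staff,DC=vsu,DC=edu": "advisor"})
OIDC = GroupMapping("groups", True, {"advisors": "advisor", "registrar-admins": "admin"})

if __name__ == "__main__":
    print(resolve_roles({"member_of": ["cn=advisors,ou=staff,dc=vsu,dc=edu"]}, AD))
    print(resolve_roles({"groups": ["Advisors"]}, OIDC))
```

The strings are compared as the IdP sends them, with no directory-name canonicalisation, which is why the exact group values matter.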
