Single Sign On with SAML and Shibboleth
The Single Sign On (SSO) procedure allows the use of PlagAware without creating individual user accounts at PlagAware. Instead, users are authenticated via the central login service of their home organization, eliminating the need to create and manage user accounts.
Single Sign On, SAML and Shibboleth
The essentials at a glance
- PlagAware supports authentication using SAML 2.0 and extensions based on it, such as Shibboleth.
- PlagAware acts as a Service Provider (SP) with the Entity ID https://www.plagaware.com/saml and is registered with the German Research Network Authentication and Authorization Infrastructure (DFN-AAI).
Single Sign On (SSO) is a mechanism by which the authentication of users is not performed by PlagAware itself, but by the user's home organization (e.g. the university). This has the advantage that a single login of the user at the university is sufficient to use a variety of services. It also increases data security, since PlagAware does not need to store the username and password to authenticate a login.
In addition, SSO makes it easier to manage the users of a PlagAware license, as the user accounts are controlled centrally from the infrastructure of the home organization. There is no need to manually add and remove users from the license. PlagAware's SSO process is based on SAML (Security Assertion Markup Language), a standardized protocol that allows identity providers (IdP), e.g. universities, to transfer authorization data to the service provider (SP).
How does login work with your organization?
When we set up PlagAware for your organization, we also set up an individual login page (e.g. https://my.plagaware.com/login/meine-uni). When you select "Log in with organization", you will be redirected to your home organization. If you are already logged in there, you do not need to do anything else - you can use PlagAware directly. Otherwise, your home organization will show you a login page, where you can log in with your organization's credentials.
After the first successful login, this page will be saved for you as the default login page. So when you log in to PlagAware in the future, your individual login page will be displayed directly. If you want to log in with a different account, simply click "Log in with email and password" to return to the PlagAware login with username and password.
If you use PlagAware with Single Sign On, we do not know your credentials. Therefore, we cannot reset your password if you have forgotten it. In this case, please contact the account management in your organization.
Tip: Forgot your organization's login page?
If you have forgotten your organization's login page, that's no problem. Just click the Sign up with Organization link on the login page and enter your organization's mail address. We will determine your organization based on your mail address and redirect you to their login page. If your organization does not have Single Sign On set up yet, we will display a message to indicate this.
For Admins: Setting up Single Sign On
The entity ID of PlagAware is https://www.plagaware.com/saml. At this address you can also find our metadata file, which you can download regularly. Alternatively, you can get the metadata from the Authentication and Authorization Infrastructure of the DFN (DFN-AAI).
PlagAware uses the following attributes to perform authentication:
- Pairwise Id (SAML V2.0 Pairwise Subject Identifier): Unique, permanent pseudonym of a user by which we can recognize the user. Example: MCE6NXEQ3FC3PUKY4M75EYCOWN4TGKBH@testscope.dfn.de.
- Business email address: Mail address of the user. We send the results of the plagiarism check to this address, for example. Example: mustermann@uni-musterstadt.de.
- Type of affiliation plus domain name / Scope: Type of affiliation the user has with the organization. Example: staff@uni-musterstadt.de.
If you want to use Single Sign On, please just send a message to the PlagAware-Support and tell us the Entity ID of your Identity Provider (IdP). We will then enable your organization for SSO and also create the custom login page. If your license is not valid for all employees of your organization, you will also need to map the SAML attributes to the appropriate license or sublicense.
Assignment of SAML attributes to the PlagAware License
In the registration process, we perform a mapping of the submitted attributes of the user to the PlagAware license (or sublicense). We perform this mapping based on a combination of one or more of the following attributes:
- Mail address of the user (e.g. *@uni-musterstadt.de),
- Scoped Affiliation (e.g. staff@uni-musterstadt.de), and
- Authorizations (eduPersonEntitlement, e.g. http://plagaware.com/license/PLAG-DEMO-EXCL1)
When creating the licenses and sublicenses, we will ask or advise you for which combination of attributes the respective license should apply. Usually we will create the license so that it applies to all employees of the organization (see example above). However, if you have purchased the license for only a part of the organization (e.g. an institute), or if you want a sublicense to be applicable to a specific area (e.g. self-testing for students), this is represented by a different combination. A sample configuration may look like the following:
Priority | Affiliation | Mail address | Entitlement | License |
---|---|---|---|---|
1 | * | * | http://plagaware.com/license/PLAG-DEMO-EXCL1 | PLAG-DEMO-EXCL1 |
2 | Staff | *@bwl.uni-musterstadt.de | * | PLAG-DEMO-BWL |
3 | Staff | * | * | PLAG-DEMO-STAFF |
4 | Student | * | * | PLAG-DEMO-STUD |
The rules are processed in the order of their priority; more specific rules should therefore be listed before more general ones. The example can be interpreted as follows:
- Rule 1: Users with the special entitlement http://plagaware.com/license/PLAG-DEMO-EXCL1 are directly assigned to the license PLAG-DEMO-EXCL1, regardless of the mail address or affiliation.
- Rule 2: Employees (Affiliation: Staff) of the organization with a mail address ending in @bwl.uni-musterstadt.de are assigned to the license PLAG-DEMO-BWL.
- Rule 3: All remaining employees are assigned to the PLAG-DEMO-STAFF license.
- Rule 4: All students (Affiliation: Student) are assigned to the license PLAG-DEMO-STUD.
Tip: Order of the rules
The rules are processed according to their priority. If a rule applies, no further rules are considered.
If no rule applies, a hint message is displayed that your organization does not allow access to PlagAware for this user.
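The first-match evaluation of the sample table can be reproduced with the following sketch, which is an added example and not PlagAware's own code. The function name `resolve_license`, the case-insensitive comparison, the shell-style wildcard matching and the handling of multi-valued attributes are assumptions; the sample users are constructed.

```python
from fnmatch import fnmatchcase

# Rules from the sample table, in priority order:
# (affiliation, mail pattern, entitlement, license); "*" matches anything.
RULES = [
    ("*", "*", "http://plagaware.com/license/PLAG-DEMO-EXCL1", "PLAG-DEMO-EXCL1"),
    ("staff", "*@bwl.uni-musterstadt.de", "*", "PLAG-DEMO-BWL"),
    ("staff", "*", "*", "PLAG-DEMO-STAFF"),
    ("student", "*", "*", "PLAG-DEMO-STUD"),
]


def resolve_license(mail, scoped_affiliations, entitlements, rules=RULES):
    """Return the license of the first matching rule, or None if none applies."""
    mail = mail.strip().lower()
    # "staff@uni-musterstadt.de" -> "staff"; the attribute can be multi-valued.
    affiliations = {a.split("@", 1)[0].strip().lower() for a in scoped_affiliations}
    entitlements = set(entitlements)
    for affiliation, mail_pattern, entitlement, license_id in rules:
        if affiliation != "*" and affiliation not in affiliations:
            continue
        if not fnmatchcase(mail, mail_pattern.lower()):
            continue
        if entitlement != "*" and entitlement not in entitlements:
            continue
        return license_id  # first match wins; later rules are not considered
    return None  # no rule applies: access is denied for this user


# Constructed sample users (not real accounts).
SAMPLES = {
    "entitled student": ("a@uni-musterstadt.de", ["student@uni-musterstadt.de"],
                         ["http://plagaware.com/license/PLAG-DEMO-EXCL1"]),
    "bwl staff": ("b@bwl.uni-musterstadt.de", ["staff@uni-musterstadt.de"], []),
    "other staff": ("c@uni-musterstadt.de", ["staff@uni-musterstadt.de"], []),
    "student": ("d@stud.uni-musterstadt.de", ["student@uni-musterstadt.de"], []),
    "alum": ("e@uni-musterstadt.de", ["alum@uni-musterstadt.de"], []),
}

if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(f"{label:18} -> {resolve_license(*attrs)}")
```

Passing the rules with 2 and 3 swapped assigns the BWL staff member to PLAG-DEMO-STAFF, which is why the more specific rule has to be listed first.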