The previous post explained why SSO is the way to go for authentication at NYU. This document explains best practices for developers and application owners.
For custom applications, developers can use any SAML2 or OAuth2 library; however, the IAM team does have some recommendations for ease of use.
NYU IT supports the following Identity Providers (IdPs):
- Shibboleth IdP ver. 3.4.3 (as of Mar. 15, 2019)
- OpenID Connect ver. (as of )
NYU IT recommends the following Service Providers (SPs) for application owners and developers to use:
OpenID Connect SP (OAuth2 protocol) (recommended)
- Certified libraries are available for all supported languages.
Shibboleth SP (SAML2 protocol)
- PHP: SimpleSAML
- JAVA/C++: OpenSAML 3
- PYTHON: PySAML2
Please note that SAML2 has no certification process for its libraries; the library used may not always be compatible with the standard and may not function properly.
For application owners, the vendor is responsible for the SSO SP implementation. As part of the architecture work, the IAM team recommends working closely with the vendor and asking questions about their implementation, to gain confidence that the configuration will be easy and will work:
- What SSO protocol does the application support? (NYU supports SAML2 and OAuth2)
- Can the application owner configure SSO on their own through a user interface?
- Is a technical person needed to do the SSO configuration?
- Is SSO configured on the server at the web server level (Apache or IIS) or on the application side?
- What libraries are used for SSO? Are the SSO libraries certified?
- Who is responsible for SSO library upgrades?
- How soon will the vendor update the SSO libraries when a new version is available?