Connecting to OSF via Single Sign-On (SSO)

cc-zero.png   This article is licensed under CC0 for maximum reuse. 

This article provides general information about the Center for Open Science’s Shibboleth-based Single Sign-On (SSO) integration for organizations who have become Institutional Members.  Learn more about OSF Institutions membership at Https://Cos.Io/Our-Products/Osf-Institutions/.

What is Single Sign-On?

In general, Single Sign-On, or SSO, allows users authenticated with one trusted system (e.g., university network) to also authenticate using those same “home” credentials with another trusted network (e.g., OSF service). In the case of the second authentication, users are not asked to log in again, but instead the authenticated credentials are shared between systems.

Who can use Single Sign-On with OSF?

Any organization that has implemented a SAML 2.0 Identity Provider (IdP) and is an OSF Institutional member can offer SSO to OSF accounts.

A few notes:

  • Current OSF users who have already set up accounts with a different login, will be able to retain those credentials and choose to login with personal or institutional credentials.

  • Users’ authentication to the OSF service using SSO cannot also use the “Forgot Password” link on the OSF website to remind them of their credentials, as their user credentials are specific to and managed by their organization.

Technical Implementation

InCommon Research & Scholarship Institutions

COS is a Research & Scholarship Entity Category (R&S) Service Provider (SP) registered by the InCommon Federation.

  • Entity ID: https://accounts.osf.io/shibboleth
  • Requested Attributes: eduPersonPrincipalName  (SAML2), mail  (SAML2), and displayName  (SAML2)

Full technical details can be found Here.

Please note that only COS's production SP is registered by InCommon. If you want to connect to COS's test/staging SP, the SP metadata as mention in Other Institutions (below) is Here.

Other Institutions

COS offers a Service Provider (SP) based on SAML 2.0 (the protocol) and Shibboleth 2.0 (the implementation). To implement and test SSO for your institution:

  • Ensure that your IT administrators have loaded COS's SP metadata into your IdP
  • Ensure that your IT administrators are releasing the three required pieces of information listed below, and inform COS of the attributes you use for each of them:
    • Unique identifier for the user (e.g., eppn )
    • User's institutional email (e.g., mail )
    • User's full name (e.g., displayName  or a pair of givenName  and sn )

For All Institutions

Inform COS of the user you would like to test with; your COS contact will ensure your account is ready to go and will send you a link to test the SSO configuration setup for your institution.

Alternative SSO Options

COS strongly recommends using this Shibboleth-based SSO when connecting to the OSF. However, if this is not available at your institution, please inform COS of alternative SSO options you have. We may support them in the future.

One alternative currently supported is CAS-based SSO. Please refer to Connecting To The Open Science Framework (OSF) Via CAS-Based Single Sign-On (SSO) for technical details.

cc-zero.png   This article is licensed under CC0 for maximum reuse. 

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.