SSO & SAML Configuration
Enable single sign-on for your institution to streamline user access and improve security.
SSO Types Supported
SAML 2.0
Industry standard for enterprise SSO:
- Works with most identity providers
- Secure token exchange
- Role mapping support
OAuth 2.0
Modern authorization framework:
- Social login support
- API access tokens
- Refresh token handling
OpenID Connect (OIDC)
Authentication layer on OAuth:
- ID tokens
- User info endpoint
- Standard claims
SAML Configuration
Gather IdP Information
From your Identity Provider, obtain:
- IdP Entity ID
- SSO URL
- X.509 Certificate
- Attribute mapping
Configure in Bevinzey
- Go to Admin > SSO Configuration
- Select SAML
- Enter IdP details:
  - Entity ID
  - SSO URL
  - Certificate (paste full cert)
- Set attribute mappings
- Save configuration
Bevinzey SP Details
Provide to your IdP:
- SP Entity ID
- ACS URL (callback)
- Metadata URL
Test Connection
- Click "Test SSO"
- Redirect to IdP
- Authenticate
- Verify return data
- Check role assignment
OAuth/OIDC Configuration
Create Application
In your OAuth provider:
- Register new application
- Set redirect URI
- Configure scopes
- Note Client ID and Secret
Configure in Bevinzey
- Select OAuth or OIDC
- Enter:
  - Authorization URL
  - Token URL
  - Client ID
  - Client Secret
  - Userinfo URL (OIDC)
- Configure scope mapping
- Save and test
Role Mapping
Map IdP Roles
Map your IdP groups/roles to Bevinzey roles:
- IdP "faculty" → Educator
- IdP "students" → Student
- IdP "admins" → Institution Admin
Auto-Provisioning
New users are created automatically with:
- Correct role
- Institution assignment
- Department (if mapped)
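The role mapping and auto-provisioning described above, sketched as an added Python example; it is not Bevinzey's own code. The attribute names (`email`, `groups`, `department`), the `provision` function, case-insensitive exact matching, denial of users with no mapped group, and the least-privilege tie-break are all assumptions made for illustration.

```python
from typing import Optional

# Mapping taken from the page: IdP group -> Bevinzey role.
ROLE_MAP = {
    "faculty": "Educator",
    "students": "Student",
    "admins": "Institution Admin",
}
# Assumed tie-break policy when a user is in several mapped groups:
# the least-privileged role wins.
PRECEDENCE = ["Student", "Educator", "Institution Admin"]


def provision(attrs: dict, institution: str,
              dept_map: Optional[dict] = None) -> Optional[dict]:
    """Build a provisioning record from asserted attributes, or None to deny."""
    groups = attrs.get("groups", [])
    if isinstance(groups, str):  # IdP sent a single-valued attribute
        groups = [groups]
    # Exact match after trimming and case-folding. No prefix or substring
    # matching, so a group such as "admins-readonly" never maps to a role.
    roles = {ROLE_MAP[g.strip().casefold()] for g in groups
             if isinstance(g, str) and g.strip().casefold() in ROLE_MAP}
    email = attrs.get("email")
    if not roles or not isinstance(email, str) or not email:
        return None  # fail closed: no mapped group or no identifier
    record = {
        "email": email,
        "role": min(roles, key=PRECEDENCE.index),
        "institution": institution,
    }
    # Department is set only when the IdP value has an explicit mapping.
    dept_raw = attrs.get("department")
    if isinstance(dept_raw, str) and dept_raw in (dept_map or {}):
        record["department"] = dept_map[dept_raw]
    return record


if __name__ == "__main__":
    # Constructed sample assertions, not real IdP output.
    samples = [
        {"email": "a@example.edu", "groups": ["Faculty "], "department": "CS"},
        {"email": "b@example.edu", "groups": ["admins-readonly"]},
        {"email": "c@example.edu", "groups": ["admins", "students"]},
    ]
    for s in samples:
        print(s["email"], "->", provision(s, "Example University",
                                          {"CS": "Computer Science"}))
```

Running the same checks against the data returned by "Test SSO" shows whether an unmapped or misspelled IdP group would silently produce a role.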
Security Considerations
Certificate Management
- Renew certificates before expiration
- Test after rotation
- Monitor certificate health
Session Management
- Configure session timeout
- Single logout support
- Force re-authentication option