Single Sign-On (SSO)

 

Currently, 12Twenty offers two options for single sign-on integration with your system -- SAML and CAS. The 12twenty Implementation Team will help coordinate the SSO integration between systems. For other configuration options or 12twenty Proprietary SSO, please reach out to your 12twenty Implementation Manager. 

Topics

  1. Login Methods
  2. Shibboleth / SAML 2.0
  3. CAS
  4. OIDC with Google and Azure Active Directory
  5. Downloads

 


 

Login Methods

12twenty supports SSO-only and Concurrent (SSO + Email/Password) login for students and career center users.

 


SSO-only login will bypass the 12twenty login landing page and will immediately redirect users from
{your-site}.12twenty.com directly to your SSO login page. 

 

Concurrent login will direct users to
{your-site}.12twenty.com where they will then select SSO or Email & Password authentication.

 

SAML

In the past, 12Twenty has done SAML integrations with the following products:

Integration with other SAML based products may require extra service fees. To move forward with the SSO SAML integration with 12Twenty, we will need a few things from you:

Item: Details

SAML EntityID: If you are a part of InCommon, we will use this to look up your metadata and connect.

SAML IdP Metadata: If you are not a part of InCommon, we will use this to connect instead of the above. Metadata can only be accepted as a URL. Metadata files are not supported.

SAML Attributes: The SAML attribute(s) to be released to us (e.g. email address or student id) to match up students between systems. We prefer eduPersonPrincipalName (EPPN), urn:oid:1.3.6.1.4.1.5923.1.1.1.6, which is often an email address or student id.

Testing Account: We will use this on our side to continuously test and monitor the SSO integration between our systems.

Sample Response: This will help us associate the authenticated user to the correct record in our systems. Please include the student identifier in the response.

 

Accepted SAML Attributes

EPPN
Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Decoder: Scoped
Attribute Value (Example): bobby_jones@school.edu, 94232982@school.edu

MAIL
Name: urn:oid:0.9.2342.19200300.100.1.3
NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Decoder: String
Attribute Value (Example): bobby_jones@school.edu, 94232982@school.edu

UID
Name: urn:oid:0.9.2342.19200300.100.1.1
NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Decoder: String
Attribute Value (Example): bobby_jones

12twenty does not support other SAML Attribute values at this time. Please speak to your SSO Implementation Manager if you have any questions. You can reach the Onboarding & Implementation team at Onboarding@12twenty.com.

Pro-Tip: If your users have "vanity" email addresses, the SAML Attribute "MAIL" may not be appropriate.
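
The following is an added example, not 12twenty's code. It is a Python check that an IdP administrator could run on a sample response before sending it, to confirm that at least one accepted attribute is released with the expected Name and NameFormat and that a Scoped value has the user@scope form. The helper names, the error strings and the constructed sample are assumptions; the check inspects attribute naming only and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Accepted attributes from this page: Name -> (label, decoder)
ACCEPTED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ("EPPN", "Scoped"),
    "urn:oid:0.9.2342.19200300.100.1.3": ("MAIL", "String"),
    "urn:oid:0.9.2342.19200300.100.1.1": ("UID", "String"),
}

def _is_scoped(value):
    # A scoped value is user@scope with exactly one "@" and both parts non-empty.
    local, sep, scope = value.partition("@")
    return bool(local and sep and scope) and "@" not in scope

def check_attributes(xml_text):
    """Hypothetical helper; inspects attribute naming only, no signature checks."""
    found, problems = {}, []
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        if name not in ACCEPTED:
            problems.append(f"{name}: not an accepted attribute")
            continue
        label, decoder = ACCEPTED[name]
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("NameFormat") != URI_FORMAT:
            problems.append(f"{label}: NameFormat is not {URI_FORMAT}")
        elif not values or not all(values):
            problems.append(f"{label}: empty or missing value")
        elif decoder == "Scoped" and not all(_is_scoped(v) for v in values):
            problems.append(f"{label}: value is not scoped (user@scope)")
        else:
            found[label] = values
    if not found:
        problems.append("no accepted attribute (EPPN, MAIL, UID) released")
    return found, problems

# Constructed sample: EPPN is correct; mail uses a friendly name and basic format.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}"><saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{URI_FORMAT}">
 <saml:AttributeValue>bobby_jones@school.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
 <saml:AttributeValue>bobby_jones@school.edu</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(check_attributes(SAMPLE))
```

On the constructed sample, the EPPN attribute is accepted and the friendly-name "mail" attribute is reported, because it is not released under the MAIL OID listed above.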

InCommon Members

If you are a member of InCommon, you can look us up by our EntityIDs for our two environments:

Environment EntityID
Production https://sso.12twenty.com/sp
Stage https://sso.stage-12twenty.com/sp

 

Non-InCommon Members

If you are not a member of InCommon, no problem! You can find our metadata in the following locations:

Environment Metadata Location
Production https://sso.12twenty.com/Shibboleth.sso/Metadata
Stage https://sso.stage-12twenty.com/Shibboleth.sso/Metadata

 

CAS

To move forward with the SSO CAS integration with 12Twenty, we will need a few things from you:

Item: Description

Login Url: The location where the user will be redirected to when attempting to access 12Twenty

ServiceValidate Url: The service that checks the validity of a service ticket and returns an XML-fragment response

Logout Url: The location that will successfully log out the user from both systems

User Identifier Examples: This is the unique id of the user that will allow the correlation of users between systems. Examples: homer732, bart.simpson@school.edu

Testing Account: We will use this on our side to continuously test and monitor SSO integration between systems

 

OIDC with Google and Azure Active Directory

12twenty's SSO integration includes the ability to use "Login with Google" and "Login with Microsoft." To use this service, please reach out to your Implementation Manager.

Additional resources for this configuration can be found here

Downloads
