Students, Users and Operators generally access targetconnect using their institution username and password. Single sign-on is particularly important for students, because it removes any perceived barrier to accessing the services provided. targetconnect supports the following single sign-on technologies:
- SAML via Entra
- SAML via OpenAthens
- SAML via ADFS
- SAML via Shibboleth
SSO Integration
SSO integration is a self-service function within your targetconnect instance.
Please note that SSO must be set up on each partition individually, unless the operator making the changes has access to all partitions.
As an operator, you can find the relevant settings at Maintenance > System settings > Authentication settings.
SSO Integration is a technical task, and will require a member of your IT team. They will either need access to targetconnect, or will need to work with an operator who has access.
Many institutions create an Operator account specifically for IT access, to help with integration setup and ongoing technical maintenance.
The first section of 'Authentication settings' can be completed by a non-technical Operator. Ensure that you have selected 'SAML' as the 'Single-Sign-On mode'. The completed section will likely look like this:
Please note the 'Apply settings to all departments' section. If you have multiple partitions, and some of them are not listed in the help text, then you will need to set up the SSO integration individually on the missing partitions, or amend your operator permissions to have access to all partitions.
The following section 'SAML Actor Authentication Settings' will be most relevant to your IT department.
The subsection 'Information to configure your SAML Enterprise Application' includes the following (all required by your IT department):
- A public certificate
- A SAML Service Provider Entity ID (if you have multiple instances of targetconnect, and wish to have a separate IdP application, please contact targetconnect.integrations@groupgti.com)
- An ACS URL (Attribute Consumer Service) unique to your targetconnect partition/service
If you have multiple partitions/services, you will need to add the ACS URL from each partition. This can be found by going to Authentication settings within the relevant partition. For example, if you had two partitions:
- demo-partition1.targetconnect.net
- demo-partition2.targetconnect.net
You would need to add both ACS URLs:
- https://demo-partition1.targetconnect.net/unauth/saml/acs
- https://demo-partition2.targetconnect.net/unauth/saml/acs
The subsection 'Information required from your SAML Enterprise Application' includes the following items that need to be provided by your IT department:
- SAML login URL - e.g. in Microsoft Entra, this is labelled 'Login URL'
- SAML Identity Provider Entity ID - e.g. in Microsoft Entra, this is labelled 'Microsoft Entra Identifier'
- SAML attribute name - This is the name of the claim/attribute to identify users. This should be the full claim, for Microsoft Entra this includes the namespace, e.g. 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
- SAML client certificate - You can either paste the certificate into the box, or upload a .pem file
The final section focuses on settings related to specific user types (Custom Users, Students and Operators):
In each of the above user categories you can:
- Switch SSO on or off - Student and Operator SSO are a requirement for a targetconnect instance to go live. Custom user groups can also have SSO switched on/off individually (from within the group settings)
- Set the 'Student authentication field' - This is the field within targetconnect that the attribute released from your IdP is matched against. So if you are releasing an email address from your IdP, you would likely want to match it against the 'University Email Address' of the student within targetconnect
- SAML attribute name - This can be left blank in most instances; however, targetconnect Technical Support may use this field if there are issues with your SSO integration
- Logout Endpoint - This option allows you to add an endpoint from your IdP that facilitates logging out of targetconnect and your IdP at the same time
If you have any questions or issues, please contact targetconnect.integrations@groupgti.com.