InCommon / eduGAIN Single Sign-On for Campus-Wide Licenses

Hello. My name is Cody from the MathWorks installation and licensing support team. And in this video, I will provide an overview of MathWorks InCommon and eduGAIN Federated Single Sign-On also known as SSO, for Campus-Wide Licenses. Let's start by understanding what Single Sign-On or SSO is for MathWorks.

SSO is an authentication process that allows faculty, staff, students, employees, and members at the university to log in with their university credentials to access all MathWorks products available with the Campus-Wide License. There will no longer be a separate MathWorks Account password, simplifying access by allowing users to remember only one set of credentials and reducing password fatigue.

SSO enhances IT security by eliminating the security risk that may occur when users reuse passwords for both their MathWorks Account and their university sign in credentials. SSO also allows for better user management for administrators as user access is managed centrally through the university. By keeping the attributes in your identity provider system current, administrators can ensure the Campus-Wide License is accessed exclusively by the active faculty, staff, and students at your university.

For new users, the initial setup is straightforward. New users may create an SSO profile and link to the MATLAB (individual) license through the MathWorks hosted university portal. The user will begin by selecting the 'Sign In to Get Started' button, and this will redirect the user to the mathworks.com and prompt them to sign in with their university email address. The university email domain will trigger the SSO workflow and redirect the user to the university sign in screen, where they will log in with their university credentials.

After signing in with their university credentials, the user will be prompted to complete a profile with a few required fields such as first and last name. After they have completed the SSO profile, the user will be signed in and automatically link to your Campus-Wide License and able to access all MathWorks products such as MATLAB Online or MATLAB on the desktop.

For existing users, the process will be even more simple and consistent between MATLAB and all MathWorks products. When a user is prompted to log in to MATLAB or any MathWorks products such as the MathWorks installer, MATLAB Online or the MathWorks Account page, they will first be prompted to sign in using their university email address. Once they enter their university email address, the university email domain will trigger the SSO experience, and the user will be prompted for their university credentials on the university login page. After the user is successfully logged in for the university, they will be logged into MATLAB and other MathWorks products that they are attempting to sign into.

Now that we've demonstrated the SSO experience for you and your users, let's dive into what is required for federated SSO configuration. Your university needs to be a member of the InCommon federation or your local federation and eduGAIN. MathWorks SSO also requires that the university provides a university email address for each user with an allowed university email domain that is unique to the university.

For the required attributes, MathWorks leverages attribute assertion using Shibboleth as part of the eduGAIN and InCommon federations. The required attributes include eduPersonPrincipalName or eduPersonTargetedId. These are used as the unique identifier for the user. eduPersonScopedAffiliation-- this is used to validate the user's status at the university and determine if they should be granted access to the Campus-Wide License and their SSO profile. mail, which is user's university email address and is mainly used for the SSO profile creation. However, it is also used for MathWorks Account pairing for current users moving to SSO.

For the eduPersonScopedAffiliation, MathWorks accepts five affiliation values, faculty, staff, student, employee, and member. When configured by the university to pass any of these values to MathWorks for a user, the user will be granted access to their SSO profile and Campus-Wide License.

Now that we've discussed the technical requirements, let's talk about the best practices. To begin, we will discuss attribute filtering. For its successful SSO implementation, MathWorks requires submission of the required attributes without restrictions. Restricting or filtering these attributes can affect users access to sign in and interaction with all MathWorks products. Other common pitfalls that may deny user access are unexpected updates to the entity ID or email domains. To prevent loss of access to MathWorks products, please inform MathWorks Support before making any updates to the university email domains or the entity ID.

In closing, MathWorks SSO provides a secure, streamlined login experience that benefits both the end users and the university. For more information or to initiate the SSO setup process, please reach out to MathWorks Support or visit our documentation. Thank you for watching.