Single Sign-On (SSO) for Campus-Wide Licenses
Overview
Single sign-on (SSO) allows Campus-Wide License users to access MathWorks products and services with their university credentials. Universities can implement SSO directly (no federation membership required) or through affiliations with their InCommon and eduGAIN federations membership.
Universities that implement SSO benefit from:
- Simplified Sign-On Experience – Users do not need to remember multiple passwords to access MathWorks products and services.
- Improved Security – A single set of login credentials improves enterprise security by reducing the risk of phishing and password theft.
- Streamlined Compliance – Required attribute assertion allows the Identity Provider (University/Organization) to automate user provisioning to save time and reduce errors.
To enable SSO, please contact Support.
SSO User Workflow
When SSO is enabled for a Campus-Wide License, users must sign in with an email address that matches the university’s domain allowed on the Campus-Wide License. Using a matching email address will trigger the SSO process when accessing any MathWorks product or service. After entering an email address with a matching domain, users will be prompted to log in with their university credentials.
If an eligible user does not have an email address with a matching domain, the License Administrator must manually add or remove them in the MathWorks License Center. The user will not have an SSO experience when they log into MathWorks products or services. Instead, they will log in with their MathWorks account credentials.
Technical Requirements
Both InCommon/eduGAIN SSO and Direct SSO use SAML 2.0 to support the exchange of metadata between the Identity Provider (university) and the Service Provider (MathWorks). The following sections describe the specific requirements for each type of SSO.
Direct SSO Requirements
- Identity Provider with SAML 2.0 Support
- IdP Metadata File (preferred)
If you are unable to provide the file, then as an alternative, provide the following information:
- IdP Entity ID
- IdP public certificate
- IdP Binding (HTTP-POST or HTTP-Redirect)
- Login URL
The release or mapping of the following attributes are also required:
- Unique identifier – MathWorks requires each user to have a unique identifier
- Affiliation – MathWorks uses affiliation status to determine if a user should be granted access
- Email address – MathWorks uses the email address for profile creation and to link the user to the correct Campus-Wide License
Info
MathWorks requires these attributes to be submitted without restriction as a condition of implementing SSO. Any restrictions, or filter policies, placed upon these attributes will negatively impact a user's ability to interact with other MathWorks services that require sign in.
The required attributes may be provided in one of the following ways:
| Required Attributes | |
|---|---|
Identifier: |
NameId, eduPersonTargetedID (ePTID), or eduPersonPrincipalName (ePPN) |
| Affiliation: | eduPersonScopedAffiliation* or Affiliation* |
| Email: | Mail or email |
*Accepted Affiliation Values: Faculty, Staff, Student, Employee, Member
InCommon/eduGAIN SSO Requirements
InCommon/eduGAIN SSO also requires that universities to be Identity Provider participants of InCommon or eduGAIN-affiliated federations.
The release of the following attributes is required:
| Required eduPerson Schema Attributes | |
|---|---|
| Identifier: | eduPersonPrincipalName (ePPN) or eduPersonTargetedId (ePTID) |
| Affiliation: | eduPersonScopedAffiliation* |
| Email: |
*Accepted Affiliation Values: Faculty, Staff, Student, Employee, Member
