# Single Sign-On (SSO)

When working with non-public data on Redivis, it's often important for researchers to be able to authoritatively attest to their affiliation with a given institution or other entity. To this end, Redivis supports Single Sign-On (SSO) through most academic institutions, as well as the ability to establish identity through a Google account or validated email address.

## Institution SSO via SAML

Redivis is a registered service provider within the US-based [InCommon federation](https://incommon.org/), which in turn is part of the [eduGAIN federation](https://edugain.org/), enabling secure, authoritative SSO across thousands of universities around the world, via the SAML 2.0 protocol. If you are a member of an academic institution (as well as certain other research enterprises), you can search for your institution by name and log in to Redivis through your institution's sign-in page.

### Troubleshooting institution SSO

In most cases, logging in with your institution will "just work". However, due to inconsistencies in how certain standards are applied around the world, you may run into issues when logging in through your institution. These issues can often be resolved with a quick ticket with your IT support desk – we recommend that you direct them to this page and copy <support@redivis.com> so that we may provide further technical information if needed.

Some common issues are outlined below:

#### Your institution does not support the Redivis service provider

If, when choosing your institution to log in, you are immediately presented with an error page (before you can type in your password), this likely means that your institution needs to add Redivis to some sort of "service provider allowlist". As a registered service provider within InCommon / eduGAIN, most institutions will automatically accept login requests from Redivis – but some require manual configuration. In this case, your IT desk will need to take a quick action to enable Redivis – it will likely be helpful to direct them to Redivis's SAML metadata, found here: <https://redivis.com/auth/saml/metadata>

#### Redivis was unable to determine identity

This error will occur after you've logged in with your institution, upon being redirected back to Redivis. In this case, the authentication request completed successfully, but your institution didn't provide enough information for Redivis to know who you are (which is important in order for you to apply for restricted data, so that the data distributor can be confident of who they're granting access to!).

{% hint style="success" %}
Some institutions allow you to configure privacy options associated with your login. If this is the case, navigate to the appropriate settings page within your institutional account, and make sure that your name, email, and institutional identifier / username are released.
{% endhint %}

Redivis requires all institution identity providers to provide some minimal information about the individual, such as name, email, and a persistent identifier. These are codified as the "[research and scholarship attribute bundle](https://refeds.org/category/research-and-scholarship)". If your institution uses OpenAthens for SSO, you can [view their documentation](https://docs.openathens.net/libraries/attribute-release#Attributerelease-ResearchandScholarship) to learn more about releasing these attributes.

{% hint style="info" %}
**For identity provider administrators**

Redivis requires the following attributes:

* eduPersonPrincipalName (`urn:oid:1.3.6.1.4.1.5923.1.1.1.6`)
* email (`urn:oid:0.9.2342.19200300.100.1.3`)
* name (`urn:oid:2.16.840.1.113730.3.1.241`)

The following attributes are optional but encouraged if available:

* affiliation (`urn:oid:1.3.6.1.4.1.5923.1.1.1.1`) ***or*** scopedAffiliation (`urn:oid:1.3.6.1.4.1.5923.1.1.1.9`)
* orcid (`urn:oid:1.3.6.1.4.1.5923.1.1.1.16`)
* pairwiseId (`urn:oasis:names:tc:SAML:attribute:pairwise-id`)
* eduPersonTargetedId (`urn:oid:1.3.6.1.4.1.5923.1.1.1.10`)
{% endhint %}
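
For identity provider administrators, a quick way to confirm that a test login releases the attributes listed above is to inspect the decoded SAML assertion. The following is an added example, not Redivis code: the sample assertion is constructed, the function names are hypothetical, and treating an attribute with an empty value as "not released" is an assumption. It only checks attribute release and does not verify signatures.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as listed on this page.
REQUIRED = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "name": "urn:oid:2.16.840.1.113730.3.1.241",
}
OPTIONAL = {
    "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "scopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "orcid": "urn:oid:1.3.6.1.4.1.5923.1.1.1.16",
    "pairwiseId": "urn:oasis:names:tc:SAML:attribute:pairwise-id",
    "eduPersonTargetedId": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
}

def released_attributes(xml_text):
    """Return the Names of attributes carrying at least one non-empty value."""
    root = ET.fromstring(xml_text)
    released = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        # itertext() also covers values nested in child elements (e.g. a NameID).
        if any("".join(v.itertext()).strip() for v in values):
            released.add(attr.get("Name"))
    return released

def check_release(xml_text):
    """Report required attributes that are missing and optional ones present."""
    released = released_attributes(xml_text)
    missing = sorted(k for k, oid in REQUIRED.items() if oid not in released)
    present = sorted(k for k, oid in OPTIONAL.items() if oid in released)
    return {"missing_required": missing, "optional_present": present}

# Constructed sample: displayName is sent but empty, as a privacy filter might do.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"><saml:AttributeValue>member@example.edu</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_release(SAMPLE))
```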

#### Other error messages

While uncommon, it's certainly possible that other errors might occur when logging in through your institutional credentials. If you encounter one, please contact <support@redivis.com> and we'd be happy to help you troubleshoot.

## SSO via Google

Redivis also supports the ability to sign in via any Google account. This can be a personal Gmail account, or via your organization if it supports Google single sign-on. When you sign in with Google, your name, email, and an opaque persistent identifier will be shared with Redivis.

If your institution supports Google sign-on, but is also listed as a SAML identity provider (see above), the SAML SSO will be preferred. If you try logging in via Google, you will be redirected to your institution's login page.

## Email sign-on

If your institution isn't listed *and* doesn't support SSO through Google (e.g., many @.gov emails), you can also sign in via any email address.

Redivis will send a unique code to this email every time you log in, making it such that the account owner continuously "proves" their ownership of the given email address.

{% hint style="info" %}
For security purposes, you must enter the code sent to your email in the same window from which it was initially requested. If you want to log in from a new window / device, you can request a new code.
{% endhint %}

