Single Sign-On (SSO)

Overview

When working with non-public data on Redivis, it's often important for users to be able to authoritatively attest to their affiliation with a given institution or other entity. To this end, Redivis supports Single Sign-On (SSO) through most academic institutions, as well as the ability to establish identity through a Google account or validated email address.

Institution SSO via SAML

Redivis is a registered service provider within the US-based InCommon federation, which in turn is part of the eduGAIN federation, enabling secure, authoritative SSO across thousands of universities around the world, via the SAML 2.0 protocol. If you are a member of an academic institution (as well as certain other research enterprises), you can search for your institution by name and log in to Redivis through your institution's sign-in page.

Troubleshooting institution SSO

In most cases, logging in with your institution will "just work". However, due to inconsistencies in how certain standards are applied around the world, you may run into issues when logging in through your institution. These issues can often be resolved with a quick ticket with your IT support desk – we recommend that you direct them to this page and copy support@redivis.com so that we may provide further technical information if needed.

Some common issues are outlined below:

Your institution does not support the Redivis service provider

If, when choosing your institution to log in, you are immediately presented with an error page (before you can type in your password), this likely means that your institution needs to add Redivis to some sort of "service provider allowlist". Because Redivis is a registered service provider within InCommon / eduGAIN, most institutions will automatically accept login requests from Redivis – but some require manual configuration. In this case, your IT desk will need to take a quick action to enable Redivis – it will likely be helpful to direct them to Redivis's SAML metadata, found here: https://redivis.com/auth/saml/metadata

Redivis was unable to determine identity

This error will occur after you've logged in with your institution, upon being redirected back to Redivis. In this case, the authentication request completed successfully, but your institution didn't provide enough information for Redivis to know who you are (which is important in order for you to apply for restricted data, so that the data distributor can be confident of who they're granting access to!).

Redivis requires all institution identity providers to provide some minimal information about the individual, such as name, email, and a persistent identifier. These are codified as the "research and scholarship attribute bundle". If your institution uses OpenAthens for SSO, you can view their documentation to learn more about releasing these attributes.

For identity provider administrators

Redivis requires the following attributes:

  • eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)

  • email (urn:oid:0.9.2342.19200300.100.1.3)

  • name (urn:oid:2.16.840.1.113730.3.1.241)

The following attributes are optional but encouraged if available:

  • affiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.1) or scopedAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.9)

  • orcid (urn:oid:1.3.6.1.4.1.5923.1.1.1.16)

  • pairwiseId (urn:oasis:names:tc:SAML:attribute:pairwise-id)

  • eduPersonTargetedId (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)
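
For identity provider administrators who want to confirm what their IdP actually releases, the following added example (not Redivis's own code) scans a decrypted SAML assertion for the attributes listed above. It assumes the attributes arrive under the urn:oid / urn:oasis names shown, in the `Name` field; the function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names and labels copied from the lists above.
REQUIRED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:2.16.840.1.113730.3.1.241": "name",
}
OPTIONAL = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "scopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.16": "orcid",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id": "pairwiseId",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedId",
}

def released_attributes(assertion_xml):
    """Return {Name: [non-empty values]} for every saml:Attribute found."""
    released = {}
    for attr in ET.fromstring(assertion_xml).iter("{%s}Attribute" % NS["saml"]):
        # itertext() also captures values wrapped in a nested element (e.g. a NameID).
        values = ["".join(v.itertext()).strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        released.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return released

def check_release(assertion_xml):
    """Presence check only: no signature, audience or condition validation."""
    released = released_attributes(assertion_xml)
    missing = sorted(label for oid, label in REQUIRED.items() if not released.get(oid))
    optional = sorted(label for oid, label in OPTIONAL.items() if released.get(oid))
    return {"missing_required": missing, "optional_present": optional}

# Constructed sample: an IdP that sends an empty "name" value (hypothetical user).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue/></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"><saml:AttributeValue>member@example.edu</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(check_release(SAMPLE))
```

An attribute that is present but empty is reported as missing, since it gives the service provider nothing to identify the user with.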

Other error messages

While uncommon, it's certainly possible that other errors might occur when logging in through your institutional credentials. If you encounter one, please contact support@redivis.com and we'd be happy to help you troubleshoot.

SSO via Google

Redivis also supports the ability to sign in via any Google account. This can be a personal Gmail account, or an account through your organization if it supports Google single sign-on. When you sign in with Google, your name, email, and an opaque persistent identifier will be shared with Redivis.

If your institution supports Google sign-on, but is also listed as a SAML identity provider (see above), the SAML SSO will be preferred. If you try logging in via Google, you will be redirected to your institution's login page.

Email sign-on

If your institution isn't listed and doesn't support SSO through Google (e.g., many @.gov emails), you can also sign in via any email address.

Redivis will send a unique code to this email every time you log in, so that the account owner continuously "proves" their ownership of the given email address.

For security purposes, you must enter the code sent to your email in the same window from which it was initially requested. If you want to log in from a new window / device, you can request a new code.
