- System administrators with the All Permissions option selected
- Users with the Can change integration profile permission
- Username Mapping (required): The name of the attribute in the response to be used as the campusM app username.
- Mail Mapping (required): The name of the attribute in the response that contains the user’s email.
- First Name Mapping (required): The name of the attribute in the response that contains the user’s first name.
- Last Name Mapping (required): The name of the attribute in the response that contains the user’s last name.
- Additional Mappings (optional): This field takes multiple comma-delimited name and value pairs that are added in a designated part of the token, where additional information can be kept and then used in the different parts of the application. A single value can be supplied if the same attribute name in the response should be used (so instead of department=department, you can type just department). For example: job=title,tel=mobile,office,department.
- Additional Encrypted Mappings (optional): Same as Additional Mappings, but is encrypted on the token.
- Token Lifetime: The expiration date for the generated token used by campusM. If left empty, the default is 30 days for both Web and Native mobile. Example values are: 30d, 120m, 72h.
It is recommended to configure the token lifetime (expiration) at the 30d level so that users do not need to re-login/authenticate to campusM frequently. The token lifetime definition represents the campusM authentication token lifetime (the one used within campusM to ensure the user is authorized to use the system functions), NOT the IdP session/token lifetime (when relevant), which is typically much shorter than 30d and may be passed by the browser to seamlessly log in to other systems covered by the same IdP.
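The mapping and lifetime formats above can be checked before they are entered in a profile. The following is an added example, not campusM code: the function names, the sample response, the reading of the units (d = days, h = hours, m = minutes) and the skipping of missing attributes are assumptions.

```python
import re
from datetime import timedelta

def parse_mappings(spec):
    """Parse 'job=title,tel=mobile,office' into {token_name: response_attribute}."""
    mappings = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        name, sep, attr = item.partition("=")
        name, attr = name.strip(), attr.strip()
        if not name or (sep and not attr):
            raise ValueError(f"malformed mapping: {item!r}")
        if name in mappings:
            raise ValueError(f"duplicate token name: {name!r}")
        # Shorthand: a bare name maps the response attribute to itself.
        mappings[name] = attr if sep else name
    return mappings

def apply_mappings(mappings, response):
    """Copy only the mapped attributes out of a response (assumed: missing ones are skipped)."""
    return {name: response[attr] for name, attr in mappings.items() if attr in response}

# Assumption: d = days, h = hours, m = minutes.
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}

def parse_lifetime(value, default="30d"):
    """Turn '30d', '120m' or '72h' into a timedelta; empty means the 30-day default."""
    match = re.fullmatch(r"([1-9]\d*)([dhm])", (value or default).strip())
    if match is None:
        raise ValueError(f"invalid token lifetime: {value!r}")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})

# Constructed sample values; "ssn" is released by the IdP but not mapped.
SPEC = "job=title,tel=mobile,office,department"
RESPONSE = {"title": "Registrar", "mobile": "555-0100",
            "department": "Admissions", "ssn": "withheld"}

if __name__ == "__main__":
    print(apply_mappings(parse_mappings(SPEC), RESPONSE))
    print(parse_lifetime(""), parse_lifetime("72h"))
```

Attributes that the response carries but the mapping does not name (here `ssn`) never reach the resulting dictionary, which makes the mapping string a useful place to review what ends up on the token.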
Configurations Per Authentication Type
Customer Configuration for SAML2
campusM Configuration for SAML2
For new configurations, only Default is available as a campusM certificate metadata file version.
For existing profiles, you can select:
The certificate must be replaced prior to the expiration date of the chosen certificate. If you opt to use a previous certificate, campusM continues to accept the certificate even after the expiration date. If you edit an existing profile and select a new certificate, once you save the profile, the previous certificate becomes unavailable. Before changing your certificate, you must check with your IT department.
- CampusM Certificate (required) – The certificate used for communication. Select the one with the latest expiration date.
- Entity ID – an attribute on the root EntityDescriptor element in the IdP’s metadata.
- SSO (Single Sign On) URL (required) – at the end of the IDPSSODescriptor element (the first one, if there are multiple) are one or more SingleSignOnService elements. Take the one that has its Binding attribute set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and enter its Location attribute here.
- Certificate – In the IDPSSODescriptor element of the metadata, there are one or more KeyDescriptor elements that may have an optional use attribute. Copy the attribute that is set to signing, and put it in the X509Certificate element.
- Additional Certificate – You can add an additional certificate.
- IDP Logout URL (optional) – a general logout URL that allows the IdP to terminate the user’s session. For Shibboleth, an example syntax is: https://
Customer Configuration for OAuth2
campusM Configuration for OAuth2
- OAuth Client ID (required) – the client ID that the customer’s system produces when registering the campusM app.
- OAuth Client secret (optional) – this is provided when registering the app. Optional, but recommended.
- Authorization endpoint (required) – the endpoint to where the user is redirected for login.
- Access token endpoint (required) – the endpoint from where the OAuth tokens are fetched.
- Token Endpoint Auth – the authentication method used for the token endpoint. Options are Post or Basic.
- User info endpoint (optional) – the endpoint from which user information is retrieved by using the access token. If this is not provided, it is expected that the user information is contained in an id_token (JWT) returned from the access token endpoint response. If that is not found, the access token is expected to be a JWT containing the information.
- OAuth Scope (optional) – used to define the amount of information sent back in the responses.
- Logout URL (optional) – a general logout URL that allows the IdP to terminate the user’s session. For Shibboleth, an example syntax is: https://
/idp/profile/Logout. If this is not provided, the user’s session with the IdP is not terminated when logging out of campusM.
- Token verification certificate (optional) – The certificate with which the token (either id_token or access_token where a user info endpoint is not provided) can be verified. Only one certificate is supported currently, so if there is a rotating set of keys that is being used to sign the tokens, leave this empty.
- Extract OAuth tokens (optional) – not selected by default. When this option is selected, the tokens returned from the access token endpoint during the login process are saved, encrypted, on the resulting campusM token for later use.
The following is required for this to function properly:
- Access token and expiry (expires_in)
- Refresh token (refresh_token)
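The order in which user information is looked up (user info endpoint, then id_token, then a JWT access token) and the fields needed by Extract OAuth tokens can be sketched as follows. This is an added example, not campusM code: all function names and sample responses are constructed, and the JWT payload is decoded without a signature check, which in a real deployment requires the token verification certificate and a JWT library.

```python
import base64
import json

def jwt_claims(token):
    """Decode a compact JWT's payload. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def resolve_user_info(token_response, fetch_userinfo=None):
    """Return (source, claims) using the fallback order described above."""
    access_token = token_response["access_token"]
    if fetch_userinfo is not None:        # a user info endpoint is configured
        return "userinfo", fetch_userinfo(access_token)
    if "id_token" in token_response:      # JWT returned next to the access token
        return "id_token", jwt_claims(token_response["id_token"])
    try:                                  # last resort: the access token is itself a JWT
        return "access_token", jwt_claims(access_token)
    except ValueError:
        raise LookupError("opaque access token and no other user info source") from None

def missing_for_extraction(token_response):
    """Fields that 'Extract OAuth tokens' needs but the response lacks."""
    required = ("access_token", "expires_in", "refresh_token")
    return [name for name in required if name not in token_response]

def make_sample_jwt(claims):
    """Constructed sample token with a dummy signature part."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummy-signature"

# Constructed token endpoint responses.
WITH_ID_TOKEN = {"access_token": "opaque-abc", "expires_in": 3600,
                 "id_token": make_sample_jwt({"sub": "jdoe", "email": "jdoe@example.edu"})}
JWT_ACCESS_ONLY = {"access_token": make_sample_jwt({"sub": "jdoe"}),
                   "expires_in": 3600, "refresh_token": "r-123"}

if __name__ == "__main__":
    print(resolve_user_info(WITH_ID_TOKEN))
    print(resolve_user_info(JWT_ACCESS_ONLY))
    print(missing_for_extraction(WITH_ID_TOKEN))
```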
LDAP (Login Web Service)
Customer Configuration for LDAP
campusM Configuration for LDAP
- Login screen prompt (required) – the message to be displayed on the login screen
- Authentication server (required) – the connect layer against which to authenticate
- Login service path (required) – the path to the login service
Testing Integration Profiles
- From the Main Menu, select App Settings > App Settings > Integration Profiles. A list of your integration profiles appears.
- Select an integration profile. The following page, for example, appears displaying the integration profile information:
Change Integration Profile
- To test the profile, select Test Profile. The following page appears, displaying the authentication request and the request redirect URL.
Any changes you make must be saved before you can test the profile.
Build Authentication Request
- Select Continue. A new IdP login page appears.
- Enter your username and password and log in.
A test report appears indicating if the test passed successfully or if there were any failures. Click on an element to see more information.
Profile Test Report