Setting up SSO for iThenticate 2.0

Single Sign-On (or SSO) is a method of logging into an application using credentials from another platform. All of these SSO methods require a member of your institution to contact Turnitin to request SSO configuration.

You cannot sign in to the web app using your organization's SSO credentials. Users must configure SSO individually as described in this guide.

Administrator accounts cannot be created via SSO. Users created via SSO will always be designated a 'User' role. They can then be assigned the 'Administrator' role by another administrator user.

Shibboleth

Turnitin provides Single Sign-On (SSO) support through a standardized integration with Shibboleth SSO. This guide explains what you need to know before contacting Turnitin to set up your integration.

Shibboleth SSO for iThenticate 2.0 will not support any modifications to the default setup.

Getting set up

In order to use Turnitin’s Shibboleth SSO integration, you must raise a ticket with Turnitin support and our team will help you through the setup process. Before you contact us, please read the rest of this guide to learn more about what information is required for the setup.

Entity IDs

Turnitin requires a distinct Entity ID for each product you enable Single Sign-On (SSO) for. Do not reuse the same Entity ID across multiple Turnitin products.

Before proceeding with configuration, ensure you have created a separate Entity ID for each product that will use SSO. This will help avoid misconfiguration and support delays.

Required attributes

Before you request Shibboleth SSO, confirm that your Identity Provider (IdP) is sending the required attributes below.

iThenticate can operate without these attributes, but missing attributes may affect reporting and search capabilities, and can lead to additional support requests after implementation.

Required attributes (preferred option first; alternatives also supported):

Given name

  • givenName
  • urn:mace:dir:attribute-def:givenName
  • urn:oid:2.5.4.42
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Surname

  • sn
  • urn:mace:dir:attribute-def:sn
  • urn:oid:2.5.4.4
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Email

  • mail
  • urn:mace:dir:attribute-def:mail
  • urn:oid:0.9.2342.19200300.100.1.3

Federations

If you would like to configure Shibboleth SSO on your account, you must first become a member of a compatible federation.

Below is a list of the federations or projects involving Shibboleth or SAML technology, as provided by the Shibboleth project, that we are partnered with. Each federation typically serves a specific community:

  • AAF Federation (Australia)
  • AAI@EduHr (Croatia)
  • DFN-AAI (Germany)
  • EduGain (via InCommon)
  • Feide Federation
  • GakuNin (Japan)
  • Haka Federation (Finland)
  • IDEM (Italy)
  • InCommon
  • Porto Federation (Portugal)
  • SURFConext Federation (Netherlands)
  • SWAMID (Sweden)
  • SWITCH (Switzerland/Europe)
  • UK federation

To set up Shibboleth we will need your Shibboleth Entity ID. This is typically a URL or URN format string, like `https://my-production-shib.thing.edu` or `urn:mace:incommon:thing.edu`.

Contacting Turnitin

If you are a member of a compatible federation and have your Shibboleth Entity ID, then you can contact Turnitin to request that Shibboleth SSO be set up for your account.

To contact Turnitin, visit our help center to raise a ticket and our team will help you through the setup process.

SSO flow and user provisioning

Once Shibboleth SSO is configured for your iThenticate 2.0 account, iThenticate uses a Service Provider–Initiated login flow:

  • iThenticate provides a login URL that you can share with your users.
  • When a user visits the login URL, their browser is redirected to your Identity Provider (IdP) for authentication.
  • After successful authentication, the user is redirected back to iThenticate with a SAML response.
  • If the user already exists in iThenticate, they are logged in. If not, a new user is created via Just-In-Time (JIT) provisioning.

You can also control access using attributes included in the SAML assertion, for example, blocking login based on specific attribute values passed in the request.

Shibboleth SSO is supported only for customers who are members of a federation that iThenticate is also a member of.

User roles

When signing in to Turnitin using Shibboleth SSO, users will automatically be designated the ‘User’ role.

Additional settings

Optional group members

You can use isMemberOf (urn:oid:1.3.6.1.4.1.5923.1.5.1.1) to control access to the iThenticate account associated with your Identity Provider (IdP). By default, anyone who can authenticate on the IdP can access the iThenticate account.

Using isMemberOf is recommended so that the institution can control access to the iThenticate account for specific groups rather than granting access to all authenticated users. Multiple groups can be configured, and users may belong to more than one group if required.

If you need to create groups used for access control, you can raise a ticket with Turnitin Support. To raise a ticket, visit our help center.

Turnitin supports all value pairs.
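
Before raising the ticket, you can check a captured test assertion from your IdP against the "Required attributes" list and the isMemberOf setting described above. The script below is an added example, not Turnitin's code: the sample assertion, the group names and the function names are constructed for illustration, and accepting the friendly name `isMemberOf` as an attribute Name is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
# Accepted attribute names, preferred option first, as listed in this guide.
REQUIRED = {
    "Given name": ["givenName", "urn:mace:dir:attribute-def:givenName", "urn:oid:2.5.4.42",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],
    "Surname": ["sn", "urn:mace:dir:attribute-def:sn", "urn:oid:2.5.4.4",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],
    "Email": ["mail", "urn:mace:dir:attribute-def:mail", "urn:oid:0.9.2342.19200300.100.1.3"],
}
# Constructed sample: mail is released but empty, a common misconfiguration.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
   <saml:AttributeValue>library-staff</saml:AttributeValue>
   <saml:AttributeValue>students</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def released_attributes(assertion_xml):
    """Map each Attribute Name to its non-empty values.
    Release check only: no signature validation, never use for a login decision."""
    root = ET.fromstring(assertion_xml)  # run only on assertions from your own test IdP
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:  # an attribute with only blank values counts as missing
            found.setdefault(attr.get("Name"), []).extend(values)
    return found

def check_release(assertion_xml, allowed_groups=()):
    """Report which accepted name carries each required attribute (None if absent)
    and which released isMemberOf values fall inside allowed_groups."""
    attrs = released_attributes(assertion_xml)
    report = {label: next((n for n in names if n in attrs), None)
              for label, names in REQUIRED.items()}
    groups = attrs.get(IS_MEMBER_OF, []) + attrs.get("isMemberOf", [])
    report["isMemberOf"] = sorted(set(groups) & set(allowed_groups))
    return report

if __name__ == "__main__":
    print(check_release(SAMPLE, allowed_groups=("library-staff", "research-office")))
```

A `None` entry means that attribute will not reach iThenticate under any accepted name, and an empty `isMemberOf` list means the test user carries none of the groups you plan to allow.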

Optional URL to send users upon logout

If provided, iThenticate will redirect users to this URL upon logout. Typically this would be a URL that logs out the user from your IdP.
