
How It Works

Scope: What we do with your identity provider details to enable single sign-on, and how automatic role assignment behaves.


Connecting your identity provider

  1. We configure the provider. Using the details from What We Need From You, we set up your identity provider inside CampusCore. This takes effect immediately - no redeployment, and no downtime.
  2. We hand your IT team two values to register. CampusCore generates the service-provider details your IdP needs - an SP Entity ID and an ACS (sign-in) URL. Your IT team registers these on their side, along with the released attributes (email, first name, last name).
  3. We test a real sign-in together before rollout.

Once both sides are registered, your "Sign in with [your SSO]" button is live on the login page.


Automatic role assignment

If you provide a groups claim and group mappings, CampusCore assigns access automatically:

  • Each of your IdP groups maps to one or more CampusCore roles. The same role can come from several groups, and one group can grant several roles.
  • You can set a default role for users who sign in but match none of the mappings - most institutions use a basic role here.
  • Roles are recalculated at each sign-in. When you change a mapping, affected users pick it up the next time they log out and back in.

Two safety behaviors worth knowing:

  • If your IdP momentarily sends no groups, CampusCore does not strip a user's roles - this avoids locking people out during a transient identity-provider issue.
  • A role an administrator grants by hand is preserved across sign-ins; automatic syncing only manages the roles it assigned.
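
A sketch of the sync rules above, as an added example rather than CampusCore's own code. The group names, role names, `UserRoles` and `sync_roles` are hypothetical, and it assumes an empty groups claim leaves the user's roles untouched.

```python
from dataclasses import dataclass, field

# Constructed sample mapping: IdP group -> CampusCore roles (all names hypothetical).
GROUP_MAPPINGS = {
    "staff-registrar": {"registrar", "records_viewer"},  # one group, several roles
    "faculty-all": {"instructor"},
    "dept-heads": {"instructor", "approver"},            # same role from several groups
}
DEFAULT_ROLE = "basic"


@dataclass
class UserRoles:
    manual: set = field(default_factory=set)  # granted by hand by an administrator
    synced: set = field(default_factory=set)  # assigned by automatic sync

    def effective(self):
        return self.manual | self.synced


def sync_roles(user, idp_groups, mappings=GROUP_MAPPINGS, default_role=DEFAULT_ROLE):
    """Recalculate synced roles at sign-in; return (added, removed) for audit logging."""
    if not idp_groups:
        # Assumption: a missing or empty groups claim is treated as a transient
        # IdP issue, so nothing is stripped and nothing is added.
        return set(), set()

    desired = set()
    for group in idp_groups:
        desired |= mappings.get(group, set())
    if not desired and default_role:
        # Signed in with groups, but none of them are mapped.
        desired = {default_role}

    added, removed = desired - user.synced, user.synced - desired
    user.synced = desired  # only the synced set is touched; manual grants survive
    return added, removed


if __name__ == "__main__":
    u = UserRoles(manual={"approver"})
    for groups in (["dept-heads", "staff-registrar"], ["faculty-all"], [], ["unmapped"]):
        added, removed = sync_roles(u, groups)
        print(groups, "+", sorted(added), "-", sorted(removed), "=>", sorted(u.effective()))
```

In this sketch an empty groups list looks the same as a user who was removed from every group, so it is worth checking how deprovisioning behaves during the test sign-in.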

After it is set up

Your users sign in with their normal institutional credentials, and the right access is applied every time. When your group structure changes, your CampusCore contact can adjust the mappings with you - no redeployment needed.


You have reached the end of the onboarding path. Questions on any step? Your CampusCore contact is the fastest way to an answer.