SAML 2.0 FAQs

SAML 2.0 (Security Assertion Markup Language) is an open standard for securely exchanging authentication and authorization data between an identity provider (IDP) and a service provider (SP).

How does SAML 2.0 work?

When a user accesses a SAML-enabled service, they are redirected to the IDP for authentication. Once the user is verified, the IDP sends a SAML assertion (the SAML token) to the SP, and the SP then grants access to the service.

What attributes can we use to validate students?

You can use any attribute that matches the data uploaded to the Tassel Hub. This includes student ID or graduate email. If both were uploaded, the system defaults to student ID.

If a graduate was uploaded with a personal email but you attempt to validate using a school email, it will not match.

Can school administrators use SSO?

No, school administrators must log in with their username and password. SSO is only available for graduates accessing the graduate website.

How do I troubleshoot a failed SSO login?

To report an SSO issue, provide the following details:
  1. Exact error message (if any)
  2. Whether the issue affects all users or specific individuals
  3. Expected SSO login behavior for affected users
  4. Username or email of affected user(s)
  5. Does this user have access to the Tassel Hub (hub.tassel.com)?
  6. Test user credentials (if available):
    1. Username:
    2. Password:
  7. Time of the failed attempt (with time zone)
  8. Screenshots of error messages
  9. SAML trace logs (if available)
  10. Correctly formatted attribute details:
    1. Student ID (can have any name on your end)
    2. Email address (can have any name on your end)
    3. nameid-format:unspecified is incorrect and should be avoided.

SAML Binding Methods


What is SAML HTTP-POST binding?

SAML HTTP-POST binding is the most common method for exchanging SAML messages. It uses browser form posts to transmit SAML messages between the identity provider and service provider.

What is SAML HTTP-Redirect binding?

SAML HTTP-Redirect binding is an alternative method that uses URL parameters instead of form posts to transmit SAML messages. This binding is sometimes preferred by certain identity providers. We support this through the SamlRedirectMethod setting in Tassel Hub school configurations.

How do I know if my school uses SAML Redirect binding?

If your school's SSO implementation uses HTTP-Redirect binding, your technical team should specify this during SSO setup. We'll need to set the SamlRedirectMethod column value to HTTP-REDIRECT in your school settings.

Do I need to make any changes to my SAML configuration for HTTP-Redirect binding?

Most configuration aspects remain the same regardless of binding method. However, if you're experiencing issues with SSO and suspect it might be related to the binding method, please contact our support team and specify whether you're using HTTP-POST (traditional) or HTTP-Redirect binding.
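When collecting the SAML trace and attribute details listed under troubleshooting, it helps to decode the captured message yourself. The following is an added example, not Tassel's code: it decodes a `SAMLResponse`/`SAMLRequest` value under either binding and flags the unspecified NameID format. The function names, the `studentId` attribute name and the sample message are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml(value, binding):
    """Decode a captured SAMLRequest/SAMLResponse parameter to XML text."""
    if binding == "HTTP-REDIRECT":
        # Redirect binding: raw DEFLATE, then base64, then URL-encoding.
        return zlib.decompress(base64.b64decode(unquote(value)), -15).decode()
    return base64.b64decode(value).decode()  # POST binding: base64 only

def inspect_message(xml_text):
    """Diagnostic only: no signature check, so never use this to grant access."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML messages must not carry a DTD")
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        # A missing Format attribute means "unspecified" per the SAML core spec.
        fmt = name_id.get("Format", "nameid-format:unspecified")
        if fmt.endswith("nameid-format:unspecified"):
            problems.append("NameID format is unspecified")
    if not attrs:
        problems.append("no attributes released")
    return {"name_id": None if name_id is None else name_id.text,
            "attributes": attrs, "problems": problems}

# Constructed sample response; "studentId" and its value are made up.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    's1234567</saml:NameID></saml:Subject><saml:AttributeStatement>'
    '<saml:Attribute Name="studentId"><saml:AttributeValue>s1234567'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>')

def encode_redirect(xml_text):
    """Build a Redirect-binding parameter value from XML (used for the demo)."""
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(xml_text.encode()) + c.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")

if __name__ == "__main__":
    print(inspect_message(decode_saml(encode_redirect(SAMPLE_XML), "HTTP-REDIRECT")))
```

A value that fails to decode under one binding but decodes under the other is a quick sign that the binding configured on one side does not match what the other side is sending.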

In Tassel Hub settings, when should I add an SSO redirect link, and what should it be?

Most configuration aspects remain the same regardless of binding method. However, if you're experiencing issues with SSO and suspect it might be related to the binding method, please contact our support team and specify whether you're using HTTP-POST (traditional) or HTTP-Redirect binding.


