Overview
Pitt Passport is the University’s trusted Single Sign-On (SSO) service that provides a secure, consistent login experience across University web applications and cloud platforms. When users authenticate via Pitt Passport, they see the same familiar Pitt login page and URL used for services like Outlook, PeopleSoft (Student Information System), and myPitt.
If you manage or support a departmental or third-party application that requires University authentication, it should be integrated with Pitt Passport.
Quick Reference Summary
- ✅ Step 1: Verify your application supports SAML 2.0 (ideally with Shibboleth).
- ✅ Step 2: Gather basic service and contact info (see lists below).
- ✅ Step 3: Submit the Pitt Passport Onboarding Request Form (New Automated Ticket Submission) — it creates your ticket automatically.
- ✅ Step 4: If asked, provide Security Review documents (Vendor / Service Provider forms).
- ✅ Step 5: Configure and test against the Development IdP before moving to Production.
🔗 Pitt Passport Onboarding Form: https://pi.tt/SSOOnboardingForm
Advantages of Using Pitt Passport
- Unified Experience – Users see the same trusted login across University services, reducing confusion and phishing risk.
- Stronger Security – Multi-Factor Authentication (Duo) protects University credentials.
- Federated Access – Leverages the InCommon Federation for streamlined, secure integrations.
How Pitt Passport Works (High-Level)
Pitt Passport (the Identity Provider, IdP) exchanges standard SAML 2.0 attributes with your application (the Service Provider, SP) after successful authentication. Typical core attributes include eduPersonPrincipalName (ePPN) for username and eduPersonScopedAffiliation (EPSA) for affiliation (student, faculty, staff, etc.). Your SP uses these attributes to identify the user and authorize access.
Before You Begin
Determine Your Application’s SSO Capabilities
- Confirm SAML 2.0 support. Pitt Passport supports the SAML 2.0 protocol for secure authentication.
- Check for Shibboleth compatibility. Shibboleth is the SAML implementation used by Pitt Passport.
- Verify InCommon membership. If your vendor is in the InCommon Federation, metadata exchange is streamlined.
- If not in InCommon, confirm which user attributes (e.g., username, email) your application requires to uniquely identify users.
Drupal Integration
Download the SSO Plugin for Drupal from the Software Download Service (via myPitt). The archive includes a licensed plugin and installation instructions for Windows and Linux.
WordPress Integration
Download the SSO Plugin for WordPress from the Software Download Service. The package includes all required components and setup documentation.
Step-by-Step: Submit the Pitt Passport Onboarding Request Form (New Automated Ticket Submission)
This online form automatically generates a ticket and routes it to Pitt IT’s Identity & Access Management (IAM) team. Use this form instead of emailing the Help Desk directly.
🔗 Pitt Passport Onboarding Form: https://pi.tt/SSOOnboardingForm
- Open the form and complete all required fields.
- Provide detailed service information, including:
- Display Name
- Service Description (brief purpose)
- Information URL (vendor/product info page)
- Account Type Entitlements (student, faculty, staff, alumni, applicant, sponsored)
- Primary & Secondary Contacts (name, department/company, email, phone, role type: admin, technical, vendor, other)
- Submit the form. You’ll receive a confirmation email with your case number.
Security Review Documents (If Requested)
During security and compliance review, Pitt IT may request the following documents. If requested, attach them to your existing onboarding ticket (do not open a new ticket):
Requested Attributes (Released by Default)
Default Attribute Release (no additional approval required)
The following attributes are available for release by default to Service Providers integrating with Pitt Passport:
- surName (last name)
- givenName (first name)
- displayName (preferred display name)
- email
- commonName (cn)
- eduPersonPrincipalName (ePPN; username@pitt.edu)
- eduPersonScopedAffiliation (EPSA; affiliation with scope)
- eduPersonTargetedID (persistent, pairwise ID)
- PittAccountType
- PittL
- PittPSStudentRC
- PittSponsorRC
- eduPersonEntitlement
- eduPersonAffiliation
- eduPersonNickname
- PittDepartmentID
- PittDeptDescription
- PittEmployeeRC
Policy Notes:
- eduPersonAffiliation values are released only from the controlled vocabulary (faculty, student, staff, alum, member, affiliate, employee, library-walk-in).
- Additional or sensitive attributes may require separate approval by Pitt IT or the Information Security Office.
- Request only the minimum attributes necessary for your SP to function (principle of least privilege).
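The attribute checks a Service Provider can apply once its SAML library has verified the assertion, covering the ePPN and EPSA attributes described under "How Pitt Passport Works" and the policy notes above. This is an added example, not code supplied by Pitt IT. The attribute dictionary shape, the function names and the REQUESTED set are assumptions, and applying the affiliation vocabulary to the left-hand part of EPSA follows the eduPerson schema.

```python
# Added example: SP-side validation of released attributes. Assumes the SAML
# library already verified the assertion and returns {name: [values]}.

# Controlled vocabulary listed in the policy notes.
AFFILIATION_VOCAB = {"faculty", "student", "staff", "alum", "member",
                     "affiliate", "employee", "library-walk-in"}
EXPECTED_SCOPE = "pitt.edu"  # scope shown for ePPN on this page
# Hypothetical: the attributes this SP asked for at onboarding.
REQUESTED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


class AttributeCheckError(ValueError):
    """Raised when a released attribute fails validation."""


def split_scoped(value):
    """Return the local part of 'local@scope', requiring the expected scope."""
    local, sep, scope = value.partition("@")
    if not sep or not local or "@" in scope or scope.lower() != EXPECTED_SCOPE:
        raise AttributeCheckError(f"bad scope or format: {value!r}")
    return local


def check_login(attrs, allowed_affiliations):
    """Return (username, affiliations, unrequested attribute names) or raise."""
    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1:
        raise AttributeCheckError("expected exactly one ePPN value")
    username = split_scoped(eppn[0])

    affiliations = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation = split_scoped(value).lower()
        if affiliation not in AFFILIATION_VOCAB:
            raise AttributeCheckError(f"affiliation outside vocabulary: {value!r}")
        affiliations.add(affiliation)

    if not affiliations & set(allowed_affiliations):
        raise AttributeCheckError("no permitted affiliation")
    # Least privilege: surface anything received that this SP never requested.
    return username, affiliations, sorted(set(attrs) - REQUESTED)


# Constructed sample attribute sets (not real users).
SAMPLE_OK = {"eduPersonPrincipalName": ["abc123@pitt.edu"],
             "eduPersonScopedAffiliation": ["staff@pitt.edu", "member@pitt.edu"],
             "email": ["abc123@pitt.edu"]}
SAMPLE_BAD_SCOPE = {"eduPersonPrincipalName": ["abc123@pitt.edu.example.org"],
                    "eduPersonScopedAffiliation": ["staff@pitt.edu"]}
```

A non-empty third return value means the SP is receiving more than it requested, which is worth raising on the onboarding ticket.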
Required Metadata Files
Identity Provider (IdP) Metadata & Certificates
Use the following when registering your Service Provider and exchanging metadata:
Production Environment
Development Environment
After You Submit
- Your onboarding ticket routes directly to the Identity & Access Management (IAM) team.
- A Pitt Digital representative will confirm metadata needs, attribute release, and test plans.
- Configuration and verification occur first in the Development IdP; production cutover follows successful testing and approval.
Frequently Asked Questions (FAQ)
Who should complete the Onboarding Form?
The department’s IT administrator, application owner, or vendor responsible for SSO integration should complete the form.
Can I test my integration before production?
Yes. All integrations must pass testing in the Development Environment before promotion to Production.
What if my vendor doesn’t support SAML 2.0?
The application cannot use Pitt Passport without SAML 2.0 support. Contact the vendor to determine secure alternatives.