VoiceThread Docs / System Integration / External Authentication / Shibboleth / ADFS

Overview

VoiceThread supports integration with SAML2 service providers to allow single-sign-on access. We are inCommon members but can also support non-inCommon integrations. This page is VoiceThread’s inCommon Participant Operational Practices (POP) and covers the service provider registered as: https://voicethread.com/auth/saml2/sp/

Integration is included in the K-12 District and Higher Education Site licenses, and it can be purchased as an upgrade for other license types. Contact us with any questions or to discuss upgrading.


How to use

Users will navigate to your custom domain (provided by VoiceThread) and sign into your IdP using their institutional username and password. No additional registration or username is required.


Technical details and setup

The SAML2 integration workflow is:

  1. End user enters credentials.
  2. VoiceThread’s Service Provider (SP) determines if the user is authorized to access VoiceThread based on the information passed from your IdP.
  3. The appropriate SAML attributes are released to VoiceThread.
  4. The user is granted access to his or her VoiceThread account.

The VoiceThread Integration Team will work with you to obtain the information we need and build the connection. Your system must be able to send SAML2 attributes. The only hard requirement is a unique identifier, but we do recommend including all of the following attributes for the best user experience:

  • Unique identifier (such as eppn or samlnameid)
  • Email address
  • First name
  • Last name
  • Role (student, teacher, faculty, staff, etc.)

If your institution is not a member of inCommon, we will also require information about your IdP, a valid security certificate to establish a secure link between the SP and the IdP, and attribute mapping information if you use a non-standard system.

Usage of Attributes

We do not use attributes beyond basic access control and grouping decisions. We do not share attribute data with any partner or with other organizations at all.

Personally Identifiable Information

We store personally identifiable information (first name, last name, and email address) as necessary for normal operation of VoiceThread and for meeting any customized needs of your institution. We may also store additional attributes for reporting purposes, but only at the institution’s written request. This information is stored in a database with strong access control and encryption. Only a limited subset of VoiceThread staff have direct data access. All data is sanitized before insertion into the database, so even Little Bobby Tables can use VoiceThread.

Responsible Information Disclosure

If personally identifiable information is compromised, we will notify the primary VoiceThread organizational contact via email as soon as we have confirmed it.