Single Sign-On

Starmind supports all major single sign-on protocols such as SAML 2.0, OAuth or a token-based procedure that can be accessed through the REST API. This site focuses on the implementation with SAML2.0 and Active Directory Federation Services.

SP-Initiated SSO

Starmind only provides a service provider initiated SSO. This means that a request is first send to the Starmind server, which redirects the user to the Identity provider. For more details please have a look at the SSO workflow introduction. Identity Provider (IP) initiated SSO is not supported.


Starmind relies on Shibboleth for server-side implementation of the service provider. “Shibboleth is a 'single-sign on', or logging-in system for computer networks and the Internet. It allows people to sign in, using just one 'identity', to various systems run by 'federations' of different organizations or institutions.

The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML). Federated identity allows the sharing of information about users from one security domain to the other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.”


Shibboleth is currently designed around the SAML 2.0 specification standardized by OASIS. Shibboleth also supports "profiles" of this specification for use with other identity protocols, including SAML 1.x and WS- Federation. The SAML 1.x profile has also been standardized by OASIS.