Turnitin Shibboleth Integration

Turnitin provides SAML based Single Sign-On (SSO) support through a custom authentication integration with Shibboleth facilitating 'Service Provider Initiated' login. Following setup, Turnitin will provide a SSO login URL, (WAYF-less URL) which directs the user to the Turnitin Service they want to access. The following guide is intended for technical administrators of your IdP.

Getting started

In order to use Turnitin’s Shibboleth integration, you must first contact Turnitin support and request the configuration of Shibboleth for your account.

To help Turnitin configure Shibboleth for your account we will need certain information about your institution. The required information depends on whether your institution is a member of a supported Shibboleth federation.

The supported Shibboleth federations are:

• AAF Federation (Australia)
• AAI@EduHr (Croatia)
• DFN-AAI (Germany)
• EduGain (via InCommon)
• Feide Federation
• GakuNin (Japan)
• Haka Federation (Finland)
• IDEM (Italy)
• InCommon
• Porto Federation (Portugal)
• SURFConext Federation (Netherlands)
• SWAMID (Sweden)
• SWITCH (Switzerland/Europe)
• UK federation

If you are a member of one of the supported Shibboleth federations, our support team will ask for the following information to enable your Shibboleth integration on Turnitin’s side:

• The entity id (entityID) of your Shibboleth Identity Provider. If you have more than one IdP, please provide information for all you plan to use with Turnitin.
  • This is typically a URL or URN format string, like `https://my-production-shib.thing.edu` or `urn:mace:incommon:thing.edu`.

• A decision on whether you would like to use instructor entitlements

  • Choosing to use instructor entitlements will allow you to grant and revoke instructor access to users through Shibboleth. More information about entitlements can be found below.

If you are not a member of a supported Shibboleth federation then please provide the following details:

• Your IDP metadata URL.
  • This is a URL that links to an XML document that contains required information for authenticating with an Identity Provider.
• Confirmation that your IDP is sending the following required attributes:
  ( Sub bullet points identify alternate attribute names our service will recognise with the preferred option first.)
  • Given Name
    • givenName
    • urn:mace:dir:attribute-def:givenName
    • urn:oid:2.5.4.42
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Surname
    • sn
    • urn:mace:dir:attribute-def:sn
    • urn:oid:2.5.4.4
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Email
    • mail
    • urn:mace:dir:attribute-def:mail
    • urn:oid:0.9.2342.19200300.100.1.3
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • EduPersonPrincipalName, (optional instead of email address).
    • eppn
    • eduPersonPrincipalName
    • urn:mace:dir:attribute-def:eduPersonPrincipalName
    • urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Contacting Turnitin

If you want to enable a Shibboleth/SAML integration then you can contact Turnitin to request set up for your account.

To contact Turnitin, visit our support center to raise a ticket and our team will help you through the setup process.

WAYF-less linking to Turnitin

A WAYF-less link is a direct link to your IdP portal that, on successful authentication, redirects the user back to Turnitin. If you wish to obtain a WAYF-less link, please contact you Customer Success Representative. This style of linking to Turnitin's service may be preferable where students access services through a standard portal your institution sets up. You can embed the link anywhere you want users to launch into Turnitin.

Attributes

The following attributes are required when adding a student through the Turnitin Shibboleth integration:

• mail: This is an email address which will be used as the user's username.

• eduPersonTargetedID (eptid) OR eduPersonPrincipalName (eppn): Either of these attributes can be used to identify users.

  • Turnitin prefers to use "eptid" so if both attributes are provided to us, "eptid" will be used.

  If the eppn attribute is used, it should not be recycled for use by other users as this will provide complete access to the previous user's submissions and grades.

• givenName AND sn: These fields will be used as the user's given name and surname. If these fields are not provided, the user will be prompted to enter them as a part of their account creation.

  • Optional: Your institution's Turnitin Account ID: If the Account ID attribute is omitted, Turnitin uses the Account ID of the account that matches the IdP responsible for initiating the request.

If we do not recognize the IdP entityID, or there is possibly more than one account using a given IdP, Turnitin would be unable to accurately determine the account the incoming user belongs to.

The attributes that are required when adding a student through the Turnitin Shibboleth integration are also required for an instructor, with the addition of:

• eduPersonEntitlement: This must be set to "http://shibboleth.turnitin.com/instructorEntitlement" in order to create the user as a new instructor.

  • If the entitlement is not passed to Turnitin, all new users will be put through the student user creation flow.

  • Your Turnitin Shibboleth integration must be set to use instructor entitlements to create new instructors through Shibboleth.

  • If instructor entitlements are enabled, this attribute must be passed every time the instructor authentication ticket is sent to Turnitin or the user will lose instructor access to your institution’s account.

Instructor entitlements

Instructor entitlements provide a way to manage which users have instructor access to your Turnitin account through Shibboleth.

If the instructor entitlements feature has been enabled, the eduPersonEntitlement must be sent with a particular value each time an instructor is passed through Shibboleth to Turnitin. The 'eduPersonEntitlement' value must be set to the precise string of: http://shibboleth.turnitin.com/instructorEntitlement.

If your account is configured to enforce the 'eduPersonEntitlement` AND the attribute is not passed, the user’s instructor privileges will be revoked.

User creation

New students

Shibboleth will create a Turnitin student profile for new students that have never previously used Turnitin. In order for a student to join an institutional Turnitin account, they are required to enroll in a class. Any new students that are not yet enrolled in a class will be prompted to enter a class ID and enrollment key, provided by their instructor, when redirected to Turnitin from Shibboleth. Without a class ID and enrollment key, the student will be unable to use Turnitin.

New instructors

In order to create new instructor users through Shibboleth, your Turnitin Shibboleth integration must have instructor entitlements enabled. If your Shibboleth integration is not set to use instructor entitlements, instructors must be added to the account directly within the Turnitin administrator user interface.

Existing instructors and students

Instructors and students that have used Turnitin directly through the Turnitin website, another Shibboleth integration instance or through an integration with an LMS in the past are existing users. Existing instructor and student accounts must be mapped to the appropriate user within Shibboleth, which occurs when users log into Turnitin using Shibboleth. Provided that the `mail` attribute and the Turnitin username (email address) are identical, the external user identity (in the IdP) and the local service provider identity (within Turnitin) will be mapped.

Logging in

New users

Once the users' attributes are sent, they will be able to log into Turnitin through Shibboleth by doing the following:

1. Go to the Turnitin URL for the Shibboleth federation the user's institution is a member of (see the list of Shibboleth Federation URLs for Turnitin below).

2. Select the user's institution from the institution list.

3. Click "Next"

4. Sign in to the institution's IdP login portal (successful login should pass the user into Turnitin).

5. Review and agree to the Turnitin End User License Agreement.

6. Review and submit the user profile information (if `givenName` and `sn` were not passed, the user will be prompted to fill out those fields in order to complete their profile).

   Students will now be asked to enroll into a class using a class ID and enrollment key. Without a class ID and enrollment key, the student will be unable to use Turnitin.

7. The user creation is complete and they can begin using Turnitin

Existing users

Once the users' attributes are sent, they will be able to set their account mapping and log into Turnitin through Shibboleth by doing the following:

1. Go to the Turnitin URL for the Shibboleth federation the user's institution is a member of (see the list of Shibboleth Federation URLs for Turnitin below)

2. Select the user's institution from the list provided

3. Click "Next"

4. Sign in to the institution's IdP (successful login should pass the user into Turnitin)

5. The user creation is complete and they can begin using Turnitin

After the instructor or student is added to the account, Turnitin has recorded the mapping to the IdP and any subsequent use of Turnitin automatically authorizes the user. Existing instructors can be added to accounts whether they have instructor entitlements enabled or not. Accounts that are set to have their Turnitin Shibboleth integration set to use instructor entitlements must send the instructor entitlement every time the user logs in through Shibboleth.