Setting up SSO for Turnitin Feedback Studio and Originality Check

Enabling Clever SSO for Turnitin

To enable Clever single sign-on (SSO) for your Turnitin account, the District Admin of your Clever account must first configure Turnitin in your Clever dashboard.

1. As the Clever District Admin, access your Districts’ Clever portal.
2. Search for the Turnitin application in the portal search.
3. Select Request App to request access to the Turnitin application.

This will send Turnitin your request. You will be notified when it has been processed.

Once the request has been accepted by Turnitin, and further settings have been configured within Clever by the District Admin, users will be able to log in to Turnitin from within the Clever portal and from Turnitin’s login page.

For more information on enabling applications within Clever, please read the Clever documentation.

Enabling MPASS SSO for Turnitin

Turnitin provides Single Sign-On (SSO) support through a custom authentication integration with MPASS.

Getting set up

If you would like to set up MPASS SSO for your account, you must contact Turnitin.

To contact Turnitin, visit our help center to raise a ticket and our team will help you through the setup process.

Once configured, it is up to your institution to set up a method of logging in. The MPASS guidance (Finnish) will assist you in this task.

Enabling ClassLink SSO for Turnitin

Turnitin provides Single Sign-On (SSO) support through a custom authentication integration with ClassLink.

Getting set up

In order to use Turnitin’s ClassLink SSO integration, visit our help center to raise a ticket and our team will help you through the setup process.

Logging in using ClassLink SSO

Once your account has been configured for ClassLink SSO, your ClassLink administrator must configure the Turnitin application from within ClassLink. To learn more about how to do this, please refer to the ClassLink support documentation.

Once Single Sign-On has been successfully configured for both your Turnitin and ClassLink accounts, log in by selecting the Turnitin Login button in the launchpad area of your ClassLink account.

This will take you through to your Turnitin account.

Enabling Shibboleth for Turnitin

Turnitin provides SAML based Single Sign-On (SSO) support through a custom authentication integration with Shibboleth facilitating 'Service Provider Initiated' login. Following setup, Turnitin will provide a SSO login URL, (WAYF-less URL) which directs the user to the Turnitin Service they want to access. The following guide is intended for technical administrators of your IdP.

Getting started

In order to use Turnitin’s Shibboleth integration, you must first contact Turnitin support and request the configuration of Shibboleth for your account.

To help Turnitin configure Shibboleth for your account we will need certain information about your institution. The required information depends on whether your institution is a member of a supported Shibboleth federation.

The supported Shibboleth federations are:

• AAF Federation (Australia)
• AAI@EduHr (Croatia)
• DFN-AAI (Germany)
• EduGain (via InCommon)
• Feide Federation
• GakuNin (Japan)
• Haka Federation (Finland)
• IDEM (Italy)
• InCommon
• Porto Federation (Portugal)
• SURFConext Federation (Netherlands)
• SWAMID (Sweden)
• SWITCH (Switzerland/Europe)
• UK federation

If you are a member of one of the supported Shibboleth federations, our support team will ask for the following information to enable your Shibboleth integration on Turnitin’s side:

• The entity id (entityID) of your Shibboleth Identity Provider. If you have more than one IdP, please provide information for all you plan to use with Turnitin.
  • This is typically a URL or URN format string, like `https://my-production-shib.thing.edu` or `urn:mace:incommon:thing.edu`.

• A decision on whether you would like to use instructor entitlements

  • Choosing to use instructor entitlements will allow you to grant and revoke instructor access to users through Shibboleth. More information about entitlements can be found below.

If you are not a member of a supported Shibboleth federation then please provide the following details:

• Your IDP metadata URL.
  • This is a URL that links to an XML document that contains required information for authenticating with an Identity Provider.
• Confirmation that your IDP is sending the following required attributes:
  ( Sub bullet points identify alternate attribute names our service will recognise with the preferred option first.)
  • Given Name
    • givenName
    • urn:mace:dir:attribute-def:givenName
    • urn:oid:2.5.4.42
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Surname
    • sn
    • urn:mace:dir:attribute-def:sn
    • urn:oid:2.5.4.4
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Email
    • mail
    • urn:mace:dir:attribute-def:mail
    • urn:oid:0.9.2342.19200300.100.1.3
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • EduPersonPrincipalName, (optional instead of email address).
    • eppn
    • eduPersonPrincipalName
    • urn:mace:dir:attribute-def:eduPersonPrincipalName
    • urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Contacting Turnitin

If you want to enable a Shibboleth/SAML integration then you can contact Turnitin to request set up for your account.

To contact Turnitin, visit our help center to raise a ticket and our team will help you through the setup process.

WAYF-less linking to Turnitin

A WAYF-less link is a direct link to your IdP portal that, on successful authentication, redirects the user back to Turnitin. If you wish to obtain a WAYF-less link, please contact you Customer Success Representative. This style of linking to Turnitin's service may be preferable where students access services through a standard portal your institution sets up. You can embed the link anywhere you want users to launch into Turnitin.

Attributes

The following attributes are required when adding a student through the Turnitin Shibboleth integration:

• mail: This is an email address which will be used as the user's username.

• eduPersonTargetedID (eptid) OR eduPersonPrincipalName (eppn): Either of these attributes can be used to identify users.

  • Turnitin prefers to use "eptid" so if both attributes are provided to us, "eptid" will be used.

  If the eppn attribute is used, it should not be recycled for use by other users as this will provide complete access to the previous user's submissions and grades.

• givenName AND sn: These fields will be used as the user's given name and surname. If these fields are not provided, the user will be prompted to enter them as a part of their account creation.

  • Optional: Your institution's Turnitin Account ID: If the Account ID attribute is omitted, Turnitin uses the Account ID of the account that matches the IdP responsible for initiating the request.

The attributes that are required when adding a student through the Turnitin Shibboleth integration are also required for an instructor, with the addition of:

• eduPersonEntitlement: This must be set to "http://shibboleth.turnitin.com/instructorEntitlement" in order to create the user as a new instructor.

  • If the entitlement is not passed to Turnitin, all new users will be put through the student user creation flow.

  • Your Turnitin Shibboleth integration must be set to use instructor entitlements to create new instructors through Shibboleth.

  • If instructor entitlements are enabled, this attribute must be passed every time the instructor authentication ticket is sent to Turnitin or the user will lose instructor access to your institution’s account.

Instructor entitlements 

Instructor entitlements provide a way to manage which users have instructor access to your Turnitin account through Shibboleth.

If the instructor entitlements feature has been enabled, the eduPersonEntitlement must be sent with a particular value each time an instructor is passed through Shibboleth to Turnitin. The 'eduPersonEntitlement' value must be set to the precise string of: http://shibboleth.turnitin.com/instructorEntitlement.

If your account is configured to enforce the 'eduPersonEntitlement` AND the attribute is not passed, the user’s instructor privileges will be revoked.

User creation

New students

Shibboleth will create a Turnitin student profile for new students that have never previously used Turnitin. In order for a student to join an institutional Turnitin account, they are required to enroll in a class. Any new students that are not yet enrolled in a class will be prompted to enter a class ID and enrollment key, provided by their instructor, when redirected to Turnitin from Shibboleth. Without a class ID and enrollment key, the student will be unable to use Turnitin.

New instructors

In order to create new instructor users through Shibboleth, your Turnitin Shibboleth integration must have instructor entitlements enabled. If your Shibboleth integration is not set to use instructor entitlements, instructors must be added to the account directly within the Turnitin administrator user interface.

Existing instructors and students

Instructors and students that have used Turnitin directly through the Turnitin website, another Shibboleth integration instance or through an integration with an LMS in the past are existing users. Existing instructor and student accounts must be mapped to the appropriate user within Shibboleth, which occurs when users log into Turnitin using Shibboleth. Provided that the `mail` attribute and the Turnitin username (email address) are identical, the external user identity (in the IdP) and the local service provider identity (within Turnitin) will be mapped.

Logging in

New users

Once the users' attributes are sent, they will be able to log into Turnitin through Shibboleth by doing the following:

1. Go to the Turnitin URL for the Shibboleth federation the user's institution is a member of (see the list of Shibboleth Federation URLs for Turnitin below).

2. Select the user's institution from the institution list.

3. Click "Next"

4. Sign in to the institution's IdP login portal (successful login should pass the user into Turnitin).

5. Review and agree to the Turnitin End User License Agreement.

6. Review and submit the user profile information (if `givenName` and `sn` were not passed, the user will be prompted to fill out those fields in order to complete their profile).

   Students will now be asked to enroll into a class using a class ID and enrollment key. Without a class ID and enrollment key, the student will be unable to use Turnitin.

7. The user creation is complete and they can begin using Turnitin

Existing users

Once the users' attributes are sent, they will be able to set their account mapping and log into Turnitin through Shibboleth by doing the following:

1. Go to the Turnitin URL for the Shibboleth federation the user's institution is a member of (see the list of Shibboleth Federation URLs for Turnitin below)

2. Select the user's institution from the list provided

3. Click "Next"

4. Sign in to the institution's IdP (successful login should pass the user into Turnitin)

5. The user creation is complete and they can begin using Turnitin