Single Sign-On (SSO)

Service Provider outside ZID

For security reasons (e.g. due to phishing), IT Services is continuously expanding the use of single sign-on (log on once and be identified in every connected system) or single sign-in (log on to the same, known page for every system) for the central web-based systems; users should enter their password in only one place and be very cautious if they are asked to enter it on other pages.
Although we are aware of the risks (for example, there is no uniform solution for a "single log-out", and the individual systems can have valid sessions of different lengths, i.e. in one system you might stay logged in for 8 hours and in another only 2), we have decided on this variant. In the final stage of development, this should be the only solution for central services, as far as technically possible; it is also used for federated services (e.g. ordering email certificates, participating in the ubook offer or logging in to eduGAIN services).

Our central services keep sessions open for 9 hours; only after that is a new login forced. Other systems can, as mentioned above, set other times or force a new login altogether (i.e. single sign-in); we cannot influence that centrally.

SSO is implemented with Shibboleth (an extension of the SAML standard) and with OpenID Connect (an extension of OAuth2). In both cases the "mobile phone signature" was integrated, so each connected system can also automatically implement 2-factor authentication, which significantly increases security, e.g. when logging in from foreign or insecure computers.
However, since being logged in in one tab lets you enter all SSO applications in other tabs without logging in again, it is strongly recommended to take one of the following measures when leaving the computer without shutting it down:

  • Activate screen lock (with secure password).
  • Log off.
    If you are not sure if the logout is only local: call (see below).
  • Close browser.


All web applications are called directly as before, regardless of whether they are integrated into the SSO system or not. The SSO page itself never has to be called directly: the participating web applications redirect to the SSO page if required, and the SSO page, after checking the authentication, redirects back to the desired web application.
In other words: there is no central login page where you log in, e.g., in the morning. Only if authentication is really necessary will you be redirected to one of our SSO pages ( / - the two systems are currently completely independent, i.e. a logout in one system does not cause a logout in the other system, even only works on systems where you have logged in via!), and after logging in (or immediately, if you are already logged in) you are redirected back to the calling system. Depending on the system, you will be asked whether you agree that the requesting site may receive the requested information.
You can withdraw this consent later.

The application then checks whether you are authorized to use the application.
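
An added example, not part of the original page and not TU Graz's own code: how an application connected via OpenID Connect can build the redirect described above and enforce its own session length or a forced new login. The endpoint, client ID and redirect URI are placeholder assumptions; `max_age`, `prompt=login` and `auth_time` are standard OpenID Connect parameters.

```python
import secrets
import time
from urllib.parse import urlencode

# Assumed placeholder values; the page does not give endpoints or client IDs.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-app"
REDIRECT_URI = "https://app.example/callback"


def build_auth_redirect(max_age_s=None, force_login=False):
    """Build the redirect an application sends an unauthenticated user to.

    max_age_s: accept an existing SSO session only if the user authenticated
               within this many seconds (OIDC `max_age`).
    force_login: always show the login page (OIDC `prompt=login`), i.e. the
               "single sign-in" behaviour.
    """
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,   # binds the response to this browser session
        "nonce": nonce,   # binds the ID token to this request
    }
    if max_age_s is not None:
        params["max_age"] = str(max_age_s)
    if force_login:
        params["prompt"] = "login"
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def login_is_fresh(id_token_claims, max_age_s, now=None, leeway_s=60):
    """Check the `auth_time` claim of an already signature-verified ID token.

    The identity provider may ignore max_age, so the application must
    re-check it; a missing auth_time is treated as stale.
    """
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    if auth_time > now + leeway_s:      # login time in the future: reject
        return False
    return now - auth_time <= max_age_s + leeway_s
```

The application stores `state` and `nonce` in the user's local session and compares them when the browser returns; `login_is_fresh` is only meaningful after the ID token's signature, issuer and audience have been validated.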

For SSO (if you do not use the mobile phone signature) always use the TU Graz password, not the network access password!

Central systems (still) without SSO

  • - the login page for Office 365 ProPlus
  • - online catalogue of the library
  • - the Git system (version control) of TU Graz
  • - VPN solution for institutes of TU Graz
  • - the RDS system (terminal service) of TU Graz
  • - open-source mathematics software
  • - the Subversion system of TU Graz

If you know of a web-based system that is not secured by SSO and is not in this list, but that asks you for the TU Graz password: please do not enter your access data; it could be a phishing site.
Please report such systems to us: Even if they are not phishing sites, question why they do not switch to SSO or why the site is not listed here!

Logout - Single log-out (SLO)

Service Provider outside of ZID