Shibboleth, Urbana-specific configuration
For IT Pros This page provides additional information on how to configure your Shibboleth installation in order to restrict access to members of the Urbana campus only.
The desired situation
You want to use Shibboleth to restrict access to members of the Urbana campus, and not allow access by members of other campuses or other universities.
At this point, you should have completed steps 1 through 5 in Shibboleth, Setting up a Service Provider .
This page explains step 6 (configuration) in more detail.
(If you haven't completed steps 6a.1 and 6a.2 yet:)
Open your localized shibboleth2.xml in a text editor and make the following changes.
In the line:
<ApplicationDefaults entityID="https://host.name.illinois.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
- Replace https://host.name.illinois.edu/shibboleth with the entity ID you chose previously.
In the line:
<Errors supportContact="email@example.com" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
- Replace firstname.lastname@example.org with the appropriate support email address for services on this server.
- Replace /about.html with the path to your help pages.
- Replace /shibboleth-sp/main.css with the path to the CSS file used for your Shibboleth error templates, if any.
Access restrictions and sessionError.html
This copy of shibboleth2.xml is configured to restrict access to members of the Urbana campus only, meaning that if someone tries to log in through a different IDP, the sessionError.html template will be returned to that person. You may want to customize that file to suit your site's look and feel.
Place the localized attribute-map.xml in the same directory as shibboleth2.xml.
(By default, this file contains attribute definitions for all of the attributes supported by the UIUC identity provider, but they’re all commented out.)
Download the iTrust certificate
Download https://discovery.itrust.illinois.edu/itrust-certs/itrust.pem and place it in the same directory as shibboleth2.xml.
eduPerson* is more broadly supported than iTrust*
If you want your application to have the potential to federate with other inCommon SPs, you're likely to want to use eduPerson attributes. (iTrustAffiliation offers more fine-grained values, but eduPersonAffiliation is more widely supported by other IDPs.)
The use of eduPersonPrincipalName is highly recommended for federated applications, while uid is not recommended. That's because two different people can have the same NetID or uid at two different institutions, but when you scope it (email@example.com) to the end of it, the identifier becomes unique.
Uncommenting some of the following attributes can provide information about which unit a person belongs to.
For the Urbana campus, the organizationalUnit represents the staff/faculty home department or the student's primary department.
Limiting something to employees of a department on campus should usually be done by looking for an iTrustAffiliation value of staff and the department's name in organizationalUnit.
Beneath the organizationalUnit comment line, uncomment this attribute:
<Attribute name="urn:oid:18.104.22.168" id="ou"/>
Also uncomment either eduPersonAffiliation (more broadly supported) or iTrustAffiliation (more fine-grained).
<Attribute name="urn:oid:22.214.171.124.4.1.59126.96.36.199.1" id="unscoped-affiliation"> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> </Attribute>
- For faculty, staff, and employees, the iTrust Affiliation value will be "employee".
- For students, the iTrustAffiliation value will be "student"
<Attribute name="urn:oid:188.8.131.52.4.1.11483.101.1" id="iTrustAffiliation"/>
- For faculty, staff, and employees, the iTrust Affiliation value will be "staff".
- For students, the iTrustAffiliation value will be "student".
Next, continue from step 7 (restart and registration) in Shibboleth, Setting up a Service Provider .