For IT Pros
This page provides additional information on how to configure your Shibboleth installation in order to restrict access to members of the Urbana campus only.
You want to use Shibboleth to restrict access to members of the Urbana campus, and not allow access by members of other campuses or other universities.
At this point, you should have completed steps 1 through 5 in Shibboleth, Setting up a Service Provider.
This page explains step 6 (configuration) in more detail.
(If you haven't completed steps 6a.1 and 6a.2 yet:)
Open your localized shibboleth2.xml in a text editor and make the following changes.
In the line:
<ApplicationDefaults entityID="https://host.name.illinois.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
In the line:
<Errors supportContact="someone@somewhere.com" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
This copy of shibboleth2.xml is configured to restrict access to members of the Urbana campus only, meaning that if someone tries to log in through a different IDP, the sessionError.html template will be returned to that person. You may want to customize that file to suit your site's look and feel.
Place the localized attribute-map.xml in the same directory as shibboleth2.xml.
(By default, this file contains attribute definitions for all of the attributes supported by the UIUC identity provider, but they’re all commented out.)
Download https://md.itrust.illinois.edu/itrust-certs/itrust.pem and place it in the same directory as shibboleth2.xml.
If you want your application to have the potential to federate with other InCommon SPs, you're likely to want to use eduPerson attributes. (iTrustAffiliation offers more fine-grained values, but eduPersonAffiliation is more widely supported by other IDPs.)
The use of eduPersonPrincipalName is highly recommended for federated applications, while uid is not recommended. That's because two different people can have the same NetID or uid at two different institutions, but once the identifier is scoped (by appending @campus.edu to the end of it), it becomes unique.
Uncommenting some of the following attributes can provide information about which unit a person belongs to.
For the Urbana campus, the organizationalUnit represents the staff/faculty home department or the student's primary department.
Limiting something to employees of a department on campus should usually be done by looking for an iTrustAffiliation value of staff and the department's name in organizationalUnit.
Beneath the organizationalUnit comment line, uncomment this attribute:
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
Also uncomment either eduPersonAffiliation (more broadly supported) or iTrustAffiliation (more fine-grained).
eduPersonAffiliation information:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
iTrustAffiliation information:
<Attribute name="urn:oid:1.3.6.1.4.1.11483.101.1" id="iTrustAffiliation"/>
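The department-staff rule above (iTrustAffiliation of staff plus the department name in organizationalUnit) and the campus-only restriction are easiest to see as an application-side check. The following is an added example, not code from this page or from the Shibboleth project; it assumes the SP exports the mapped attributes to the request environment under their attribute-map ids (eppn, iTrustAffiliation, ou), that multi-valued attributes arrive joined with ";" (the SP's default separator, with a literal ";" escaped as "\;"), and that Urbana campus eppn values are scoped "@illinois.edu".

```python
CAMPUS_SCOPE = "illinois.edu"   # assumed eppn scope of the Urbana campus IdP

def attribute_values(environ, attr_id):
    # Split one SP-exported attribute; the SP joins values with ';' and escapes a literal ';' as '\;'.
    raw = environ.get(attr_id, "")
    values, current, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and raw[i + 1:i + 2] == ";":
            current.append(";")          # escaped separator inside a value
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(raw[i])
        i += 1
    if current:
        values.append("".join(current))
    return [v for v in values if v]

def is_campus_member(environ):
    # eppn scoped to the campus IdP: a second line of defence behind the IdP restriction in shibboleth2.xml.
    user, at, scope = environ.get("eppn", "").rpartition("@")
    return at == "@" and bool(user) and scope.lower() == CAMPUS_SCOPE

def is_department_staff(environ, department):
    # 'staff' is compared case-insensitively (like the caseSensitive="false" decoder); ou is matched exactly.
    affiliations = {v.lower() for v in attribute_values(environ, "iTrustAffiliation")}
    return "staff" in affiliations and department in attribute_values(environ, "ou")

def access_decision(environ, department):
    """Return 'allow', or a deny reason the application can log."""
    if not environ.get("eppn"):
        return "deny: no Shibboleth session"
    if not is_campus_member(environ):
        return "deny: not an Urbana campus identity"
    if not is_department_staff(environ, department):
        return "deny: not staff of " + department
    return "allow"

# Constructed sample environments in the shape the SP populates (not real users).
SAMPLES = {
    "staff": {"eppn": "jdoe@illinois.edu", "iTrustAffiliation": "staff;member", "ou": "Computer Science;Engineering Administration"},
    "student": {"eppn": "astudent@illinois.edu", "iTrustAffiliation": "student;member", "ou": "Computer Science"},
    "elsewhere": {"eppn": "jdoe@other-campus.example", "iTrustAffiliation": "staff", "ou": "Computer Science"},
}
```

Wire access_decision into the request handler that serves the protected page and log every deny reason; the IdP restriction in shibboleth2.xml remains the primary control, this check only catches attribute mismatches the SP cannot express.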
Next, continue from step 7 (restart and registration) in Shibboleth, Setting up a Service Provider.