Shibboleth, Federating with external vendors

For IT Pros. If you wish to use Shibboleth federation so that people can use their NetID and password to log in to third party vendors (such as a textbook publisher or other online service provider), you'll need to gather the following information.

The desired situation

You want to use Shibboleth to securely authenticate people to a third party service provider, so that University people are allowed to use their NetIDs and passwords to access appropriate access to online resources without needing to create separate accounts in the third party system. (A common example involves access to online course materials provided by a textbook publisher.)

If the vendor is a member of the InCommon federation, the process will be simpler than if they don't, but it's still possible to make the connection work.

Before you start

If the vendor has not done business with the University before, you must fill out a Vendor Risk Assessment form here.

What to tell the vendor

The University of Illinois is a member of InCommon. The following default attributes are released to Service Providers in InCommon:
- eduPersonPrincipalName
  - SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  - Example: NetID@illinois.edu
- mail
  - SAML Name: urn:oid:0.9.2342.19200300.100.1.3
  - Example: NetID@illinois.edu
- eduPersonScopedAffiliation
  - SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  - Example: faculty@illinois.edu
- eduPersonTargetedID
  - SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
  - Example: Persistent identifier
- givenName
  - SAML Name: urn:oid:2.5.4.42
  - Example: first name, ex: john
- sn
  - SAML Name: urn:oid:2.5.4.4
  - Example: surname/last name, ex: doe
- displayName
  - SAML Name: urn:oid:2.16.840.1.113730.3.1.241
  - Example: John Doe

Our entity ID is urn:mace:incommon:uiuc.edu.
- Note: We strongly prefer vendors to take our metadata from InCommon directly. While it is possible to get our metadata from https://mdq.incommon.org/entities/urn:mace:incommon:uiuc.edu instead, consuming metadata from the local URL has known risks.

If the vendor can't accept XML metadata from our campus IDP, they may ask for a "single sign on URL" or a "login URL."
They will need three pieces of information:
- Either the POST or the redirect form of the login URL:
  - POST: https://shibboleth.illinois.edu/idp/profile/SAML2/POST/SSO
  - Redirect: https://shibboleth.illinois.edu/idp/profile/SAML2/Redirect/SSO
- The logout URL:
  - https://shibboleth.illinois.edu/idp/profile/Logout
- The X509 certificate file:
  - idp-signing.txt

Ask the vendor for this connection information:

What name identifier format does your service require from our campus Identity Provider?

The vendor may need a name identifier in the form of an email address, a persistent value (such as an encrypted version of the person's UIN), or a transient value (such as a random unique number used for this particular system). The transient value is recommended when possible.

What other attributes does your service require from our campus Identity Provider?

Other information such as first and last name, email address, or affiliation with the University may be relevant to providing resources to particular individuals.

Do you accept encrypted assertions?

We prefer to use encrypted assertions, but if unencrypted assertions are necessary, please contact shibboleth-mgr@illinois.edu to make arrangements.

Are you a member of InCommon?
- If so:
  - What is your Entity ID?
- If not:
  - How do we obtain your service provider metadata?
    - This will be an XML document that describes how our campus Shibboleth identity provider communicates with the vendor.
    - If the vendor does not have a document like this, you'll need to ask them the following three questions.
- If you don't have either InCommon membership or a service provider metadata XML document:
  - What is your Entity ID?
  - What is your assertion consumer service endpoint?
    - This is the URL to which we should send our assertion from the IDP.
  - What are your X509 SAML certificates?
    - These are the certificates used for signing and encryption. They're different from an SSL certificate protecting a website.

Give the vendor's information to shibboleth-mgr

After you've exchanged this information with the vendor, send this information to shibboleth-mgr@illinois.edu so that we can configure our campus IDP to communicate with the vendor's service.

Keywords	Shibboleth, InCommon, metadata, IDP, entity ID, SP, Federation, vendors, third party, SAML Suggest keywords	Doc ID	80927
Owner	Identity and Access Management	Group	University of Illinois Technology Services
Created	2018-03-15 09:45:13	Updated	2023-07-24 08:17:45
Sites	University of Illinois Technology Services
Feedback	3 0 Comment Suggest a new document Subscribe to changes