Shibboleth, What is it?
For IT Pros This page contains information about Shibboleth, SAML2-compliant single sign-on technology that is available to campus IT Professionals for the protection of their online applications and resources. If you are an end-user, please contact your IT Professional with any questions that you may have about this service.
What is Shibboleth?
For campus users:
Shibboleth is a web-based system that allows you to log in to campus resources with your NetID and Active Directory password.
For IT Professionals:
Shibboleth is an open source, community-supported, SAML2-compliant web single sign-on solution. It’s the basis of our federated single sign-on solution at the University of Illinois. The use of the SAML2 standard makes it easy to plug into many opensource and commercial web applications. Built-in Federation Support makes it ideal when an application needs to be available to users from multiple campuses (or even other institutions).
Shibboleth, as a sign-on technology, is appropriate in the following cases:
- If you run an application that will be federated -- that will be used by students, staff or faculty from other colleges and universities -- Shibboleth will inter-operate with those institutions for easy authentication.
- If your application supports SAML2 out-of-the-box, choosing Shibboleth for web sign-on will save you time and effort.
- If your application requires multi-factor authentication, you should use Shibboleth: Other university web SSOs currently don’t have multi-factor auth in place.
While Shibboleth handles authentication (proving the user is who the user claims), each Shibboleth-protected service will need to make its own decisions about authorization (whether that user is one who is permitted to access this service). See the Authorization and Shibboleth page for more information.
To simplify getting started with Shibboleth, Technology Services offers quick start instructions with sample XML files that can be modified to suit your particular needs.
This page guides you through the full download, installation, configuration, and testing process.
Customized configurations can include:
In an Urbana campus-specific configuration, the service administrator wants to provide access to students, faculty, and staff at only the Urbana campus.
In the University-wide configuration, the service administrator wants to provide access to students, faculty, and staff at any or all of the three University of Illinois campuses, based on one or multiple group or role identities.
In the multi-university configuration, the service administrator wants to provide access to students, faculty, and staff at any of the three University of Illinois campuses as well as students, faculty, and staff at a hypothetical partner University.
This page discusses how to configure Shibboleth for "multiple sign-out," also known as IDP sign-out, so that users who sign out of one Shibboleth-authenticated tab won't lose unsaved work in a differeent Shibboleth-authenticated tab.
More Shibboleth Web Resources
Technology Services' Protecting Your Applications with Shibboleth page provides a deeper look at how Shibboleth operates and how to customize Shibboleth-based authentication for your service's needs.
Shibboleth project wiki (worldwide)
The Shibboleth Project Wiki is an excellent resource for configuration and troubleshooting.
Shibboleth service managers
If you can’t find what you need in other resources, you’re welcome to email the Shibboleth service managers at firstname.lastname@example.org. The Shibboleth community can help when Technology Services can’t. For more information, see Subscribe to the Shibboleth Users list below.
UIUC Shibboleth Announce list
The Shibboleth service managers will try to advise SP operators of important Shibboleth changes through the UIUC Shibboleth Announce list. Anyone who’s an SP administrator in the I-Trust federation registry from the Urbana campus will be added to this list automatically. Others are welcome to subscribe as well.
To sign up, send an email to email@example.com with the text: “subscribe shibboleth-announce” in the message body.
In addition to the UIUC Shibboleth Announce list, we also recommend
you subscribe to the worldwide Shibboleth Announcements mailing list to
learn of advisories directly from the Shibboleth Project Team. In
addition to the announcement list, there are also lists for general
discussion and questions about Shibboleth project development.
For information on subscribing to these mailing lists, see the worldwide Shibboleth Community Mailing Lists page.