Shibboleth, What is it?

For IT Pros This page contains information about Shibboleth, SAML2-compliant single sign-on technology that is available to campus IT Professionals for the protection of their online applications and resources. If you are an end-user, please contact your IT Professional with any questions that you may have about this service.

What is Shibboleth?

For campus users:

Shibboleth is a web-based system that allows you to log in to campus resources with your NetID and NetID password.

For IT Professionals:

Shibboleth is an open source, community-supported, SAML2-compliant web single sign-on solution. It's the basis of our federated single sign-on solution at the University of Illinois. The use of the SAML2 standard makes it easy to plug into many open source and commercial web applications. Built-in Federation Support makes it ideal when an application needs to be available to users from multiple campuses (or even other institutions).

Which Applications Should Use Shibboleth

Shibboleth, as a sign-on technology, is appropriate in the following cases:

  • If you run an application that will be federated - that will be used by students, staff or faculty from other colleges and universities - Shibboleth will inter-operate with those institutions for easy authentication.

    • If you're working with a third party partner that also uses Shibboleth for access control, such as a textbook publisher that could use students' NetIDs to permit access to digital textbooks, see Shibboleth, Federating with external vendors

  • If your application supports SAML2 out-of-the-box, choosing Shibboleth for web sign-on will save you time and effort.

  • If your application requires multi-factor authentication, you should use Shibboleth: Other university web SSOs currently don't have multi-factor auth in place.
Note for web.illinois.edu (cPanel) web hosting customers: The web.illinois.edu server is already set up as a Shibboleth service provider. You won't need to follow these steps to use Shibboleth authentication on a web.illinois.edu-hosted site. Instead, see cPanel, Using Shibboleth to control who can see your website to use Shibboleth on cPanel sites.

Authorization and Shibboleth

While Shibboleth handles authentication (proving the user is who the user claims), each Shibboleth-protected service will need to make its own decisions about authorization (whether that user is one who is permitted to access this service). See the Authorization and Shibboleth page for more information.

Quick Start Scenarios with Sample XML Files

To simplify getting started with Shibboleth, Technology Services offers quick start instructions with sample XML files that can be modified to suit your particular needs.

Quick Start: Setting up a Shibboleth Service Provider

This page guides you through the full download, installation, configuration, and testing process.

Customized configurations can include:

Urbana campus-specific configuration

In an Urbana campus-specific configuration, the service administrator wants to provide access to students, faculty, and staff at only the Urbana campus.

University-wide configuration

In the University-wide configuration, the service administrator wants to provide access to students, faculty, and staff at any or all of the three University of Illinois campuses, based on one or multiple group or role identities.

Multi-University configuration

In the multi-university configuration, the service administrator wants to provide access to students, faculty, and staff at any of the three University of Illinois campuses as well as students, faculty, and staff at a hypothetical partner University.

Setting up Shibboleth logout behavior

This page discusses how to configure Shibboleth for "multiple sign-out," also known as IDP sign-out, so that users who sign out of one Shibboleth-authenticated tab won't lose unsaved work in a different Shibboleth-authenticated tab.

Shibboleth Community Resources

Shibboleth project wiki (worldwide)

The Shibboleth Project Wiki is an excellent resource for configuration and troubleshooting.

Shibboleth service managers

If you can't find what you need in other resources, you're welcome to email the Shibboleth service managers at shibboleth-mgr@illinois.edu. The Shibboleth community can help when Technology Services can't. For more information, see Subscribe to the Shibboleth Users list below.

UIUC Shibboleth Announce list

The Shibboleth service managers will try to advise SP operators of important Shibboleth changes through the UIUC Shibboleth Announce list. Anyone who's an SP administrator in the I-Trust federation registry from the Urbana campus will be added to this list automatically. Others are welcome to subscribe as well. 

To sign up, send an email to lists@lists.illinois.edu with the text: subscribe shibboleth-announce in the message body.

Subscribe to the Shibboleth Users list

In addition to the UIUC Shibboleth Announce list, we also recommend you subscribe to the worldwide Shibboleth Announcements mailing list to learn of advisories directly from the Shibboleth Project Team. In addition to the announcement list, there are also lists for general discussion and questions about Shibboleth project development.

For information on subscribing to these mailing lists, see the worldwide Shibboleth Community Mailing Lists page.