Shibboleth, University of Illinois-specific configuration
For IT Pros This page provides additional information on how to configure your Shibboleth installation in order to restrict access to members of the University of Illinois.
The desired situation
You want to use Shibboleth to restrict access to members of the University of Illinois, and not allow access by members of other universities.
At this point, you should have completed steps 1 through 5 in Shibboleth, Setting up a Service Provider .
This page explains step 6 (configuration) in more detail.
(If you haven't completed steps 6a.1 and 6a.2 yet:)
Open your localized shibboleth2.xml in a text editor and make the following changes.
In the line:
<ApplicationDefaults entityID="https://host.name.illinois.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">:
- Replace https://host.name.illinois.edu/shibboleth with the entity ID you chose previously.
In the line:
<Errors supportContact="email@example.com" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
- Replace firstname.lastname@example.org with the appropriate support email address for services on this server.
- Replace /about.html with the path to your help pages.
- Replace /shibboleth-sp/main.css with the path to the CSS file used for your Shibboleth error templates, if any.
In the section that says:
<!-- Below setting will use Urbana campus IDP only. --> <SSO entityID="urn:mace:incommon:uiuc.edu" discoveryProtocol="SAMLDS" discoveryURL="">
- Remove the comment about the Urbana campus IDP, since you'll change that to include the entire University.
- Remove the URN of the entityID, but leave the quotation marks. The text will become:
- Add the Illinois discovery service between the quotes in discoveryURL. The text will become:
In the metadata filter section that says:
<MetadataFilter type="Whitelist"> <Include>urn:mace:incommon:uiuc.edu</Include> </MetadataFilter>
The default configuration includes only the Urbana campus. In order to add the Springfield and Chicago campuses, you should add the following two lines before the closing of the MetadataFilter tag:
Access restrictions and sessionError.html
This copy of shibboleth2.xml is configured to restrict access to members of the University of Illinois, meaning that if someone tries to log in through a different IDP, the sessionError.html template will be returned to that person. You may want to customize that file to suit your site's look and feel.
Place the localized attribute-map.xml in the same directory as shibboleth2.xml.
(By default, this file contains attribute definitions for all of the attributes supported by the UIUC identity provider, but they’re all commented out.)
If you want to determine which of the three campuses a person belongs to, you'll be interested in the eduPersonPrincipalName attribute.
The use of eduPersonPrincipalName is highly recommended for federated applications, while uid is not recommended. That's because two different people can have the same NetID or uid at two different institutions, but when you scope it (email@example.com) to the end of it, the identifier becomes unique.
Download the iTrust certificate
Download https://discovery.itrust.illinois.edu/itrust-certs/itrust.pem and place it in the same directory as shibboleth2.xml.
This certificate is used to sign the I-Trust metadata. The signature validation metadata filter in your shibboleth2.xml references this file and tells Shibboleth to validate the signature on the I-Trust metadata whenever it downloads a new version.
Next, continue from step 7 (restart and registration) in Shibboleth, Setting up a Service Provider .