Shibboleth

About

The Shibboleth® System is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

The Shibboleth software implements widely used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License. (Internet2-Middleware Initiative)

 

Shibboleth Login Page  *Do NOT Bookmark this page!

Shibboleth Login  Screen

The Shibboleth login page shows up in your browser after you select "login" at a Shibboleth-protected web service. Some services require you to select the federation type (Higher Education) and Institution (North Carolina State University) before you are redirected to this page. The Shibboleth Login page is run by NC State and accepts your UnityID and password to log you in, or "authenticate" you. Once you successfully log in, you may see the Digital ID Card (below), at least the first time you go to a web site. After that, you are sent back to the service you were attempting to access (for example, Google Apps for Education or another site in one of the Identity Federations in which NC State participates). DO NOT BOOKMARK this page. The Shibboleth login page ONLY works if you are sent to it by a web service or application. It requires information from the originating web service to know where to go after you log in. You should bookmark the site you are trying to access (gmail.ncsu.edu, for example) rather than the Shibboleth Login Page.

 

Digital ID Card (uApprove)

uApprove Digital ID Card

uApprove is an application developed by the Swiss for their rollout of Shibboleth. It displays a "Digital ID Card" that lists the attributes or personal data that Shibboleth is about to release to the application or service you are attempting to access. You have the option to refuse releasing this data by choosing "Cancel"; however, you most likely will not be allowed to access the web site or application. By choosing "Confirm", the information shown on the screen will be released to the web application so that it can determine whether to allow you access. Some applications only need to know that you're a "member" of the university. Other applications might need to know that you're a "Student" or, for some NC State applications, your UnityID or whether you're enrolled in a particular class. Currently, the Digital ID Card is displayed the first time you access a Shibboleth-enabled web site. Once you confirm the release of your information to the site, it will not be displayed again unless the information being requested changes.
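The show-once, re-prompt-on-change behaviour described above, sketched as an added example (this is not uApprove's code or NC State's configuration). The `ConsentStore` class, the function names, the `example.org` entityID and the user `jdoe` are hypothetical; whether a change in attribute values, not just attribute names, counts as a change is an assumption exposed as `include_values`.

```python
import hashlib
import json

def fingerprint(attributes, include_values=False):
    """Order-independent SHA-256 digest of the attribute set about to be released."""
    canonical = ({name: sorted(vals) for name, vals in attributes.items()}
                 if include_values else sorted(attributes))
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

class ConsentStore:
    """Hypothetical store: one fingerprint per (user, service provider entityID)."""
    def __init__(self, include_values=False):
        self.include_values = include_values
        self._approved = {}

    def needs_prompt(self, user, sp, attributes):
        # Prompt on the first visit, or when the requested set no longer matches.
        return self._approved.get((user, sp)) != fingerprint(attributes, self.include_values)

    def record(self, user, sp, attributes, confirmed):
        if confirmed:
            self._approved[(user, sp)] = fingerprint(attributes, self.include_values)
        else:
            self._approved.pop((user, sp), None)  # "Cancel": remember nothing

def release(store, user, sp, attributes, ask_user):
    """Return the attributes to release, or None when the user cancels."""
    if store.needs_prompt(user, sp, attributes):
        confirmed = ask_user(attributes)
        store.record(user, sp, attributes, confirmed)
        if not confirmed:
            return None  # nothing is released to the service
    return attributes

def demo():
    """Constructed walk-through; returns the attribute names shown on each card."""
    store, shown = ConsentStore(), []
    ask = lambda attrs: shown.append(sorted(attrs)) or True  # user picks "Confirm"
    sp = "https://sp.example.org/shibboleth"  # constructed entityID
    member = {"eduPersonScopedAffiliation": ["member@example.edu"]}
    release(store, "jdoe", sp, member, ask)   # first visit: card shown
    release(store, "jdoe", sp, member, ask)   # already confirmed: no card
    wider = dict(member, eduPersonPrincipalName=["jdoe@example.edu"])
    release(store, "jdoe", sp, wider, ask)    # request changed: card shown again
    return shown

if __name__ == "__main__":
    print(demo())
```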

NC State's Attribute Release Policy (ARP) [.pdf]

(Approved by the IAM Oversight Committee - April 20, 2010)

 

Configuring a Service Provider (SP) at NC State

Instructions on how to set up and configure a Shibboleth Service Provider to protect a web application or service can be found at: http://xteams.oit.ncsu.edu/iso/shibboleth/sp-setup

Requesting Service Provider Access to NC State's Identity Provider Infrastructure

In order for your service provider to access the University’s Identity Provider infrastructure, you must complete the online form located at:
 
go.ncsu.edu/shib-access-request 

NC State's Shibboleth Identity Provider service is a member of InCommon's Research and Scholarship Service Category.  If your service provider is a member of this category (see https://incommon.org/federation/info/all-sp-categories.html), you do not need to submit this form for Service Provider Onboarding.
 
Otherwise, this form must be completed by a member of the NC State community. If the service provider is being provided by a third party, please obtain appropriate answers to relevant questions from the SP organization's technical staff.
 
Once the form is completed and submitted, it will be reviewed by staff in OIT:

  • Technical staff will perform an initial review of the request. If the details are technically sound, they will pass it on to the Security and Compliance staff.
  • The Security and Compliance staff will review the attributes requested, inform the appropriate data custodian(s) of your request, and gain their approval. It is important that justifications for each attribute requested be provided. Any attributes requested that are outside the scope of the Attribute Release Policy will be addressed during this phase.
  • Finally, once all attribute issues (if any) are resolved, the technical staff will work with you and/or your third-party partner to test and implement your metadata with our Identity Provider servers.

 

 

 

Links

Shibboleth Home (Internet2)
SWITCH (Shibboleth Site for Switzerland's Higher Ed Community)

Documents

Shibboleth and Federated Identity Management - Lunch & Learn Oct. 5, 2009 (.pdf)
InCommon Membership Announcement (.pdf)
7 Things You Should Know About Federated Identity Management (EDUCAUSE, Sep-09)
Shibboleth Info Sheet (Internet2 Middleware Initiative)

Federations

NC State University has joined the InCommon Federation as of January 2009. Membership in InCommon will allow campus members to access services provided by Federation Service Providers. More information on our membership in InCommon is available here.

InCommon Participant Operational Practices (POP)

Current Version - May 2011 - [.pdf]

Jan 2009 Version - [.pdf]