Shibboleth & MyPack Portal Login Steps

After an upgrade to MyPack Portal over the weekend of October 8-9, 2011, the login sequence for the portal has changed in order to incorporate a more secure, affiliation-based login provided by Shibboleth. An explanation of how Shibboleth works, and why NC State is integrating it, follows this description of the new two-step login process:

Step 1: Select your primary campus affiliation – Faculty/Staff/Students or Parents/Guests:

 

Step 2: For Faculty/Staff/Students

Step 2: For Parents/Guests

 

Shibboleth: How it works and why NC State is using it

Shibboleth is an Internet2 sponsored middleware project that has developed an open-source architecture for federated identity-based authentication and authorization. Shibboleth allows authentication from multiple sources, or identity providers. Persons authenticating with Shibboleth select their identity provider – potentially using a where are you from (WAYF) page and then use their credentials for that identity. Shibboleth also allows attributes about an identity to be passed from the identity provider to the service provider.

With Shibboleth, the Portal will no longer directly ‘see’ users’ login credentials. Users will be directed to a secure identity provider page to enter their credentials and only the identity provider will have access to their credentials to the Portal. Using Shibboleth for Portal authentication will improve security of individuals’ login credentials and move Portal authentication to a modern framework that will provide capability to support more sources of identity authentication and position the Portal to be able to deliver attribute based content in the future.

On initially connecting to the Portal, users will select their primary affiliation and will be directed to the appropriated identity provider page to authenticate. There will be a default affiliation of Faculty/Staff/Students. However, rather than entering your username and password on the portal page, the username and password will be entered on a separate identity provider page. For NC State students, faculty, and employees the identity provider page will be like other NC State login screens for accessing protected web content.

The first time NC State users authenticate to the portal using Shibboleth, they will be directed to a second identity provider page after successfully authenticating. This is the uApprove page and shows the user’s attribute information that will be provided about them to the Portal. The user can approve release of this attribute information to the Portal or they can decline to share the attribute information. If they do not share the needed attributes they may not be authorized to access some or all Portal content – since authorization for Portal content access is determined by the identity and the identity attributes passed to the Portal from the identity provider. Subsequent authentications will not display the uApprove page.