The Shibboleth® System is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.
The Shibboleth software implements widely used federated identity standards, principally OASIS’ Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License (Internet2-Middleware Initiative).
Shibboleth Login Page (Do NOT Bookmark this page!)
The Shibboleth login page shows up in your browser after you select “login” at a Shibboleth-protected web service. Some services require you to select the federation type (Higher Education) and Institution (North Carolina State University) prior to being redirected to this page. The Shibboleth Login page is run by NC State and accepts your Unity ID and password to log you in or “authenticate” you. Once you successfully log in, you may see the Digital ID Card (below), at least the first time you go to a website. After that, you are sent back to the service you were attempting to access (for example, Google Apps for Education or another site in one of the Identity Federations in which NC State participates).
DO NOT BOOKMARK this login page. The Shibboleth login page works ONLY if you are sent to it by a web service or application. It requires information from the originating web service to know where to go after you log in. You should bookmark the site you are trying to access (mypack.ncsu.edu for example) rather than the Shibboleth Login Page.
uApprove is an application developed by the Swiss for their rollout of Shibboleth. It displays a “Digital ID Card” that lists the attributes or personal data that Shibboleth is about to release to the application or service you are attempting to access. You have the option to refuse releasing this data by choosing “Cancel”; however, you most likely will not be allowed to access the website or application. By choosing “Confirm”, the information shown on the screen will be released to the web application so that it can determine whether to allow you access. Some applications need to know only that you’re a “member” of the university. Other applications might need to know that you’re a “Student” or, for some NC State applications, your Unity ID or whether you’re enrolled in a particular class. Currently, the Digital ID Card is displayed the first time you access a Shibboleth-enabled website. Once you confirm the release of your information to the site, it will not be displayed again unless the information being requested changes.
- NC State’s Attribute Release Policy (ARP) (.pdf)
(Approved by the IAM Oversight Committee – April 20, 2010)
Configuring a Service Provider (SP) at NC State
For instructions on how to set up and configure a Shibboleth Service Provider to protect a Web application or service, see:
NC State Shibboleth – Technical Documentation
Requesting Service Provider Access to NC State’s Identity Provider Infrastructure
NC State’s Shibboleth Identity Provider service is a member of InCommon’s Research and Scholarship Service Category. If your service provider is a member of this category (see InCommon Entity Categories), you do not need to submit this form for Service Provider Onboarding.
Otherwise, this form must be completed by a member of the NC State community. If the service provider is being provided by a third party, please obtain appropriate answers to relevant questions from the technical staff of the service provider organization.
Once the form is completed and submitted, it will be reviewed by staff in OIT:
- Technical staff will perform an initial review of the request. If the details are technically sound, they will pass it on to the Security and Compliance staff.
- The Security and Compliance staff will review the attributes requested, inform the appropriate data custodian(s) of your request, and gain their approval. It is important that justifications for each attribute requested be provided. Any attributes requested that are outside the scope of the Attribute Release Policy will be addressed during this phase.
- Finally, once all attribute issues (if any) are resolved, the technical staff will work with you and/or your third-party partner to test and implement your metadata with our Identity Provider servers.
- Shibboleth and Federated Identity Management Lunch & Learn Oct. 5, 2009 (.pdf)
- InCommon Membership Announcement (PDF)
- Seven Things You Should Know About Federated Identity Management (EDUCAUSE, Sep 2009)
- Shibboleth info sheet (Internet2 Middleware Initiative)
NC State University has joined the InCommon Federation as of January, 2009. Membership in InCommon will allow campus members to access services provided by Federation Service Providers. See NC State’s Membership in the InCommon Federation.