Shibboleth

About Shibboleth

Shibboleth Logo

  • The Shibboleth® System is a standards based, open source software package for web single sign-on, across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.
  • The Shibboleth software implements widely used federated identity standards, principally OASIS’ Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework.
  • Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application.
  • Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications.
  • Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License (Internet2-Middleware Initiative).

 

Shibboleth Login Page  *Do NOT Bookmark this page!

Here’s how a Shibboleth login works:

  1. When you are on a page for a Shibboleth-protected web service or application, select “Login.”
    The Shibboleth Login Service page (Figure 1) shows up in your browser.

    Figure 1. Shibboleth Login Service page
    Before you are redirected to this login page, some services will first require you to select the federation type (Higher Education) and institution (North Carolina State University).
    The Shibboleth Login Service page is run by NC State and accepts your Unity ID and password to log you in or “authenticate” you.
  2. Once you successfully log in, you may see the Attribute Release List (Figure 2) — at least the first time you go to a website.
  3. After that, you are sent back to the web service or application you were attempting to access (e.g., Google Workspace at NC State, other site in one of the Identity Federations in which NC State participates).

DO NOT BOOKMARK the Shibboleth Login Service page.

  • The Shibboleth Login Service page works ONLY if you are sent to it by a web service or application.
  • It must have information from that originating web service or application; otherwise, it cannot send you there after you log in.
  • Bookmark the web service or application you are trying to access (e.g., mypack.ncsu.edu), NOT the Shibboleth Login Service page.

Attribute Release

  • It displays a “Attribute Release List” (Figure 2) that lists the attributes or personal data that Shibboleth is about to release to the application or service you are attempting to access.
    Screenshot of the information release page
    Figure 2. “Attribute Release List” page
  • You have the option to refuse releasing this data by choosing “Cancel.”
    However, if you do, you most likely will not be allowed to access the application or service.
  • If you choose “Confirm,” the information shown on the screen will be released to the web application so that it can determine whether to allow you access.
    • Some applications need to know only that you’re a “member” of the university.
    • Some applications might need to know that you’re a “Student.”
    • Some NC State applications will need your Unity ID or whether you’re enrolled in a particular class.
  • Currently, when you access a Shibboleth-enabled application or service for the first time, the Attribute Release List (Figure 2) is displayed.
  • Once you confirm the release of your information, it will not be displayed again — unless the information being requested changes.

NC State’s Attribute Release Policy (ARP) (PDF)
(Approved by the IAM Oversight Committee – April 20, 2010)

Configuring a Service Provider (SP) at NC State

For instructions on how to set up and configure a Shibboleth Service Provider to protect a web application or service, see:
NC State Shibboleth – Technical Documentation

Requesting Service Provider Access to NC State’s Identity Provider Infrastructure

In order for your service provider to access the University’s Identity Provider infrastructure, you must complete the online Shibboleth Access Request Form.

NC State’s Shibboleth Identity Provider service is a member of InCommon’s Research and Scholarship Service Category.

  • If your service provider is a member of this category (see InCommon Community Organizations), you do not need to submit this form for Service Provider Onboarding.
  • Otherwise, this form must be completed by a member of the NC State community.
  • If the service provider is being provided by a third-party, please obtain appropriate answers to relevant questions from the technical staff of the service provider organization.

Once the form is completed and submitted, it will be reviewed by staff in OIT as follows:

  • Technical staff will perform an initial review of the request.
    If the details are technically sound, they will pass it on to:
  • The Security and Compliance staff.
    • They will review the attributes requested, inform the appropriate data custodian(s) of your request, and gain their approval.
    • It is important that justifications for each attribute requested be provided.
    • Any attributes requested that are outside the scope of NC State’s Attribute Release Policy (ARP) (PDF) will be addressed during this phase.
  • Finally, once all attribute issues (if any) are resolved, the technical staff will then work with you and/or your third-party partner to test and implement your metadata with our Identity Provider servers.

Links

Documents

Federations

 

InCommon Participant Operational Practices (POP)