Shibboleth at the University of Minnesota
What is Shibboleth?
Shibboleth is a software product that implements the Security Assertion Markup Language (SAML).
Shibboleth is the new standard web signon system at the University of Minnesota, replacing the old Central Authentication Hub (a.k.a. "cookieauth"), which will be retired soon.
In SAML, an Identity Provider (IdP) generates assertions about an authentication event or a user. These assertions are sent to a Service Provider (SP), which validates the assertions and uses the data in them. For example, an SP could use name data to personalize their site, or job code data to enforce access controls.
The University of Minnesota Office of Information Technology (OIT) runs a Shibboleth IdP, which SPs can use for authentication and for obtaining X.500 directory data about an authenticated user.
Installation and Configuration of Service Providers
Most deployments at the University should be able to follow similar instructions for setup.
Application Integrations and Alternative Implementations
There are many implementations of the SAML protocol available. Some applications and platforms natively implement SAML support, or directly support integration with the Shibboleth SP. For most other uses we recommend the Shibboleth SP implementation, as it is the most widely used in higher education and interoperates best with our Shibboleth IdP. There is also a UMN GitHub Shib Community group with a community-designed API for integrating apps with the Shib SP, as well as implementations in several languages/platforms.
Converting from Cookie Auth Hub to Shibboleth
Converting applications from Cookie Auth Hub (CAH) to Shibboleth is usually straightforward.
Third-party hosted or “cloud” applications are an ideal fit for SAML authentication; indeed, off-campus library resources were one of the original use cases behind the Shibboleth project.
Frequently Asked Questions and Glossary
for frequently asked questions about Shibboleth, including common error messages. We also have a ShibGlossary that explains some of the terms used in the Shibboleth/SAML world.
The U is a member of the InCommon Federation, which provides a trust framework and metadata distribution among its members. This simplifies the process of setting up other members to use our IdP.
The Shibboleth service is operated by the Identity Management service team. For more information about Shibboleth or our other services, send email to email@example.com.
Special note about IDM contact
If someone at IDM contacts you after a metadata submission and asks you to "Please add your contact information as described on the wiki page," find information about adding contact info to your metadata file, after you download/retrieve it from your new SPD, here: Adding contact info to Metadata
Additionally, fill out the supportContact attribute of the Errors node in the shibboleth2.xml file.
Shibboleth Workshop Notes