Shibboleth Authentication Overview
This article provides a technical overview of the Shibboleth authentication service.
Shibboleth, a standards-based (SAML) web single sign-on system, is the most common means of providing CNetID authentication to external services. It is also the best option for providing an SSO experience across campus-based web applications.
Any LDAP user attribute can be delivered by Shibboleth, subject to the attribute release policy described below.
If an external service belongs to the InCommon Federation, Shibboleth authentication is already available to it. Otherwise, the process of connecting to the Shibboleth authentication service involves an exchange of SAML metadata (entityIDs, endpoint locations and signing certificates) between the "Service Provider", i.e., the component that protects the application, and the "Identity Provider", i.e., the component that logs users in, so that each side can recognize the other and verify the messages it signs.
Two pseudonymous, non-identifying user attributes are released to all external service providers by default, and a larger set of user attributes is released by default to many campus-based applications. Some Shibbolized applications also need specific attributes about the logged-in user, such as their name, email address, or service-specific entitlements. Release of any attributes beyond those provided by default requires a special agreement or contract between the University of Chicago and the application operator.
On-boarding and support
IT Services provides shibboleth support.
New deployers of Shibboleth should consult the IT Services onboarding documentation for prerequisites and the onboarding process.
Note: The attributes released by default to external services are eduPersonTargetedID and eduPersonScopedAffiliation. The first is a "pseudonymous" identifier, meaning that it enables the application to offer personalized user services without requiring UChicago to provide personally identifying information about the user. The value is derived per service provider with a keyed (salted) hash, so it is stable for one application across logins but differs between applications; colluding applications therefore cannot use it to correlate a user, and only UChicago's IdP holds the mapping back to the person. The second lists the user's eduPersonAffiliation values, along with a standards-based way of saying "these affiliations pertain to uchicago.edu".
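The per-service-provider pseudonymous identifier described in the note, as an added example; this is not UChicago's IdP configuration or code. It follows the shape of the Shibboleth IdP's "computed ID" construction (a salted SHA-1 over the SP's entityID and a per-user source identifier) and contrasts it with an unsalted variant to show why the secret salt matters. The SP entityIDs, user identifiers and salt are constructed placeholders, and only the opaque value is produced; a real eduPersonTargetedID is carried as a SAML NameID with name qualifiers.

```python
import base64
import hashlib
from typing import Callable, Iterable, Optional

# Constructed IdP-side secret. A real deployment keeps this in the IdP's
# attribute-resolver configuration and never discloses it to any SP.
SALT = "constructed-example-salt-0123456789"


def computed_targeted_id(sp_entity_id: str, source_id: str, salt: str = SALT) -> str:
    """Per-SP pseudonymous value, modeled on the Shibboleth IdP computed ID:
    Base64(SHA-1(spEntityID + "!" + sourceID + "!" + salt)).

    Binding the SP's entityID into the hash gives every SP a different value
    for the same user; keeping source ID and salt fixed makes the value stable
    across logins, which is what lets the SP personalize without knowing who
    the user is.
    """
    material = f"{sp_entity_id}!{source_id}!{salt}".encode()
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def naive_unsalted_id(sp_entity_id: str, source_id: str) -> str:
    """The same construction with no secret: shown only to demonstrate the flaw."""
    material = f"{sp_entity_id}!{source_id}".encode()
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def sps_can_correlate(sp_a: str, sp_b: str, source_id: str) -> bool:
    """True if two colluding SPs would observe the same value for one user."""
    return computed_targeted_id(sp_a, source_id) == computed_targeted_id(sp_b, source_id)


def sp_recovers_user(
    sp_entity_id: str,
    observed: str,
    candidates: Iterable[str],
    id_fn: Callable[[str, str], str],
) -> Optional[str]:
    """Dictionary attack an SP can run when it knows the construction and can
    enumerate likely source IDs (campus usernames are a small space).
    Succeeds against naive_unsalted_id; fails against the salted version
    because the SP does not hold the salt."""
    for candidate in candidates:
        if id_fn(sp_entity_id, candidate) == observed:
            return candidate
    return None


if __name__ == "__main__":
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    print("SP A sees:", computed_targeted_id(sp_a, "alice"))
    print("SP B sees:", computed_targeted_id(sp_b, "alice"))
    print("colluding SPs can correlate:", sps_can_correlate(sp_a, sp_b, "alice"))
    guesses = ["alice", "bob", "carol"]
    print("unsalted value recovered as:",
          sp_recovers_user(sp_a, naive_unsalted_id(sp_a, "bob"), guesses, naive_unsalted_id))
    print("salted value recovered as:",
          sp_recovers_user(sp_a, computed_targeted_id(sp_a, "bob"), guesses, naive_unsalted_id))
```

The salt is what separates a pseudonym from a thin disguise: without it, any SP that knows the construction can reverse the value for the whole campus population with one pass over a username list. Operationally, changing the salt re-keys every SP's view of every user, so it is treated like a long-lived secret rather than rotated.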
Attributes released by default to many on-campus applications are name, eduPersonAffiliation, CNetID or UCHADid, ChicagoID, ucDepartment, ucCurriculum, ucPriv, and ucIsMemberOf.
UChicago IdP entityID: urn:mace:incommon:uchicago.edu
IdP metadata location (InCommon aggregate): http://md.incommon.org/InCommon/InCommon-metadata.xml
The aggregate is published over plain HTTP, so its integrity rests on its XML signature: a service provider must verify that signature against the InCommon metadata signing certificate before trusting any entity the aggregate describes.
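How a service provider consumes the metadata just described (the exchange of entityIDs, endpoints and signing certificates mentioned earlier, and the lookup of an IdP by entityID in a federation aggregate), as an added example that is not part of this article or of the Shibboleth software. It parses a constructed miniature aggregate, refuses an unsigned one, rejects non-TLS endpoints, and separates signing keys from encryption-only keys. The entityIDs, endpoints, certificate bodies and the signature element are placeholders; in practice the function would be called with the entityID listed above against the real InCommon aggregate, and the Shibboleth SP performs the signature verification itself via a `Signature` MetadataFilter.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed miniature aggregate: entityIDs, endpoints, certificate bodies and
# the signature are placeholders, not InCommon or UChicago data.
SIGNATURE_STUB = "<ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>"
AGGREGATE_TEMPLATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:mace:example:federation">
  {SIGNATURE}
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:incommon:example.edu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIBsigningCertPlaceholder==
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBencryptionCertPlaceholder==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
SAMPLE_AGGREGATE = AGGREGATE_TEMPLATE.replace("{SIGNATURE}", SIGNATURE_STUB)
UNSIGNED_AGGREGATE = AGGREGATE_TEMPLATE.replace("{SIGNATURE}", "")


def find_idp(metadata_xml: str, entity_id: str) -> dict:
    """Locate one IdP in a metadata aggregate and return what an SP needs in
    order to trust it: SSO endpoints keyed by binding, and its signing certs."""
    root = ET.fromstring(metadata_xml)
    # Presence check only. Real verification of the enveloped signature needs
    # an XML-DSig library (e.g. xmlsec) plus the federation's signing
    # certificate; unsigned metadata must never be trusted.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate is unsigned; refusing to trust it")
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            raise ValueError("%s is not an identity provider" % entity_id)
        endpoints = {}
        for sso in idp.findall("md:SingleSignOnService", NS):
            location = sso.get("Location", "")
            if not location.startswith("https://"):
                raise ValueError("non-TLS SSO endpoint for %s: %s" % (entity_id, location))
            endpoints[sso.get("Binding")] = location
        signing_certs = []
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without "use" serves both purposes; encryption-only
            # keys must not be used to verify assertion signatures.
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))
        if not signing_certs:
            raise ValueError("no signing certificate published for %s" % entity_id)
        return {"entity_id": entity_id, "sso": endpoints, "signing_certs": signing_certs}
    raise LookupError("%s not present in aggregate" % entity_id)


if __name__ == "__main__":
    idp = find_idp(SAMPLE_AGGREGATE, "urn:mace:incommon:example.edu")
    print("redirect SSO endpoint:", idp["sso"][HTTP_REDIRECT])
    print("signing certificates:", idp["signing_certs"])
```

The signing certificate pulled from metadata, not any certificate presented at the TLS layer, is what the SP uses to check the signature on the assertions the IdP returns; that is why the aggregate itself has to be signature-verified first, since an attacker who can alter the metadata can substitute their own key.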
Shibboleth Lockout Policy
Shibboleth relies on LDAP for password authentication, and LDAP enforces an account lockout policy for InCommon Silver users.
For a less technical overview of Shibboleth from a user's perspective, see What is Shibboleth?.