Shibboleth Authentication Overview

This article provides a technical overview of the Shibboleth authentication service.


Shibboleth, the only standards-based web single sign-on protocol, is the most common means for providing CNetID authentication to external services. It is also the best option for providing a single sign-on experience across multiple campus-based web applications.

All LDAP user attributes can be delivered by Shibboleth.

If an external service belongs to the InCommon Federation, it is already configured for Shibboleth authentication. Otherwise, connecting to the Shibboleth authentication service involves exchanging certain metadata between the Service Provider (the component that protects the application) and the Identity Provider (the component that logs users in), so that the two can recognize and authenticate each other.

Two non-identifying user attributes are provided to all external service providers by default, and a larger set of user attributes is provided by default to many campus-based applications. Some Shibbolized applications also need specified attributes about the user, such as their name, email address, or service-specific entitlements. Release of any attributes beyond those provided by default requires a special agreement or contract between UChicago and the application operator.

Onboarding and Support

IT Services provides Shibboleth support.

New deployers of Shibboleth should see the UChicago wiki article "Shibboleth information for new deployers" for information on prerequisites and onboarding.

Note: The attributes released by default to external services are eduPersonTargetedID and eduPersonScopedAffiliation. The first is a pseudonymous identifier, meaning it enables the application to offer personalized user services without requiring UChicago to provide personally identifying information about the user. This is accomplished with cryptographic techniques that prevent the user's identity from being discovered, even by applications that collude to correlate user experience information. The second lists the user's eduPersonAffiliation values, along with a standards-based way of relating these affiliations to

Attributes released by default to many on-campus applications are name, eduPersonAffiliation, CNetID or UCHADid, ChicagoID, ucDepartment, ucCurriculum, ucPriv, and ucIsMemberOf.
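The following added example (not UChicago's or the Shibboleth project's code) models the default release rules and the pseudonymous identifier described above. The keyed-hash (HMAC-SHA256) derivation, the secret, the scope example.edu, the user record and the service provider entity IDs are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a secret known only to the IdP; constructed value for the demo.
IDP_SECRET = b"constructed-demo-secret-not-a-real-key"
SCOPE = "example.edu"  # placeholder scope, not UChicago's

# Default release sets as named in the article.
EXTERNAL_DEFAULT = {"eduPersonTargetedID", "eduPersonScopedAffiliation"}
CAMPUS_DEFAULT = {"name", "eduPersonAffiliation", "CNetID", "UCHADid", "ChicagoID",
                  "ucDepartment", "ucCurriculum", "ucPriv", "ucIsMemberOf"}


def targeted_id(user_id: str, sp_entity_id: str) -> str:
    """Stable per (user, SP) pair, different for every SP, opaque without the secret."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (sp_entity_id.encode(), user_id.encode()))
    digest = hmac.new(IDP_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def release(user: dict, sp_entity_id: str, campus: bool, extra=frozenset()) -> dict:
    """Return only the attributes this SP may see; `extra` models a signed agreement."""
    derived = dict(user)
    derived["eduPersonTargetedID"] = targeted_id(user["CNetID"], sp_entity_id)
    derived["eduPersonScopedAffiliation"] = [
        f"{a}@{SCOPE}" for a in user["eduPersonAffiliation"]]
    allowed = (CAMPUS_DEFAULT if campus else EXTERNAL_DEFAULT) | set(extra)
    return {k: v for k, v in derived.items() if k in allowed}


# Constructed sample user and SP entity IDs.
USER = {"name": "Pat Example", "CNetID": "pexample", "ChicagoID": "00000000X",
        "eduPersonAffiliation": ["member", "staff"], "ucDepartment": "Demo Dept"}
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.net/shibboleth"

if __name__ == "__main__":
    for sp in (SP_A, SP_B):
        # Two external SPs see different identifiers for the same person.
        print(sp, release(USER, sp, campus=False))
```

Because each service provider receives a different identifier for the same user, two providers comparing their records have no shared value to join on.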

Essential Data

  • U Chicago IdPs entityId:
  • IdP metadata location:

Shibboleth Lockout Policy

Shibboleth relies on LDAP, which has a lockout policy for InCommon Silver users. See the article LDAP Authentication for more information about LDAP Authentication.

More Information

For a less technical overview of Shibboleth from a user's perspective, see the article What is Shibboleth?.

Keywords: shib, SSO, single_sign-on
Doc ID: 16208
Owner: Astrid F.
Group: University of Chicago
Created: 2010-12-08 19:00 CDT
Updated: 2017-06-19 06:41 CDT
Sites: University of Chicago, University of Chicago - Sandbox