Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security

Shibboleth Authentication Overview

This article provides a technical overview of the Shibboleth authentication service.


Shibboleth, the only standards-based web single sign-on protocol, is the most common means for providing CNet authentication to external services. It is also the best option for providing an SSO experience across campus-based web applications.

All LDAP user attributes can be delivered by shibboleth.

If an external service belongs to the InCommon Federation, shibboleth authentication is already available to it. Otherwise, the process of connecting to the shibboleth authentication service involves the exchange of certain metadata between the "Service Provider", i.e., the thing that protects the application, and the "Identity Provider", i.e., the thing that logs users in, so that they can recognize and authenticate each other.

Two non-identifying user attributes are provided to all external service providers by default, and a larger set of user attributes are provided by default to many campus-based applications. Some shibbolized applications also need specified attributes about the logged in user, such as their name, email address, or service-specific entitlements. Release of any attributes beyond those provided by default requires a special agreement or contract between UC and the application operator.

On-boarding and support

IT Services provides shibboleth support.

For new deployers of shibboleth click here for information on pre-requisites and onboarding.

Note: The attributes released by default to external services are eduPersonTargetedID and eduPersonScopedAffiliation. The first is a "pseudonymous" identifier, meaning that it enables the application to offer personalized user services without requiring UChicago to provide personally identifying information about the user. This is accomplished by cryptographic techniques that prevent the user's identity from being discovered, even by applications that collude to correlate user experience information. The second lists the user's eduPersonAffiliation values, along with a standards-based way of saying "these affiliations pertain to".

Attributes released by default to many on-campus applications are name, eduPersonAffiliation, CNetID or UCHADid, ChicagoID, ucDepartment, ucCurriculum, ucPriv, and ucIsMemberOf.

Essential data

U Chicago IdPs entityId:
IdP metadata location:

Shibboleth Logout Policy

Shibboleth relies on LDAP, which has a lockout policy for InCommon Silver users.

More Information

For a less technical overview of Shibboleth from a user's perspective, see What is Shibboleth?.

Keywords:shib SSO "single sign-on"   Doc ID:16208
Owner:Astrid F.Group:University of Chicago
Created:2010-12-08 18:00 CSTUpdated:2015-12-10 07:12 CST
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  1   2