This wiki site is offered to assist Cornell web site administrators who are interested in using Shibboleth authentication and authorization technology for access to their website, or to a vendor's website. The Shibboleth Service Provider can usually be used as a replacement for CUWebAuth. The advantage of using Shibboleth is that you can enable access to your site to users from other institutions that are members of the InCommon Federation.
See the InCommon website for more information and a list of colleges and universities that are members.
Shibboleth will not enable people from all colleges and universities to have access to your site, only those that are members of the InCommon Federation. In addition, you can restrict your site to only certain members of InCommon, and only if those members have certain attributes (such as student, faculty, staff, etc.).
Shibboleth is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users.
Integrators outside of InCommon who would like to make use of Cornell's Identity Provider may point to the test IdP first and work through any initial issues. When you are ready to move your integration into production, please submit a request at https://shibrequest.cit.cornell.edu to start the process.
Please join the Cornell Shibboleth admins mailing list by sending an email to cornell-shib-users-L-request@cornell.edu with the word "join" as the subject line. Leave the body of the message blank.
Following a critical security advisory released by the Shibboleth Consortium on Feb 27 2018, the Identity Provider will begin to insist on the use of XML Encryption going forward. From now on, every new Service Provider must provide a certificate for encryption in its metadata.
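The encryption requirement above is something an SP administrator can verify in their own metadata before submitting it. The following is an added example (not Cornell's or the Shibboleth project's code) that inspects a SAML 2.0 SP metadata document and reports whether it publishes a certificate the IdP can encrypt to. The entityID, endpoint and certificate text are constructed placeholders; the namespaces and the meaning of the KeyDescriptor `use` attribute (absent means both signing and encryption) come from the SAML metadata specification.

```python
"""Check that SAML 2.0 SP metadata carries a certificate usable for encryption.

Added example, not Cornell's or the Shibboleth project's code. The entityID,
endpoint and certificate text below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata that only publishes a signing key: the IdP cannot
# encrypt assertions to this SP, so it no longer meets the requirement.
SP_METADATA_SIGNING_ONLY = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICsigningCertPlaceholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# The same constructed metadata with an encryption KeyDescriptor added.
# The certificate text is deliberately wrapped to show whitespace handling.
SP_METADATA_WITH_ENCRYPTION = SP_METADATA_SIGNING_ONLY.replace(
    "</md:KeyDescriptor>",
    """</md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIICencryptionCert
          Placeholder
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>""",
)


def encryption_certs(metadata_xml: str) -> List[str]:
    """Return the X.509 certificates an IdP may encrypt to, whitespace removed.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption per the SAML metadata spec, so it is counted here as well.
    """
    # For metadata received from an untrusted party, parse with defusedxml instead.
    root = ET.fromstring(metadata_xml)
    certs: List[str] = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            text = "".join((cert.text or "").split())
            if text:
                certs.append(text)
    return certs


def has_encryption_cert(metadata_xml: str) -> bool:
    """True when the SP metadata satisfies the encryption-certificate requirement."""
    return bool(encryption_certs(metadata_xml))


if __name__ == "__main__":
    for label, md in (("signing-only", SP_METADATA_SIGNING_ONLY),
                      ("with-encryption", SP_METADATA_WITH_ENCRYPTION)):
        verdict = "OK" if has_encryption_cert(md) else "REJECT: no encryption certificate"
        print(f"{label}: {verdict}")
```

Run it against the metadata your SP generates (for the Shibboleth SP that is the output of its Metadata handler) before submitting an integration request; a signing-only KeyDescriptor is the usual reason an SP fails the new requirement.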
Cornell IDP Info
Generally, vendors will have the following questions. You can send them a link to this page to get started.
Test IdP login URL (POST binding): https://shibidp-test.cit.cornell.edu/idp/profile/SAML2/POST/SSO
Test IdP login URL (Redirect binding): https://shibidp-test.cit.cornell.edu/idp/profile/SAML2/Redirect/SSO
No. Our IdP doesn't support logout because our credentials stick around until you close your browser. We usually recommend that you give the user instructions to quit the browser if they want to log out. Recently one of our vendors hooked up their logout button to a page that gives instructions – see example.
No. Weill Medical School has its own Identity Provider. If your application's Service Provider supports multiple Identity Providers, we can publish your SP's metadata with InCommon. Then your application will be able to use the Weill Medical Identity Provider.
Yes. GuestID login needs to be enabled for your site in the IdP if your site supports it. On the last page of the Shibboleth Integration request form there is a question asking whether your site supports GuestID login. Please check "Yes" if your site needs to support it.
Yes, the Identity Provider sits behind a load balancer, which provides load balancing and failover.
Currently we release the following public attributes. Other attributes are available but must be configured - please send email to idmgmt@cornell.edu if you don't see the attribute you are looking for.
The majority of Service Providers use the Attribute Name in the SAML assertion (the value in the second column) to map to the attribute in their system, but some Service Providers use the Friendly Name in the SAML assertion.
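To make the Name / FriendlyName distinction concrete, here is an added example (not Cornell's code and not any SP product's code) that parses the AttributeStatement of a SAML 2.0 assertion and indexes it both ways. The assertion is constructed: the `urn:oid:` Names are the standard eduPerson and inetOrgPerson attribute identifiers, the issuer and values are made up, and one attribute is deliberately sent without a FriendlyName, which is why mapping on the formal Name is the more robust choice.

```python
"""Map attributes from a SAML 2.0 assertion by Name and by FriendlyName.

Added example, not Cornell's or any SP product's code. The assertion below
is constructed; the urn:oid attribute Names are the standard eduPerson /
inetOrgPerson identifiers and the issuer and values are made up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. The last attribute (mail) carries no FriendlyName,
# as an IdP is allowed to omit it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        FriendlyName="eduPersonPrincipalName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jd123@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        FriendlyName="eduPersonAffiliation"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jd123@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_map(assertion_xml: str) -> Dict[str, Dict[str, List[str]]]:
    """Index the AttributeStatement two ways: by formal Name and by FriendlyName.

    Multi-valued attributes (eduPersonAffiliation here) keep all their values.
    """
    # A real SP validates the signature first and should parse with defusedxml.
    root = ET.fromstring(assertion_xml)
    by_name: Dict[str, List[str]] = {}
    by_friendly: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        by_name[attr.get("Name")] = values
        friendly = attr.get("FriendlyName")
        if friendly:  # optional in SAML, so this index may be incomplete
            by_friendly[friendly] = values
    return {"by_name": by_name, "by_friendly_name": by_friendly}


def lookup(attrs: Dict[str, Dict[str, List[str]]], key: str) -> List[str]:
    """Resolve `key` as a formal Name first, falling back to FriendlyName."""
    return attrs["by_name"].get(key) or attrs["by_friendly_name"].get(key) or []


if __name__ == "__main__":
    attrs = attribute_map(SAMPLE_ASSERTION)
    for index in ("by_name", "by_friendly_name"):
        print(index)
        for k, v in attrs[index].items():
            print(f"  {k} = {v}")
    # 'mail' has no FriendlyName in the sample, so only the OID Name resolves it.
    print("lookup('mail') ->", lookup(attrs, "mail"))
    print("lookup(mail OID) ->", lookup(attrs, "urn:oid:0.9.2342.19200300.100.1.3"))
```

When configuring an SP's attribute map, take the identifier from the Attribute Name column; a FriendlyName-based mapping silently yields nothing for any attribute the IdP releases without one.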
If you don't already have a Cornell NetID, you might be able to obtain an exception with a sponsor NetID (see http://www.cit.cornell.edu/services/netid/faq.cfm). Please talk to the person who is your contact at Cornell, or email idmgmt@cornell.edu.
Service Provider Installation
There are many Service Provider products, for example Shibboleth, SimpleSAMLphp, passport-saml, etc. You should choose one that fits your hosting environment. We have installation instructions for the Shibboleth Service Provider. For other Service Providers, please refer to their own product documentation.