Versions Compared

Old Version 92

changes.mady.by.user Hong Ye

Saved on

compared with

New Version Current

changes.mady.by.user Hong Ye

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Integrators outside of InCommon who would like to make use of Cornell's Identity Provider may point to the test IDP first and work through any initial issues. When you are ready to move your integration into production, please submit a request at https://shibrequest.cit.cornell.edu to start the process.

Please join Cornell Shibboleth admins mailing list by sending an email to cornell-shib-users-L-request@cornell.edu with the word join as the subject line. Leave the body of the message blank.

Info
In the follow up to a critical security advisory that Shibboleth Consortium released on Feb 27 2018, Identity Provider should begin to insist on the use of XML Encryption going forward. From now on, all the new service provider must provide a certificate for encryption in the metadata.

...

Expand
titleDoes Cornell Shibboleth work with Weill Cornell Medical school CWIDs?
No. Weill Medical school has its own Identity Provider. If your application service provider supports multiple Identity Providers, a separate integration request can be sent to Weill Medical ITwe can publish your SP's metadata with InCommon. Then your application is able to use Weill Medical Identity provider.


Expand
titleDoes Cornell Shibboleth work with GuestIDs?
Yes, GuestID login need to be enabled for your site in IDP if your site support it. On the last page of Shibboleth Integration request form, there is a question about if your site support GuestID login. Please check "Yes" if your site need to support it.


Expand
titleDoes the Cornell Identity Provider provide High Availability?
Yes, the Identity Provider is behind the load balancer which provides load balancing and failover.

...

Expand
titleWhat attributes does the Cornell Identity Provider Release?

Currently we release the following public attributes. Other attributes are available but must be configured - please send email to idmgmt@cornell.edu if you don't see the attribute you are looking for.

Majority of Service Providers use Attribute Name In SAML Assertion(value in second column) to map to the attribute in their system, but some service providers use Friendly name in SAML Assertion.

Attribute Friendly Name in edupersonprimaryaffiliationcngivenNamemail
AttributeNameInEnterpriseDirectoryAttribute Name In SAML Assertion SAML Assertion
edupersonprimaryaffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.5

cn(commonName)

urn:oid:2.5.4.3
eduPersonPrincipalName (netid@cornell.edu)urn:oid:1.3.6.1.4.1.5923.1.1.1.6eduPersonPrincipalName
givenName (first name)urn:oid:2.5.4.42
sn(last name)urn:oid:2.5.4.4sn
displayNameurn:oid:2.16.840.1.113730.3.1.241displayName
uid (netid)urn:oid:0.9.2342.19200300.100.1.1uid
eduPersonOrgDNurn:oid:1.3.6.1.4.1.5923.1.1.1.3eduPersonOrgDN
mailurn:oid:0.9.2342.19200300.100.1.3
eduPersonAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.1eduPersonAffiliation
eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9eduPersonScopedAffiliation
eduPersonEntitlementurn:oid:1.3.6.1.4.1.5923.1.1.1.7eduPersonEntitlement

TransientId is the default NameID.

...

Service Provider Installation

There are at least four choices for Service Provider installation.We have experimented with the C version and links to our notes are included here. As we try other versions we will update this sitemany Service Provider products, for example Shibboleth, SimpleSAMLphp, passport-saml, etc. You should choose one that fit your hosting environment. We have installation instructions for Shibboleth Service Provider. For other Service Providers please refer to its own product documentation.

How to install Shibboleth Service Provider on Windows

How to Install Shibboleth Service Provider on Linux

Simplesamlphp