
Shibboleth is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users.

Integrators outside of InCommon who would like to make use of Cornell's Identity Provider may point to the test IDP first and work through any initial issues.
When you are ready to move your integration into production, please submit a request at https://shibrequest.cit.cornell.edu to start the process.


Please join the Cornell Shibboleth admins mailing list by sending an email to cornell-shib-users-L-request@cornell.edu with the word join as the subject line. Leave the body of the message blank.

Info: Following the critical security advisory that the Shibboleth Consortium released on Feb 27 2018, the Identity Provider will insist on the use of XML Encryption going forward. From now on, every new service provider must provide a certificate for encryption in its metadata.
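The requirement above can be checked before a service provider submits its metadata. The following is an added example (not Cornell's or the Shibboleth project's own tooling) that reads SP metadata and reports whether it carries an encryption-capable certificate. Per the SAML metadata specification, a KeyDescriptor with use="encryption" qualifies, as does one with no use attribute at all (which means both signing and encryption); a use="signing" key alone does not. The sample metadata, entityID and certificate body are constructed placeholders.

```python
"""Check whether SAML 2.0 SP metadata carries a certificate usable for XML
Encryption.  Added example for this page, not Cornell's or Shibboleth's code."""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def encryption_certificates(metadata_xml: str) -> List[str]:
    """Return the base64 body (whitespace removed) of every X509Certificate
    in an SPSSODescriptor whose KeyDescriptor may be used for encryption."""
    root = ET.fromstring(metadata_xml)
    certs: List[str] = []
    for sp in root.iter("{%s}SPSSODescriptor" % NS["md"]):
        for kd in sp.findall("md:KeyDescriptor", NS):
            # No use attribute means signing AND encryption; "signing" alone is excluded.
            if kd.get("use") not in (None, "encryption"):
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    certs.append("".join(cert.text.split()))
    return certs


def has_encryption_certificate(metadata_xml: str) -> bool:
    """True when the SP publishes at least one encryption-capable certificate."""
    return bool(encryption_certificates(metadata_xml))


# Constructed sample metadata: placeholder entityID and a placeholder (not real)
# certificate body, so the checks above can be exercised offline.
PLACEHOLDER_CERT = "MIIBplaceholderCertificateBodyNotARealCert"


def key_descriptor(use: Optional[str] = None) -> str:
    """Build one md:KeyDescriptor element, optionally with a use attribute."""
    use_attr = ' use="%s"' % use if use else ""
    return ("<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data>"
            "<ds:X509Certificate>%s</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>") % (use_attr, PLACEHOLDER_CERT)


def build_sp_metadata(key_descriptors: str) -> str:
    """Wrap the given KeyDescriptor elements in a minimal SP EntityDescriptor."""
    return """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    %s
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"], key_descriptors)


SIGNING_ONLY_METADATA = build_sp_metadata(key_descriptor("signing"))
SIGN_AND_ENCRYPT_METADATA = build_sp_metadata(key_descriptor("signing") + key_descriptor("encryption"))
UNQUALIFIED_KEY_METADATA = build_sp_metadata(key_descriptor())

if __name__ == "__main__":
    for label, md in (("signing only", SIGNING_ONLY_METADATA),
                      ("signing + encryption", SIGN_AND_ENCRYPT_METADATA),
                      ("single key, no use attribute", UNQUALIFIED_KEY_METADATA)):
        print("%-30s encryption-capable certificate: %s" % (label, has_encryption_certificate(md)))
```

Run it against a real SP's metadata file by passing the file contents to has_encryption_certificate; a False result is exactly the case the advisory note above says the IDP will reject.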

Cornell IDP Info

Generally, vendors will have the following questions. You can send them a link to this page to get started.

What is the EntityID for the Cornell Identity Provider?

Prod IDP: https://shibidp.cit.cornell.edu/idp/shibboleth

Test IDP: https://shibidp-test.cit.cornell.edu/idp/shibboleth


What is the URL for Cornell IDP metadata?

Cornell is a member of InCommon, and Cornell's metadata is included in InCommon's metadata. Get Cornell's metadata from InCommon:

http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml

If you just need the Cornell IDP metadata itself, get it from:

https://shibidp.cit.cornell.edu/idp/shibboleth

If you are integrating a test instance of your application, please point it to the Cornell IDP test instance. The Test IDP's metadata can be accessed from https://shibidp-test.cit.cornell.edu/idp/shibboleth


IDP Certificate

Download Prod IDP certificate

Download Test IDP certificate


IDP Login URL

Prod IDP login URL (POST binding): https://shibidp.cit.cornell.edu/idp/profile/SAML2/POST/SSO

Prod IDP login URL (Redirect binding): https://shibidp.cit.cornell.edu/idp/profile/SAML2/Redirect/SSO

Test IDP login URL (POST binding): https://shibidp-test.cit.cornell.edu/idp/profile/SAML2/POST/SSO

Test IDP login URL (Redirect binding): https://shibidp-test.cit.cornell.edu/idp/profile/SAML2/Redirect/SSO


Does the Cornell Identity Provider provide a logout service?
No. Our IdP doesn't support logout because our credentials stick around until you close your browser. We usually recommend that you give the user instructions to quit the browser if they want to log out. Recently one of our vendors hooked up their logout button to a page that gives instructions – see example.


Does Cornell Shibboleth work with Weill Cornell Medical school CWIDs?

No. Weill Medical school has its own Identity Provider. If your application's service provider supports multiple Identity Providers, we can publish your SP's metadata with InCommon. Then your application is able to use the Weill Medical Identity Provider.


Does Cornell Shibboleth work with GuestIDs?

Yes. Implementation requires coordination with the Identity Management team; please email idmgmt@cornell.edu. GuestID login needs to be enabled for your site in the IDP if your site supports it. On the last page of the Shibboleth Integration request form there is a question about whether your site supports GuestID login. Please check "Yes" if your site needs to support it.


Does the Cornell Identity Provider provide High Availability?

Yes, the Identity Provider sits behind a load balancer, which provides load balancing and failover.


What attributes does the Cornell Identity Provider release?

Currently we release the following public attributes. Other attributes are available but must be configured; please send email to idmgmt@cornell.edu if you don't see the attribute you are looking for.

The majority of Service Providers use the Attribute Name in the SAML Assertion (the value in the second column) to map to the attribute in their system, but some service providers use the Friendly Name in the SAML Assertion.

Attribute Name in Enterprise Directory          Attribute Name in SAML Assertion
------------------------------------------      ------------------------------------------
eduPersonPrimaryAffiliation                     urn:oid:1.3.6.1.4.1.5923.1.1.1.5
cn (commonName)                                 urn:oid:2.5.4.3
eduPersonPrincipalName (netid@cornell.edu)      urn:oid:1.3.6.1.4.1.5923.1.1.1.6
givenName (first name)                          urn:oid:2.5.4.42
sn (last name)                                  urn:oid:2.5.4.4
displayName                                     urn:oid:2.16.840.1.113730.3.1.241
uid (netid)                                     urn:oid:0.9.2342.19200300.100.1.1
eduPersonOrgDN                                  urn:oid:1.3.6.1.4.1.5923.1.1.1.3
mail                                            urn:oid:0.9.2342.19200300.100.1.3
eduPersonAffiliation                            urn:oid:1.3.6.1.4.1.5923.1.1.1.1
eduPersonScopedAffiliation                      urn:oid:1.3.6.1.4.1.5923.1.1.1.9
eduPersonEntitlement                            urn:oid:1.3.6.1.4.1.5923.1.1.1.7

TransientId is the default NameID.
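To show what an SP does with the attributes in this table, here is an added example (not Cornell's code and not any SP product's code) that reads the AttributeStatement of a SAML assertion, keys each Attribute on the OID in its Name, and falls back to FriendlyName only when it matches a name from the table; anything else is dropped rather than trusted. It also reports the Subject NameID format so you can see the transient default. The assertion is constructed for the example (placeholder NetID, values and ID), and the code models only the mapping step: in a real SP, signature checking and decryption happen before anything here runs.

```python
"""Map OID-named SAML attributes to enterprise-directory names and read the
NameID format.  Added example for this page, not Cornell's or an SP's code."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# OID -> enterprise directory name, taken from the attribute table on this page.
OID_TO_DIRECTORY_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": "eduPersonPrimaryAffiliation",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.3": "eduPersonOrgDN",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {directory name: [values]} for the attributes in the assertion.

    Lookup is by OID (the Name attribute).  FriendlyName is accepted only when
    the OID is unknown and the FriendlyName is one of the table's names."""
    root = ET.fromstring(assertion_xml)
    known_names = set(OID_TO_DIRECTORY_NAME.values())
    result: Dict[str, List[str]] = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        key = OID_TO_DIRECTORY_NAME.get(attr.get("Name", ""))
        if key is None and attr.get("FriendlyName") in known_names:
            key = attr.get("FriendlyName")
        if key is None:
            continue  # not an attribute this IdP releases: ignore it
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        result.setdefault(key, []).extend(values)
    return result


def name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the Subject's NameID."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    if nid is None:
        raise ValueError("assertion has no Subject/NameID")
    return nid.get("Format", ""), (nid.text or "").strip()


def uses_transient_name_id(assertion_xml: str) -> bool:
    """True when the NameID is the transient format this IdP uses by default."""
    return name_id(assertion_xml)[0] == TRANSIENT_FORMAT


# Constructed sample assertion (placeholder NetID abc123, placeholder ID and
# values, no signature); it exists only to exercise the functions above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="%s" ID="_exampleassertion"
    Version="2.0" IssueInstant="2018-03-01T00:00:00Z">
  <saml:Issuer>https://shibidp-test.cit.cornell.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="%s">_7f3a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>abc123</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>abc123@cornell.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>staff@cornell.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:9.9.9.9.9" FriendlyName="somethingUnexpected">
      <saml:AttributeValue>ignored</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (SAML_NS, TRANSIENT_FORMAT)

if __name__ == "__main__":
    print("NameID:", name_id(SAMPLE_ASSERTION))
    for name, values in extract_attributes(SAMPLE_ASSERTION).items():
        print("%-28s %s" % (name, ", ".join(values)))
```

Because the NameID is transient, the value changes on every login; an SP that needs a stable identifier should key its accounts on uid or eduPersonPrincipalName from the attribute map, not on the NameID.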

What SessionInitiator config do I need to use to direct users right to the Cornell Identity Provider?

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="https://shibidp.cit.cornell.edu/idp/shibboleth">
    <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

Can I get a Cornell NetID to test with?
If you don't already have a Cornell NetID, you might be able to obtain an exception with a sponsored NetID. Please talk to your contact at Cornell, or email idmgmt@cornell.edu.

Do you have a list of sites that are currently using Shibboleth authentication at Cornell?

Service Provider Installation

Installing the Shibboleth Service Provider is a little more involved than installing CUWebAuth. We are still developing Cornell-specific installation documentation, and we would appreciate your contributions to this wiki!

There are at least four choices for Service Provider installation. We have experimented with the C version, and links to our notes are included here. As we try other versions we will update this site.

Simplesamlphp

This is a popular version in use by many organizations and vendors.

C version, distributed on the Internet2 site

To begin with, you will want to look at the Shibboleth documentation site; we recommend that you install Shibboleth SP 2.4 or later. (Cornell is currently running version 2.3 of the Shibboleth Identity Provider.) You will first want to follow the installation instructions, then the configuration instructions, and then test with testshib.org; the testshib website has easy instructions that you can follow to do your test. Once you have done that, you can contact us to obtain the Cornell metadata file so that you can authenticate via the Cornell IdP. If you want to work with the InCommon Federation Identity Providers, please contact us.

Service Provider Installation how-tos


There are many Service Provider products, for example Shibboleth, SimpleSAMLphp, passport-saml, etc. You should choose one that fits your hosting environment. We have installation instructions for the Shibboleth Service Provider; for other Service Providers please refer to that product's own documentation.

How to install Shibboleth Service Provider on Windows

How to Install Shibboleth Service Provider on Linux

Simplesamlphp