You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 48 Next »

Introduction

This wiki site is offered to assist Cornell web site administrators who are interested in using Shibboleth authentication and authorization technology for access to their website, or to a vendor's website. The Shibboleth Service Provider can usually be used as a replacement for CUWebAuth. The advantage of using Shibboleth is that you can enable access to your site to users from other institutions that are members of the InCommon Federation. 

See the InCommon website for more information and a list of Colleges and Universities that are members.

Shibboleth will not enable people from all colleges and universities to have access to your site, only those that are members of the InCommon Federation. In addition, you can restrict your site to only certain members of InCommon, and only if those members have certain attributes (such as student, faculty, staff, etc.)

Shibboleth is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users.

Working with Vendors

Generally, vendors will have the following questions. You can send them a link to this page to get started.

What is the EntityID for the Cornell Identity Provider?

https://shibidp.cit.cornell.edu/idp/shibboleth

What is the URL for Cornell's metadata?

https://shibidp.cit.cornell.edu/idp/profile/Metadata/SAML

Does the Cornell Identity Provider provide a logout service?

No. Our IdP doesn't support logout because our credentials stick around until you close your browser. We usually recommend that you give the user instructions to quit the browser if they want to log out. Recently one of our vendors hooked up their logout button to a page that gives instructions – see example.

Does Cornell Shibboleth work with Weill Cornell Medical school CWIDs?

Yes. Implementation requires coordination with the Identity Management team, please email idmgmt@cornell.edu.

Does Cornell Shibboleth work with GuestIDs?

No. For more information, please contact the Identity Management team by emailing idmgmt@cornell.edu.

Does the Cornell Identity Provider provide High Availability?

Yes, the Identity Provider is behind the load balancer which provides failover capability to a second server.

What attributes does the Cornell Identity Provider Release?

Currently we release the following public attributes. Other attributes are available but must be configured - please send email to idmgmt@cornell.edu if you don't see the attribute you are looking for.

  • edupersonprimaryaffiliation (eg. student@cornell.edu)
  • commonName 
  • eduPersonPrincipalName (netid@cornell.edu)
  • givenName (first name)
  • uid (netid)
  • eduPersonOrgDN
  • mail
  • surname (last name)
  • transientId
  • displayName

What SessionInitiator config do I need to use to direct users right to the Cornell Identity Provider?

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"   

relayState="cookie" entityID="https://shibidp.cit.cornell.edu/idp/shibboleth">

                <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>

                <SessionInitiator type="Shib1" defaultACSIndex="5"/>

            </SessionInitiator>

Can I get a Cornell NetID to test with?

If you don't already have a Cornell NetID, you might be able to obtain an exception with sponsor NetID. Please talk to the person who is your contact at Cornell, or email idmgmt@cornell.edu.

Do you have a list of sites that are currently using Shibboleth authentication at Cornell?

List of sites currently configured with a Shibboleth SP for authentication and authorization with a Cornell NetID. You can try some of these sites to see what a Shibboleth login looks like. If you are already logged in with your NetID, you may not notice anything except a slight delay. To view the login process in full, exit your browser first to clear your CUWebLogin information.

Service Provider Installation

Installing the Shibboleth Service Provider is a little bit more involved than installing CUWebAuth. We are still developing Cornell specific documentation for installation, and we would appreciate your contributions to this wiki!

There are at least four choices for Service Provider installation.We have experimented with the C version and links to our notes are included here. As we try other versions we will update this site.

Simplesamlphp

This is a popular version in use by many organizations and vendors.

C version, distributed on the Internet2 site

To begin with, you will want to look at the Shibboleth documentation site - we recommend that you install Shibboleth SP 2.4 or later. (Cornell is currently running version 2.3 of the Shibboleth Identity Provider.) You will first want to follow the installation instructions, and then the configuration instructions, and then test with testshib.org - the testshib website has easy instructions that you can follow to do your test. Once you have done that, you can contact us to obtain the Cornell metadata file so that you can authenticate via the Cornell IdP. If you want to work with the InCommon Federation Identity providers, please contact us. (mailto:)

Service Provider Installation how-tos

  • No labels