Introduction
This wiki site is offered to assist Cornell web site administrators who are interested in using Shibboleth authentication and authorization technology for access to their website, or to a vendor's website. The Shibboleth Service Provider can usually be used as a replacement for CUWebAuth. The advantage of using Shibboleth is that you can give users from other institutions that are members of the InCommon Federation access to your site.
See the InCommon website for more information and a list of Colleges and Universities that are members.
Shibboleth will not enable people from all colleges and universities to have access to your site, only those that are members of the InCommon Federation. In addition, you can restrict your site to only certain members of InCommon, and only to users from those members who have certain attributes (such as student, faculty, staff, etc.).
Shibboleth is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users.
Integrators outside of InCommon who would like to make use of Cornell's Identity Provider may point to the test IDP first and work through any initial issues. When you are ready to move your integration into production, please submit a request at https://shibrequest.cit.cornell.edu to start the process.
Cornell IDP Info
Generally, vendors will have the following questions. You can send them a link to this page to get started.
Service Provider Installation
How to install Shibboleth Service Provider on Windows
There are at least four choices for Service Provider installation. We have experimented with the C version, and links to our notes are included here. As we try other versions, we will update this site.
This is a popular version in use by many organizations and vendors.
C version, distributed on the Internet2 site
To begin with, you will want to look at the Shibboleth documentation site. We recommend that you install Shibboleth SP 2.4 or later. (Cornell is currently running version 2.3 of the Shibboleth Identity Provider.) First follow the installation instructions, then the configuration instructions, and then test with testshib.org; the testshib website has easy instructions that you can follow to do your test. Once you have done that, you can contact us to obtain the Cornell metadata file so that you can authenticate via the Cornell IdP. If you want to work with the InCommon Federation Identity Providers, please contact us.
Service Provider Installation how-tos
- Linux Internet2 Service Provider Install - in an alternate path (not /usr/sbin) - A supplement to the Shibboleth Documentation website... Use these instructions if you need to install the Service Provider in a non-standard path.