Shibboleth


What is Shibboleth?

Shibboleth is among the world's most widely deployed single sign-on (SSO) frameworks, connecting users to applications both within and between organizations. Every software component of the Shibboleth system is free and open source.

Why use Shibboleth?

Shibboleth relieves your application of the responsibility for handling passwords and is UCSC's preferred method of authentication. By utilizing Shibboleth, you are helping to improve security throughout our information ecosystem.

Shibboleth can also provide information (called attributes) to your application inside the signed and encrypted SAML assertion it delivers at login. These might include first name, last name, CruzID, and affiliation status. Your application can use attributes to decide whether a user belongs to a population that should have access to your service (see the Attributes available via Shibboleth page).
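The paragraph above describes the typical pattern: the Shibboleth SP verifies the IdP's assertion and exports the released attributes into the request environment, and the application makes its access decision from those values. The following is an added example (not UCSC's or the Shibboleth project's code) of that application-side check. It assumes a Python web application behind a Shibboleth SP, attribute ids following the SP's default attribute map (`givenName`, `sn`, `unscoped-affiliation`, `REMOTE_USER`, `Shib-Session-ID`) plus a hypothetical `cruzid` id standing in for however your SP maps the campus CruzID; the sample environment is constructed. It reads server variables rather than HTTP headers, because headers can be supplied by the client while the environment is populated only by the SP, and it handles multi-valued attributes, which the SP joins with semicolons.

```python
"""Added example of attribute-based access control behind a Shibboleth SP.

This is not UCSC's or the Shibboleth project's code; attribute ids below are
assumptions (see the lead-in), and SAMPLE_ENVIRON is constructed data.
"""
from dataclasses import dataclass

MULTI_VALUE_SEP = ";"  # Shibboleth SP joins multi-valued attributes with ';'

# Attribute ids as the SP exports them to the request environment.
# ASSUMPTION: givenName / sn / unscoped-affiliation follow the SP's default
# attribute-map.xml; 'cruzid' is hypothetical and stands in for however your
# SP maps the campus CruzID attribute.
ATTR_CRUZID = "cruzid"
ATTR_GIVEN_NAME = "givenName"
ATTR_SURNAME = "sn"
ATTR_AFFILIATION = "unscoped-affiliation"


class NotAuthenticated(Exception):
    """Raised when the request carries no Shibboleth SP session."""


@dataclass(frozen=True)
class ShibUser:
    cruzid: str
    first_name: str
    last_name: str
    affiliations: frozenset


def split_multi(value):
    """Turn an SP-exported value into a set of values; empty or missing -> empty set."""
    if not value:
        return frozenset()
    return frozenset(v.strip() for v in value.split(MULTI_VALUE_SEP) if v.strip())


def user_from_environ(environ):
    """Build a ShibUser from SP-populated server variables, never from HTTP headers.

    The SP sets these variables only after verifying the IdP's signed assertion,
    so the application does not need to touch the SAML itself.
    """
    if not environ.get("Shib-Session-ID"):
        raise NotAuthenticated("no Shibboleth session on this request")
    cruzid = environ.get(ATTR_CRUZID) or environ.get("REMOTE_USER", "")
    if not cruzid:
        raise NotAuthenticated("session present but no user identifier was released")
    return ShibUser(
        cruzid=cruzid,
        first_name=environ.get(ATTR_GIVEN_NAME, ""),
        last_name=environ.get(ATTR_SURNAME, ""),
        affiliations=split_multi(environ.get(ATTR_AFFILIATION)),
    )


def may_access(user, allowed_affiliations):
    """Population check: grant only if the user holds at least one allowed affiliation."""
    return bool(user.affiliations & frozenset(allowed_affiliations))


# Constructed sample of what mod_shib would place in the environment (not real data).
SAMPLE_ENVIRON = {
    "Shib-Session-ID": "_constructed_session_id",
    "REMOTE_USER": "sammy@ucsc.edu",
    "cruzid": "sammy",
    "givenName": "Sammy",
    "sn": "Slug",
    "unscoped-affiliation": "member;staff;employee",
}

if __name__ == "__main__":
    user = user_from_environ(SAMPLE_ENVIRON)
    print(user)
    print("staff/faculty area:", may_access(user, {"staff", "faculty"}))
    print("faculty-only area:", may_access(user, {"faculty"}))
```

Keeping the decision in `may_access` with an explicit allow-set, rather than checking for the absence of a denied value, means a user whose affiliation attribute was not released at all (an empty set) is denied by default.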

Homegrown Applications vs. Vendor Applications

Homegrown applications are traditionally easier to Shibbolize; vendor applications are more tightly controlled and may not (natively) have the proper hooks. In some cases, additional programming and/or configuration may be required for vendor applications to utilize Shibboleth. More information can be found in the Shibboleth technical documentation.

Single Sign-On and Force Authentication

Single sign-on (SSO) allows users who have signed into one Shibboleth application to access many other Shibboleth applications within a 12-hour window without having to sign in again. SSO reduces the number of times users need to log in during the day.

A few applications will still require the user to enter CruzID and password every time they enter the application. These applications "force authentication" because they handle higher-risk data and protected information, such as Payroll. SAML2 provides a mechanism that allows a service provider (SP) to request that the IdP (identity provider/login server) re-challenge the user for CruzID and password even when a valid SSO session exists. The configuration options that make the IdP re-challenge the user are documented in the Shibboleth technical documentation.
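To make the SAML2 mechanism concrete, here is an added example (not UCSC's or the Shibboleth project's code) that builds a minimal SAML2 AuthnRequest with the `ForceAuthn="true"` flag an SP sets when it wants a fresh login, and shows the decision the IdP side makes when that flag is present: the existing SSO session (the page's 12-hour window) is ignored and the user is prompted again. Only the Python standard library is used; the entity ids and URLs are constructed placeholders, and the request omits signing and the optional elements a real SP would include.

```python
"""Added example: SAML2 ForceAuthn from the SP and IdP sides.

Not UCSC's or the Shibboleth project's code. Entity ids and URLs used in the
example are constructed placeholders; the request is unsigned and minimal.
"""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SSO_LIFETIME_SECONDS = 12 * 60 * 60  # the 12-hour SSO window described on the page


def build_authn_request(sp_entity_id, acs_url, force_authn=False):
    """Return a minimal SAML2 AuthnRequest (as an XML string) for the given SP.

    ForceAuthn is the SAML2 attribute an SP sets to ask the IdP to re-challenge
    the user even if the IdP already holds a session for them. When it is absent
    the protocol default is "false".
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = sp_entity_id  # the SP's entityID, e.g. https://<host>/shibboleth
    return ET.tostring(req, encoding="unicode")


def force_authn_requested(authn_request_xml):
    """IdP-side helper: read the ForceAuthn flag from an AuthnRequest (absent == false)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML2 AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def idp_must_challenge(authn_request_xml, session_age_seconds):
    """Decide whether the IdP may reuse its SSO session or must prompt for credentials.

    session_age_seconds is None when the browser presents no IdP session at all.
    The session is reused only if it exists, is inside the SSO window, and the
    SP did not set ForceAuthn.
    """
    if session_age_seconds is None:
        return True
    if session_age_seconds >= SSO_LIFETIME_SECONDS:
        return True
    return force_authn_requested(authn_request_xml)


if __name__ == "__main__":
    # Constructed placeholders standing in for a real SP's entityID and ACS URL.
    sp = "https://myapp.example.ucsc.edu/shibboleth"
    acs = "https://myapp.example.ucsc.edu/Shibboleth.sso/SAML2/POST"
    ordinary = build_authn_request(sp, acs)
    payroll_like = build_authn_request(sp, acs, force_authn=True)
    print(payroll_like)
    one_hour = 3600
    print("ordinary SP, 1h-old session -> prompt again?", idp_must_challenge(ordinary, one_hour))
    print("ForceAuthn SP, 1h-old session -> prompt again?", idp_must_challenge(payroll_like, one_hour))
```

The check in `idp_must_challenge` is deliberately ordered so that a missing or expired session is handled before the flag is read: ForceAuthn only matters when there is a session that could otherwise be reused.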

What attributes are available via Shibboleth?

The current list is maintained on the Attributes available via Shibboleth page.

Interested in using Shibboleth for your application?

It is the responsibility of each application to install and maintain its own Shibboleth Service Provider.

Step 1: Get started by reviewing available technical documentation.

Step 2: Fill out this request form in SlugHub. (If you do not have credentials to log in to SlugHub, send an email to help@ucsc.edu asking for assistance completing the request form.)

Step 3: Upon completion of the above steps and receipt of the SlugHub ticket, the Identity Management team can provide minimal consultation for those still having questions after reviewing the available documentation.


Glossary

Attributes

Data about the user that can be provided to your application via Shibboleth (e.g., first name, last name, email). Some Shibboleth attributes are populated from LDAP attributes. The full list is on the Attributes available via Shibboleth page.

EntityID

A globally unique identifier for your service, usually your server's host name or CNAME with the path "/shibboleth" appended. For example, "https://<your_service_name>.ucsc.edu/shibboleth".

Identity Provider (IdP)

The login server behind Shibboleth, in our case managed by the ITS Identity Management team (see also, Service Provider)

SAML

Security Assertion Markup Language, the underlying technology Shibboleth uses

Service Provider (SP)

"Service Provider" has multiple related meanings: it can refer to the web application that users sign into with Shibboleth, the server(s) where the application lives, or the software installed on the application servers that communicates with the IdP (identity provider) and grants access to the application. (see also, Identity Provider)

Shibboleth

A product that utilizes SAML to let your application take advantage of campus login systems without having to manage the accounts on your own. Offers greater security and consistency for the users of your application.

Shibbolized

Your configured application uses Shibboleth for login (informal term)

SSO - Single Sign-On

Single sign-on (SSO) allows a user who signs in to one CruzID Gold application to access certain other CruzID Gold applications without having to sign in again.

Shibboleth Resources

Shibboleth Wiki

The Shibboleth Wiki is the primary source of documentation for all aspects of installing and configuring Shibboleth.

Shibboleth 2 Wiki

Shibboleth 1 Wiki


Internet2 Mailing Lists

The Shibboleth project maintains three mailing lists to announce news and discuss Shibboleth development and deployment. You are strongly encouraged to join shibboleth-users if you have any trouble installing or configuring Shibboleth. Subscription details are available at http://shibboleth.internet2.edu/support.html#lists.

SAML Overview

UCSC Campus LDAP

UCSC Shibboleth technical documentation

UCSC Attributes available via Shibboleth