At U-M, Shibboleth is used to allow members of the U-M community to log in to websites at other institutions that are members of the InCommon Federation using their uniqname and UMICH (Level-1) password. It is also used to enable login using a uniqname and UMICH password to U-M Google, U-M Box, and other cloud-based services used at the university.
Here's how it works:
- The user goes to the website and clicks the link to log in.
- When accessing services provided by other institutions, the user will be asked to select their home institution (U-M) from a list. When accessing cloud services contracted for by the university, the user may be connected immediately to the U-M Weblogin page.
- The U-M Weblogin page is displayed, and the user logs in using his/her uniqname and UMICH password.
- For services provided by other institutions, the user is shown the identity information that will be released to allow login and can confirm or deny the release.
- If release is confirmed, the user is logged in.
Using Shibboleth for Your Service
If you want to allow people to log in to your service or application using their uniqname and UMICH (Level-1) password, consider using Shibboleth. Watch this 2-minute video to learn more about Shibboleth and when you should use it.
Shibboleth is an open source single sign-on system used by the University of Michigan. It handles authentication (checking for proof of identity) and authorization (checking for who has permission to use the service) for services.
Single sign-on means that if a person is already logged in to a Shibboleth-enabled service, such as their university Google email, they won't have to log in again when they access another Shibboleth-enabled service. For members of the U-M community, this process looks similar to logging in through U-M Weblogin. To learn more about how it works, see Logging in to Shibboleth-Enabled Services and Websites.
Shibboleth consists of two parts: an Identity Provider (IdP) and a Service Provider (SP).
- Identity Provider
- The IdP verifies a person's login credentials when they log in using Shibboleth. If the credentials are valid, the IdP releases information about the person (called attributes) to the SP.
- The Identity and Access Management team, part of ITS, provides an IdP for the University of Michigan that uses authoritative identity information from the MCommunity Directory.
- Service Provider
- The SP uses the attributes provided by the IdP to determine whether or not the person is authorized to access the service.
- Each SP is managed by U-M IT staff or the vendor providing the service. For example, the SP for U-M Google mail at U-M is managed by ITS and Google.
Shibboleth uses SAML, an industry standard protocol, to share the attributes. This makes it easy to set up with vendor-provided software and services.
Shibboleth enables you to do the following with your service:
- Restrict access only to people that should have access based on authoritative information about their relationships to the university.
- Allow people from other institutions that are a part of the InCommon Federation to log in using their institutional credentials.
- Personalize the user experience of your application according to user affiliation.
- Protect information on a server by requiring a person to be authenticated to gain access. Shibboleth can be used to protect all the information on a server, or only specific resources on the server.