Getting Started With Shibboleth

Set Up a U-M Shibboleth Service Provider

There are six steps to setting up a Shibboleth Service Provider (SP) at U-M. Watch this two-minute video to learn about the process.

  1. Install and configure the Shibboleth Service Provider software.

    If you like, you can set it up to use multifactor authentication.

  2. Generate the SP metadata, which allows the SP and the IdP to communicate.
  3. Test the installation to make sure your SP is set up properly. Instructions for testing are in the relevant setup documentation for your SP.
  4. Contact the ITS Identity and Access Management team.
    1. Submit the Shibboleth Configuration Request Form. You'll need to provide the following information:
      1. Your SP's metadata
      2. Contact information for the people supporting and configuring your service
      3. The entity ID or host name of your service
      4. The attributes your service will need to work
    2. Review the Attributes Pre-Approved for U-M Release in U-M Shibboleth Attribute Release Policy and Procedure to see if your service will need additional attributes. If so, complete the Shibboleth Attribute Release Request Form.
  5. The ITS Identity and Access Management team will contact you to let you know that your service has been set up with the staging IdP. Test your service to make sure that the right information is being released, and to confirm that people are able to log in. Be aware of the relevant Test Environment Resources listed in the Shibboleth Service Provider Configuration Resources. If your tests pass, your SP is ready for step six.
  6. Prepare for production by updating your configuration files with the Production Environment Resources listed in the Shibboleth Service Provider Configuration Resources. Re-generate your metadata and provide it to the Identity and Access Management team.
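A pre-submission check of the generated SP metadata, covering the entity ID, endpoints, and keys that the request form in step 4 asks about. This is an added example, not U-M's or the Shibboleth project's code. The function name, the sample metadata, and the `service.example.edu` host are constructed for illustration, and the checks shown are this example's own rather than U-M requirements.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entity ID, host and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://service.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://service.example.edu/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_sp_metadata(xml_text):
    """Return (summary, problems) for a single SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return {}, ["root element is not md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute is missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"entity_id": entity_id}, problems + ["no SPSSODescriptor role"]
    # Endpoints where the IdP will deliver assertions.
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        problems.append("no AssertionConsumerService endpoints")
    for _binding, location in acs:
        if not (location or "").startswith("https://"):
            problems.append(f"ACS endpoint is not HTTPS: {location}")
    # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
    key_uses = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is not None:
            use = kd.get("use") or "signing+encryption"
            key_uses[use] = key_uses.get(use, 0) + 1
    if not key_uses:
        problems.append("no KeyDescriptor with an X509Certificate")
    return {"entity_id": entity_id, "acs": acs, "key_uses": key_uses}, problems

if __name__ == "__main__":
    print(summarize_sp_metadata(SAMPLE_METADATA))
```

Running the same check again after re-generating metadata in step 6 shows whether the entity ID or endpoints changed between the staging and production submissions.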

Releasing a new Shibboleth SP to production could, for complex configurations, take the Identity and Access Management team up to two weeks. Configurations requiring additional attributes or customized authorization setups can take longer.

If you're adding Shibboleth to a vendor-provided service, the Identity and Access Management team is happy to work with the vendor on technical issues, but it is expected that you will maintain the vendor relationship and initiate contact with the vendor when needed.