Getting Started With Shibboleth

If you want to allow people to log in to your service or application using their uniqname and UMICH (Level-1) password, consider using Shibboleth. Watch this 2-minute video to learn more about Shibboleth and when you should use it.

Shibboleth is an open-source single sign-on system that U-M uses for authentication (verifying a person's proof of identity) and authorization (determining who has permission to use a service).

Single sign-on means that if a person is already logged in to a Shibboleth-enabled service, such as their university Google email, they won't have to log in again when they access another Shibboleth-enabled service. For members of the U-M community, this process looks similar to logging in through U-M Weblogin. To learn more about how it works, see Logging in to Shibboleth-Enabled Services and Websites.

Shibboleth consists of two parts: an Identity Provider (IdP), and a Service Provider (SP).

  • Identity Provider
    • The IdP verifies a person's login credentials when they log in using Shibboleth. If the credentials are valid, the IdP releases information about the person (called attributes) to the SP.
    • The Identity and Access Management team, part of ITS, provides an IdP for the University of Michigan that uses authoritative identity information from the MCommunity Directory.
  • Service Provider
    • The Shibboleth IdP supports both SAML and OIDC Service Providers.
    • The SP uses the attributes provided by the IdP to determine whether or not the person is authorized to access the service.
    • Each SP is managed by U-M IT staff or the vendor providing the service. For example, the SP for U-M Google mail is managed by ITS and Google.

Shibboleth uses either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry-standard protocols, to share the attributes (SAML) or claims (OIDC). This makes it easy to set up with vendor-provided software and services. See Shibboleth Protocol Options for an explanation of the differences between the protocol choices.
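To make the IdP/SP split concrete, here is an added example (not U-M or Shibboleth project code) of the SP side: it reads the attributes released by the IdP and makes a deny-by-default authorization decision, treating SAML attributes and OIDC claims the same way. The attribute names and values are constructed placeholders, and the code assumes the SP software has already verified the assertion's signature before the attributes are trusted.

```python
"""SP-side authorization over attributes released by a Shibboleth IdP (added example)."""
import xml.etree.ElementTree as ET

# Real SAML 2.0 assertion namespace; the attribute names below are constructed.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement as an SP would see it after the IdP has
# authenticated the user. Only parse this after the SP software has verified
# the assertion signature; unsigned attributes must never drive authorization.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="uniqname">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="affiliation">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from a SAML AttributeStatement or Assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values          # multi-valued attributes stay lists
    return attrs


def claims_to_attributes(claims):
    """Normalise OIDC ID-token claims to the same {name: [values]} shape."""
    return {k: list(v) if isinstance(v, (list, tuple)) else [v] for k, v in claims.items()}


def is_authorized(attrs, required_affiliations):
    """Deny by default: grant access only if the user holds a required affiliation.

    A missing or empty 'affiliation' attribute yields False rather than an error,
    so an IdP that releases fewer attributes than expected cannot open access.
    """
    held = set(attrs.get("affiliation", []))
    return bool(held & set(required_affiliations))
```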
