Contact the ITS Service Center with questions about logging in to any U-M Weblogin resource, including those that use Shibboleth.
- For general information about Weblogin at U-M, see Using Web-Authenticated Resources (Weblogin Using Cosign) at U-M.
- For details about logging in using Shibboleth, see Logging in to Shibboleth-Enabled Services and Websites.
Logging in to a Shibboleth-Enabled Service
For members of the U-M community, logging in to a Shibboleth-enabled service (such as U-M Google or U-M Box) looks similar to logging in through U-M Weblogin. To learn more about how it works, see Logging in to Shibboleth-Enabled Services and Websites, which describes what happens when you log in to a Shibboleth-enabled service provided by U-M or the InCommon Federation.
Logging Out of a Shibboleth-Enabled Service
Multiple sessions may be active when a person uses Shibboleth, so managing logout can be complicated. After authenticating, a user may have active sessions with the web application, the Service Provider (SP), and the Identity Provider (IdP).
When a user clicks a logout button in an SP's web application, their web application and SP sessions are ended, but they are not usually logged out of the IdP. Closing the browser may not end the IdP session. If the user revisits the web application, they are automatically re-authenticated because they still have a valid IdP session cookie.
For more about Shibboleth and logging out, see
- Single Logout (SLO) Issues (Shibboleth Wiki)
- Identity Provider and Service Provider Single Logout (University of Texas at Austin)
Configure Shibboleth Authentication for Your Service
U-M departmental IT staff can follow the steps below to make a web resource available as a Service Provider (SP) using Shibboleth authentication.
Register your Service Provider:
Submit the Shibboleth Configuration Request Form. Depending on the complexity of your request, it may take several weeks or more to complete. Please submit your request as early as possible.
If your Service Provider requires release of attributes that are not pre-approved, submit the Shibboleth Attribute Release Request Form. See Shibboleth Attribute Release Policy and Procedure for details.
Configure your Service Provider:
Shibboleth Service Provider Configuration Resources
This document provides the metadata, web certificate, and entityID information for the U-M Identity Provider (IdP) test and production environment.
How to Set Up a Shibboleth 2.X Service Provider on Windows and IIS
This document provides configuration instructions for configuring your own Shibboleth Service Provider on Windows.
How to Set Up a Shibboleth 2.X Service Provider on Linux and Apache
This document provides configuration instructions for configuring your own Shibboleth Service Provider on Linux.
Configuring Your Service Provider for Two-Factor Authentication
This document provides configuration instructions for enabling two-factor authentication on your Shibboleth Service Provider.
Configuring Your Service Provider for Step-Up Two-Factor Authentication
This document provides configuration assistance for implementing two-factor authentication for only a portion of a Shibboleth Service Provider.
Additional assistance for U-M IT staff members:
- To request a Shibboleth configuration, submit the Shibboleth Configuration Request Form.
- For assistance with your Shibboleth installation, see the available documentation provided by ITS, or the Shibboleth Project wiki.
- Questions or concerns? Send email to: firstname.lastname@example.org.