Shibboleth Glossary




See attribute assertion.

Assertion Consumer Service (ACS)

The service that uses assertions to initiate a session with a Service Provider. The ACS is an endpoint (URL) stored in the metadata of the Service Provider to which the assertions are sent. The Identity Provider uses the metadata to send the assertions to the proper URL.


A single piece of information associated with an electronic identity database record, such as an MCommunity Directory profile. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. See U-M InCommon Attribute Release Policy and Procedure for more details about attributes at U-M.

Attribute Assertion

The identity information provided by an Identity Provider to a Service Provider using SAML. The assertion carries attribute information about the user, such as their uniqname.

Attribute Authority

The authoritative source for attributes.

Attribute Release Consent

A mechanism that allows a user to be informed about and accept or decline the release of attributes to a Service Provider. For more information about how this functions at U-M, see User Confirmation of Attribute Release.

Attribute Release Policy (ARP)

A defined set of attributes to be released by an Identity Provider to a Service Provider, functioning as an attribute filter for privacy and data protection. The attribute release policy can differ for each Service Provider. See U-M InCommon Attribute Release Policy and Procedure for more details about the attribute release policy at U-M.

Attribute Resolver

An element of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, etc.) and alters them in a way that allows them to be used by SAML.


The process by which a person verifies or confirms their affiliation with an electronic identifier. Logging in successfully to a service using a uniqname (or Friend Account) and password is a form of authentication.


The process by which a person is granted access to a service. A Shibboleth Service Provider could use various attributes to determine the access rights of a person, or use the OARS system to require access if the customers are all U-M affiliates.



A digital representation of information that uses a public key encryption system to verify identity. A certificate is issued by a certificate authority, which verifies that a public key belongs to a specific company or person. Relevant certificates for U-M are available at Shibboleth Service Provider Configuration Resources.

Certificate Authority (CA)

A certificate authority (CA) is an authority in a network that issues and manages certificates that serve as security credentials and public keys for message encryption.


Cookie-based single sign-on using Kerberos passwords. Shibboleth at U-M uses Cosign to provide authentication to Service Providers. More information about Cosign is available at the project site.


Discovery Service (DS)

Allows a user to choose which one of a number of Identity Providers they would like to use. Formerly known as the Where Are You From (WAYF) service. Most useful in federated contexts, where a Service Provider allows users from a number of different sites.


A directory is a specialized database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations, and other resources. Also known as an electronic identity database. At U-M, the MCommunity Directory stores this information.

Domain Name

Identifies a resource (such as a website or server) that has an IP address. The domain name serves as an easily recognizable and memorable name for the IP addresses. is an example of a domain name.

Domain Name System (DNS)

Translates domain names to and from IP addresses.


Electronic Identifier

A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a Kerberos principal name, a username or uniqname, a UMID or a PKI certificate.

Electronic Identity

A set of information that is maintained about an individual, typically in an electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used. At U-M, this is known as an MCommunity Directory profile.

Electronic Identity Database

A structured collection of information pertaining to a given individual. At U-M, the MCommunity Directory is such a database, and uses LDAP. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example, LDAP or a set of linked relational databases.


A URL on an Identity or Service Provider that performs a specific function within the SAML authentication protocol. The two most commonly used endpoints are the Identity Provider's Single Sign-on Service and the Service Provider's Assertion Consumer Service.


The object in a set of attributes that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in the service. Entitlements could be used to allow managers to have certain capabilities within a web application, but prevent their employees from having those same capabilities.

Entity ID

An entity ID is a globally unique name given to a SAML entity, either an Identity Provider (IdP) or a Service Provider (SP). An entity ID may or may not actually resolve to a web resource. (If it does, it is usually a page that describes the deployment.) An entity ID is a persistent identifier for the entity. Make every effort to choose a permanent name for your deployment that will persist indefinitely. U-M's entity ID is listed in the Shibboleth Service Provider Configuration Resources.

EPPN (eduPersonPrincipalName)

This identifier takes the form principal@domain and is the most common form of identity in higher ed. While it may resemble an email address, it is not one.



A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions. U-M and InCommon are examples of federations.

Friend Account

A Friend account is basically a U-M guest computing account. It allows someone who does not have a U-M uniqname and UMICH password to authenticate to the U-M computing environment. Providers of U-M computing services can then authorize Friend account holders to use certain services as appropriate. Friend accounts are used, for example, by parents and guardians to log in so they can pay student tuition.



Identity as it relates to Shibboleth is the information associated with a specific person or group. The U-M Identity Provider uses the information (identities) stored in the MCommunity Directory to provide various attributes of those identities to Service Providers which request it.

Identity Provider (IdP)

The originating location for a user, which also provides identity attributes about a person. U-M is an example of an Identity Provider.

IIS (Internet Information Services)

A service which allows management and configuration of a web server. Read more about Internet Information Services.


InCommon is a federation of research and education organizations of which U-M is a member.


Internet2 is a computer networking consortium composed of members of the research and education communities, industry, and government. The membership is mostly higher education institutions, including U-M.


LDAP directory

An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). MCommunity is an example of an LDAP directory. See LDAP Access to the MCommunity Directory for more.



Data or information known about an object in order to provide access to the object such as security or rights management information. In a SAML-based federation, metadata allows Service Providers and Identity Providers to communicate with each other safely and securely. Metadata is the basis for trust and interoperability within a federation. Shibboleth also uses metadata to store information about a configuration, such as the support contact. There are three sources of metadata that may be used:

  • U-M Federation metadata
  • InCommon metadata
  • eduGAIN

Details for using U-M Federation metadata are in Shibboleth Service Provider Configuration Resources.


Participant Operating Practices (POP)

A document describing how InCommon participants need to describe their credential and identity management system. Read the POP for U-M.

Persistent Identifier (eduPersonTargetedID)

This special identifier type serves as a permanent anonymized identifier for an identity. While they vary for each Service Provider to allow privacy to be maintained across systems, they are managed to allow for consistency of preferences and to control liability.


QA (Quality Assurance)

A method of testing that assures quality of a software service before being deployed to production. Testing is typically performed in a non-production environment that is meant to mimic the production environment. This environment can also be referred to as QA, test, or staging. The testing resources for U-M are available in Shibboleth Service Provider Configuration Resources.


Relying Party

The provider (Service Provider or Identity Provider) that is receiving and using information from another provider. For example, when a Service Provider receives attribute assertions from the Identity Provider, the Service Provider would be the relying party.


SAML (Security Assertion Markup Language)

A technical standard issued by the OASIS organization defining a means of communicating authentication-related information between administratively disparate systems.

Service Provider (SP)

A resource hosted on a web server that uses Shibboleth to implement single sign-on. The resource redirects unauthenticated users to an Identity Provider and uses the attributes released by the IdP to determine whether or not to provide the features of the service to a user. U-M Google and U-M Dropbox are examples of service providers at U-M.


An application that enables the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth uses institutional sign-on and directory systems to locally authenticate users with an Identity Provider and pass information about them to the Service Provider to enable that site to make an informed authorization decision.

Single Sign-On

A session or user authentication process that allows a user to use one username and password to access multiple applications without being prompted to log in separately at each one.

Social Identity

A social identity is using the identity that you have stored with a social media service such as Google, Facebook, or Twitter to log in to another service. This allows you to use one identity for multiple services (single sign-on), rather than creating multiple usernames and passwords for multiple services. Examples of websites that use social identities are Pinterest and GoodReads.

SSL (Secure Sockets Layer)

An encrypted transport protocol that uses a certificate and cryptographic keys to ensure secure transmission of data across networks. A URL beginning with https:// utilizes SSL encryption.


The environment used for QA testing.

Support Contact

The support contact is the primary contact for the Service Provider. The support contact may be a help desk or a designated support person.


Technical Contact

The technical contact is the primary contact for all technical issues related to the Service Provider. The technical contact is most often the person responsible for the Shibboleth Service Provider configuration, and works with the Shibboleth team to confirm functionality of the service.


UMID (or entityid)

An eight-digit identification number given to most members of the U-M community. See About UMIDs.


A U-M login ID or username that is part of U-M email addresses. Uniqnames are made up of three to eight alphabetic characters (for example, bjensen).



The login page displayed when logging into Cosign-protected services that require authentication. See Using Web-Authenticated Resources (Weblogin Using Cosign) at U-M for more details about Weblogin.

Where Are You From (WAYF)

A service previously used by the Shibboleth software to determine what a user's home organization is. This service has been replaced by the Discovery Service.


XML (Extensible Markup Language)

A standards-based, electronic data format for transferring or organising information. Often used to transfer data between online services. The metadata and configuration files for Shibboleth are stored in xml.