Contact the ITS Service Center with questions about logging in to any U-M Weblogin resource, including those that use Shibboleth.
For general information about Weblogin at U-M, see Using Web-Authenticated Resources (Weblogin Using Cosign) at U-M.
For members of the U-M community, logging in to a Shibboleth-enabled service (such as U-M Google or U-M Box) looks similar to logging in through U-M Weblogin. To learn more about how it works, see Logging in to Shibboleth-Enabled Services and Websites, which describes what happens when you log in to a Shibboleth-enabled service provided by U-M or the InCommon Federation.
Multiple sessions may be active when a person uses Shibboleth, so managing logout can be complicated. After authenticating, a user may have active sessions with the web application, the Service Provider (SP), and the Identity Provider (IdP).
When a user clicks a logout button in an SP's web application, their web application and SP sessions are ended, but they are not usually logged out of the IdP. Closing the browser may not end the IdP session. If the user revisits the web application, they are automatically re-authenticated because they still have a valid IdP session cookie.
For more about Shibboleth and logging out, see
- Single Logout (SLO) Issues (Shibboleth Wiki)
- Identity Provider and Service Provider Single Logout (University of Texas at Austin)
To make a web resource available as a Service Provider (SP) with Shibboleth authentication, U-M IT staff can use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry standard protocols. This allows it to work with a wide variety of vendor-provided software and services. See Shibboleth Protocol Options for an explanation of differences in the protocol choices.
For the overall configuration steps, refer to:
- Set Up a SAML Service Provider for use with Shibboleth at U-M
- Set Up an OIDC Service Provider for use with Shibboleth at U-M
Additional assistance for U-M IT staff members:
- To request a Shibboleth configuration, submit the Shibboleth Configuration Request Form.
- For assistance with your Shibboleth installation, see the available documentation provided by ITS, or the Shibboleth Project wiki.
- Questions or concerns? Send email to: firstname.lastname@example.org.