Shibboleth Support

General Assistance

Contact the ITS Service Center with questions about logging in to any U-M Weblogin resource, including those that use Shibboleth.

For general information about Weblogin at U-M, see Using Web-Authenticated Resources (Weblogin Using Cosign) at U-M.

Logging in to a Shibboleth-Enabled Service

For members of the U-M community, logging in to a Shibboleth-enabled service (such as U-M Google or U-M Dropbox) looks similar to logging in through U-M Weblogin. To learn more about how it works, see Logging in to Shibboleth-Enabled Services and Websites, which describes what happens when you log in to a Shibboleth-enabled service provided by U-M or the InCommon Federation.

Logging Out of a Shibboleth-Enabled Service

Multiple sessions may be active when a person uses Shibboleth, so managing logout can be complicated. After authenticating, a user may have active sessions with the web application, the Service Provider (SP), and the Identity Provider (IdP).

When a user clicks a logout button in an SP's web application, their web application and SP sessions are ended, but they are not usually logged out of the IdP. Closing the browser may not end the IdP session. If the user revisits the web application, they are automatically re-authenticated because they still have a valid IdP session cookie.

For more about Shibboleth and logging out, see

Configure Shibboleth Authentication for Your Service

To make a web resource available as a Service Provider (SP) with Shibboleth authentication, U-M IT staff can use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry-standard protocols. Supporting both protocols allows Shibboleth authentication to work with a wide variety of vendor-provided software and services. See Shibboleth Protocol Options for an explanation of the differences between the protocol choices.

For the overall configuration steps, refer to:

Configuration Assistance

Additional assistance for U-M IT staff members:

Additional Shibboleth Resources