The information in this article is intended for technical staff who create, maintain, and support applications that require authentication. Most Cornell faculty, students, and staff do not need this information.
Shibboleth Identity Provider (IdP) is an open-source implementation of web single sign-on using the SAML protocol. The Shibboleth Service Provider can often be used as a replacement for CUWebAuth. The advantage of using Shibboleth is that you can enable access to your site for users from other institutions that are members of the InCommon Federation. You can restrict access to include only certain members of InCommon and/or people at member institutions who have certain attributes (e.g., faculty, student).
Cornell is a member of the InCommon Federation, a group of more than 1,000 higher education institutions (e.g., Cornell, Columbia, Stanford, Ohio State) and service providers (e.g., Microsoft, EBSCO, OCLC, JSTOR) that trust each other's authentication systems. Visit the InCommon Federation site for more information and a list of participating organizations.
Weill Cornell Medicine maintains its own separate Shibboleth Identity Provider.
Security Assertion Markup Language (SAML) is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users. Some examples are Workday and Box.com. Integrators outside of InCommon who would like to make use of Cornell's Identity Provider may point to the test IdP first and work through any initial issues. When you are ready to move your integration into production, submit a request to start the production integration process. Cornell Information Technologies requires that any new Service Provider include a certificate for encryption in the metadata.
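A pre-submission check for the encryption-certificate requirement above, as an added example that is not Cornell's or the Shibboleth project's own code. The entityIDs and certificate bodies are constructed placeholders, and the function name is hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sps_missing_encryption_cert(metadata_xml):
    """Return entityIDs of SPs with no certificate usable for encryption."""
    # For metadata from an untrusted source, parse with a hardened XML parser instead.
    root = ET.fromstring(metadata_xml)
    missing = []
    # iter() also matches the root, so a lone EntityDescriptor and an
    # EntitiesDescriptor wrapper are both handled.
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # not a Service Provider
        usable = False
        for kd in entity.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            # No "use" attribute means the key serves both signing and encryption.
            if kd.get("use") not in (None, "encryption"):
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                b64 = "".join((cert.text or "").split())
                try:
                    der = base64.b64decode(b64, validate=True)
                except ValueError:
                    continue  # not valid base64
                # Shallow sanity check only: DER certificates start with an ASN.1 SEQUENCE.
                usable = usable or der[:1] == b"\x30"
        if not usable:
            missing.append(entity.get("entityID"))
    return missing

# Constructed sample metadata; entityIDs and certificate bodies are placeholders.
def _sp(entity_id, use_attr, cert="MIIBCONSTRUCTEDSAMPLEAAA"):
    return ('<md:EntityDescriptor entityID="%s"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>' % (entity_id, use_attr, cert))

SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">' % (MD, NS["ds"])
          + _sp("https://sp-a.example.edu/shibboleth", ' use="signing"')
          + _sp("https://sp-b.example.edu/shibboleth", ' use="encryption"')
          + _sp("https://sp-c.example.edu/shibboleth", "")
          + _sp("https://sp-d.example.edu/shibboleth", ' use="encryption"', "not base64!")
          + '</md:EntitiesDescriptor>')

if __name__ == "__main__":
    print(sps_missing_encryption_cert(SAMPLE))
```

The check only confirms that an encryption-capable certificate element is present and decodes; it does not validate expiry, key size, or trust.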