Shibboleth

Authentication often used for off-campus vendor services

The information in this article is intended for technical staff who create, maintain, and support applications that require authentication. Most Cornell faculty, staff, and students do not need this information.

Shibboleth is the higher education community's implementation of web single sign-on using the SAML protocol. The Shibboleth Service Provider (SP) can often be used as a replacement for CUWebAuth. The advantage of using Shibboleth is that you can open your site to users from other institutions that are members of the InCommon Federation (see next paragraph). You can restrict access to only certain InCommon members and/or to people at member institutions who carry certain attributes, such as faculty, student, etc.

Cornell is a member of the InCommon Federation, which is a group of 400+ higher education institutions (including Cornell, Columbia, Stanford, Ohio State, and many others) and service providers (including Microsoft, EBSCO, OCLC, and JSTOR) that trust each other's authentication systems (NetIDs). See the InCommon Federation article for more information and a list of college and university members.

If you have an application that you would like to open up for login to users from other institutions, you could protect the application with the Shibboleth service provider instead of CUWebAuth.

GuestIDs cannot be used to authenticate via Shibboleth. NetIDs and Sponsored NetIDs can be granted access via Shibboleth. Weill Cornell maintains its own, separate Shibboleth identity provider.

SAML is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users. Some examples are Remedy and Box.com. Integrators outside of InCommon who would like to make use of Cornell's Identity Provider (IdP) may point to the test IdP first and work through any initial issues. When you are ready to move your integration into production, please submit a request to start the production integration process. Cornell Information Technology requires that all new service providers include a certificate for encryption in their metadata.
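As an added example (not code from Cornell IT or the Shibboleth project), the following Python script checks whether a Service Provider's SAML metadata publishes a certificate usable for encryption, the requirement stated above for new integrations. The metadata documents and certificate bodies are constructed placeholders.

```python
# Added example: verify that SAML SP metadata carries an encryption certificate.
# Standard library only; the metadata below is constructed, not real.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def encryption_certs(metadata_xml: str) -> list:
    """Return the certificate bodies an SP publishes for encryption.
    In SAML metadata a KeyDescriptor with use="encryption", or with no
    'use' attribute (meaning both signing and encryption), qualifies;
    use="signing" alone does not."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for sp in root.iter("{%s}SPSSODescriptor" % NS["md"]):
        for kd in sp.findall("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "encryption"):
                continue
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text and c.text.strip():
                    certs.append("".join(c.text.split()))  # drop PEM line breaks
    return certs

def has_encryption_cert(metadata_xml: str) -> bool:
    return len(encryption_certs(metadata_xml)) > 0

# Constructed sample: an SP that publishes only a signing key (would be rejected).
SIGNING_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder-signing...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same SP with an encryption KeyDescriptor added, which satisfies the requirement.
WITH_ENCRYPTION = SIGNING_ONLY.replace(
    "</md:KeyDescriptor>",
    '</md:KeyDescriptor>\n    <md:KeyDescriptor use="encryption">'
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder-encryption...</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>",
    1,
)

if __name__ == "__main__":
    for name, doc in (("signing-only", SIGNING_ONLY), ("with-encryption", WITH_ENCRYPTION)):
        print(name, "OK" if has_encryption_cert(doc) else "MISSING encryption certificate")
```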


Service Details

Regulated Data:

Not applicable or information not available.
