Federated login with Shibboleth has two major components: Identity Providers (IdP) which authenticate users and release selected information about them, and Service Providers (SP) which accept and process the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources.

A Federation in this sense is a group of Identity Providers and Service Providers who have entered into a trust with each other. For example, your ATM card works with various bank federations such as NYCE, PLUS, and CIRRUS. Banks that are members of these federations trust each other's ATM cards. (In this example, your home bank is your Identity Provider, and the ATM machine is the Service Provider.)

Cornell is a member of the InCommon Federation, which is a group of 400+ Higher Education institutions (including Cornell, Columbia, Stanford, Ohio State and many others) and Service Providers (including Microsoft, EBSCO, OCLC, and JSTOR) that trust each other's authentication systems (NetIDs).

Cornell also has its own federation that includes the Ithaca campus NetIDs, Weill Cornell CWIDs, and the Qatar and NYC Tech campus userIDs.

CIT maintains an Identity Provider which can be used with local or vendor applications that would like to do Single Sign On (SSO) with a NetID. This method of authentication is currently used mainly for integrating with vendor applications such as Remedy, Box.com, Qualtrics, Illiad, EBSCO, JSTOR, and Edublogs.

If you have an application that you would like to open up for login to users from other institutions, you could protect the application with the Shibboleth Service Provider instead of CUWebAuth. Some example configurations you could have for your service provider include:

• Allow employees of Cornell University and Columbia University to use the application.
• Allow anyone with a NetID from Cornell University and Columbia University to use the application.
• Allow anyone with a NetID from any InCommon institution to use the application.
• Allow only certain NetIDs from any InCommon institution to use the application.
• Allow only students from any InCommon institution to use the application.

Shibboleth SSO is often used at Cornell by applications that are running at off-campus locations by the vendor. Some examples are Remedy and Box.com.

To consult with us about using Shibboleth at Cornell, email the Identity Management Team.

Visit the project site to learn more about Internet2 Shibboleth.