
Shibboleth FAQ

This article applies to: Shibboleth


Does the Cornell Identity Provider provide a logout service?

No. Our credentials remain valid until you close your browser. We recommend that you give the user instructions to quit the browser if they want to log out. If your application has a logout item in its menus, you might consider linking that item to a message instructing the user to quit the browser.

[Image: an example of a logout button popup reading "Please close or exit your browser to complete the logout process."]

Does Cornell Shibboleth work with Weill Cornell Medicine CWIDs?

No. Weill has its own Identity Provider. If your application service provider supports multiple Identity Providers, a separate integration request can be sent to Weill Cornell Medicine IT.

Does Cornell Shibboleth work with GuestIDs?

No. The Cornell IdP supports only Cornell NetID login.

Does the Cornell Identity Provider provide high availability?

Yes, the Identity Provider is behind a load balancer that provides load balancing and failover.

What attributes does the Cornell Identity Provider release?

Currently we release the following public attributes. Other attributes are available but must be approved by the relevant data stewards; please send email to idmgmt@cornell.edu if you don't see the attribute you are looking for.

Attribute Name In Enterprise Directory      Attribute Name In SAML Assertion    Attribute Friendly Name in SAML Assertion
------------------------------------------  ----------------------------------  -----------------------------------------
edupersonprimaryaffiliation                 urn:oid:1.3.6.1.4.1.5923.1.1.1.5    edupersonprimaryaffiliation
cn (commonName)                             urn:oid:2.5.4.3                     cn
eduPersonPrincipalName (netid@cornell.edu)  urn:oid:1.3.6.1.4.1.5923.1.1.1.6    eduPersonPrincipalName
givenName (first name)                      urn:oid:2.5.4.42                    givenName
sn (last name)                              urn:oid:2.5.4.4                     sn
displayName                                 urn:oid:2.16.840.1.113730.3.1.241   displayName
uid (netid)                                 urn:oid:0.9.2342.19200300.100.1.1   uid
eduPersonOrgDN                              urn:oid:1.3.6.1.4.1.5923.1.1.1.3    eduPersonOrgDN
mail                                        urn:oid:0.9.2342.19200300.100.1.3   mail
eduPersonAffiliation                        urn:oid:1.3.6.1.4.1.5923.1.1.1.1    eduPersonAffiliation
eduPersonScopedAffiliation                  urn:oid:1.3.6.1.4.1.5923.1.1.1.9    eduPersonScopedAffiliation
eduPersonEntitlement                        urn:oid:1.3.6.1.4.1.5923.1.1.1.7    eduPersonEntitlement
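
A service provider should identify these attributes by the OID-based Name, not by FriendlyName, which SAML treats as a human-readable hint only. The following is an added example, not Cornell's or the Shibboleth project's code: it maps an AttributeStatement using the OIDs from the table above and accepts an eduPersonPrincipalName only when its scope is cornell.edu. The function names, the sample NetID and the sample XML are constructed, and the sketch assumes the assertion's signature and conditions were already verified by your SAML library.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Name (OID URN) -> local key, taken from the attribute table above.
OID_TO_KEY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": "edupersonprimaryaffiliation",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.3": "eduPersonOrgDN",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}
EXPECTED_SCOPE = "cornell.edu"  # scope shown for eduPersonPrincipalName in the table

def extract_attributes(statement_xml):
    """Map an already signature-verified AttributeStatement to {key: [values]}."""
    attrs = {}
    for attr in ET.fromstring(statement_xml).iter(NS + "Attribute"):
        key = OID_TO_KEY.get(attr.get("Name"))  # match on Name, never FriendlyName
        if key is None:
            continue  # not in the table: ignore, whatever its FriendlyName says
        values = [v.text.strip() for v in attr.findall(NS + "AttributeValue") if v.text]
        attrs.setdefault(key, []).extend(values)
    return attrs

def netid_from_eppn(attrs):
    """Return the NetID only for a single ePPN carrying the expected scope."""
    eppns = attrs.get("eduPersonPrincipalName", [])
    if len(eppns) != 1:
        raise ValueError("expected exactly one eduPersonPrincipalName")
    local, _, scope = eppns[0].partition("@")
    if not local or scope.lower() != EXPECTED_SCOPE:
        raise ValueError("unexpected eduPersonPrincipalName scope")
    return local

# Constructed sample: the second attribute has a familiar FriendlyName but an unlisted Name.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
  <saml:AttributeValue>abc123@cornell.edu</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="urn:example:unlisted" FriendlyName="uid">
  <saml:AttributeValue>zzz999</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(netid_from_eppn(extract_attributes(SAMPLE)))
```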

Can I get a Cornell NetID for testing purposes?

If you don't already have a Cornell NetID, you might be able to obtain a Sponsored NetID. Please talk to the person who is your contact at Cornell, or email idmgmt@cornell.edu.

About this Article

Last updated: Thursday, July 25, 2019 - 8:14am

Audience: IT Professionals
