Shibboleth Identity Provider (IdP) is an open-source implementation of web single sign-on using the SAML protocol. Shibboleth allows you to enable access to your site for users from other institutions that are members of the InCommon Federation. You can restrict access to include only certain members of InCommon and/or people at member institutions who have certain attributes (for example, faculty, student).

Cornell is a member of the InCommon Federation, a group of more than 1,000 higher education institutions (for example, Cornell, Columbia, Stanford, Ohio State) and service providers (for example, Microsoft, EBSCO, OCLC, JSTOR) that trust each other's authentication systems. Visit the InCommon Federation site for more information and a list of participating organizations.

Administrators will probably not need to set up a Shibboleth Identity Provider, but will be using the CIT-maintained Identity Provider (and possibly others) to authenticate users. Note, however, that Weill Cornell Medicine maintains its own separate Shibboleth Identity Provider.

Security Assertion Markup Language (SAML) is also a popular method for enabling cloud vendor sites to authenticate and authorize Cornell users. Some examples are Workday and Box.com. Integrators outside of InCommon who would like to make use of Cornell's Identity Provider may point to the test IdP first and work through any initial issues. When you are ready to move your integration into production, submit a request to start the production integration process. Cornell Information Technologies requires that any new Service Provider include a certificate for encryption in the metadata.