This article applies to: WebSSO
As part of the WebSSO Modernization effort, CIT is asking website administrators who currently use CUWebAuth to convert to using SAML/Shibboleth instead, so that CUWebAuth and CUWebLogin can be retired. Any SAML SP should work, but CIT's recommendation is to use the Shibboleth Service Provider (SP), and support efforts will focus on that implementation.
October 31, 2020
New CUWebAuth integrations will no longer be available. If you are setting up a new website, please set it up to use SAML/Shibboleth instead of using CUWebAuth.
September 30, 2021
CUWebAuth and CUWebLogin will be retired; all services must be converted to SAML/Shibboleth before this date.
Instructions and Documentation
- Installation of the Shibboleth SP on Linux
- Installation of the Shibboleth SP on Windows
- Converting CUWebAuth to Shibboleth Service Provider (SP) on the Apache web server
- Shibboleth SP documentation
- Shibboleth at Cornell documentation
Please consult the instructions and documentation above. You may contact the IT Service Desk for general information. If you are having trouble with your migration, please contact Identity Management.
CIT recently created an e-list: cornell-shib-users-L@cornell.edu. It will be used for
- peer support among the people who install and admin Shibboleth
- informal support from CIT
- important announcements related to the Shibboleth service at Cornell (new versions, changes to the service, etc.)
To join the list, send an email to cornell-shib-users-Lemail@example.com with the word join as the subject line. Leave the body of the message blank.
For the most part, conversion from CUWebAuth to the Shibboleth SP is fairly straightforward. But there are some narrow use cases in which special features of CUWebAuth cannot be replicated using the Shibboleth SP. In these cases, the conversion will be more involved because some other solution will have to be found. If you are using one of the following features, please contact Identity Management to discuss options.
- CUWebAuth Portal Proxy (usually used for setting up security sessions between a front-end web page and a back-end service)
- CUWebAuth Portal Permit (usually used for AD group lookups)
- KProxy or DAV Portal (usually used for WebDAV file transfer)
- Permit Bridge/Getpermit (used to view or manipulate AD groups)
Does My Website Need to Be Migrated?
CIT maintains a list of websites that still need to be migrated.