Shibboleth, Federating with external vendors
The desired situation
You want to use Shibboleth to securely authenticate people to a third party service provider, so that University people are allowed to use their NetIDs and passwords to access appropriate access to online resources without needing to create separate accounts in the third party system. (A common example involves access to online course materials provided by a textbook publisher.)
If the vendor is a member of the InCommon federation, the process will be simpler than if they don't, but it's still possible to make the connection work.
Before you start
If the vendor has not done business with the University before, you must fill out a Vendor Risk Assessment form here.
What to tell the vendor
- The University of Illinois is a member of InCommon. The following default attributes are released to Service Providers in InCommon:
- eduPersonPrincipalName
- SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
- Example: NetID@illinois.edu
- mail
- SAML Name: urn:oid:0.9.2342.19200300.100.1.3
- Example: NetID@illinois.edu
- eduPersonScopedAffiliation
- SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
- Example: faculty@illinois.edu
- eduPersonTargetedID
- SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
- Example: Persistent identifier
- givenName
- SAML Name: urn:oid:2.5.4.42
- Example: first name, ex: john
- sn
- SAML Name: urn:oid:2.5.4.4
- Example: surname/last name, ex: doe
- displayName
- SAML Name: urn:oid:2.16.840.1.113730.3.1.241
- Example: John Doe
- eduPersonPrincipalName
- Our entity ID is urn:mace:incommon:uiuc.edu.
- Note: We strongly prefer vendors to take our metadata from InCommon directly. While it is possible to get our metadata from https://mdq.incommon.org/entities/urn:mace:incommon:uiuc.edu instead, consuming metadata from the local URL has known risks.
- If the vendor can't accept XML metadata from our campus IDP, they may ask for a "single sign on URL" or a "login URL."
They will need three pieces of information:- Either the POST or the redirect form of the login URL:
- POST: https://shibboleth.illinois.edu/idp/profile/SAML2/POST/SSO
- Redirect: https://shibboleth.illinois.edu/idp/profile/SAML2/Redirect/SSO
- The logout URL:
- https://shibboleth.illinois.edu/idp/profile/Logout
- The X509 certificate file:
- Either the POST or the redirect form of the login URL:
Ask the vendor for this connection information:
- What name identifier format does your service require from our campus Identity Provider?
- The vendor may need a name identifier in the form of an email address, a persistent value (such as an encrypted version of the person's UIN), or a transient value (such as a random unique number used for this particular system). The transient value is recommended when possible.
- What other attributes does your service require from our campus Identity Provider?
- Other information such as first and last name, email address, or affiliation with the University may be relevant to providing resources to particular individuals.
- Do you accept encrypted assertions?
- We prefer to use encrypted assertions, but if unencrypted assertions are necessary, please contact shibboleth-mgr@illinois.edu to make arrangements.
- Are you a member of InCommon?
- If so:
- What is your Entity ID?
- If not:
- How do we obtain your service provider metadata?
- This will be an XML document that describes how our campus Shibboleth identity provider communicates with the vendor.
- If the vendor does not have a document like this, you'll need to ask them the following three questions.
- How do we obtain your service provider metadata?
- If you don't have either InCommon membership or a service provider metadata XML document:
- What is your Entity ID?
- What is your assertion consumer service endpoint?
- This is the URL to which we should send our assertion from the IDP.
- What are your X509 SAML certificates?
- These are the certificates used for signing and encryption. They're different from an SSL certificate protecting a website.
- What is your Entity ID?
- If so:
Give the vendor's information to shibboleth-mgr
After you've exchanged this information with the vendor, send this information to shibboleth-mgr@illinois.edu so that we can configure our campus IDP to communicate with the vendor's service.