Do you have a web application that you would like to make accessible to people from other institutions but not the entire internet? Then you will want to read more about Shibboleth at Cornell!
Shibboleth is standards-based, open source software from Internet2 which provides federated authentication/authorization for web-enabled services. In other words, Shibboleth provides Web Single SignOn (SSO) across or within organizational boundaries. Shibboleth at Cornell can provide applications with user attributes from the directory for personalization purposes following user login.
A Federation is a group of providers that trust each other's credentials. For example, think about how your ATM card works with various bank federations such as NYCE, PLUS, and CIRRUS. Banks that are members of these federations trust each other's ATM cards. Likewise, the InCommon Federation is a group of 50+ Higher Education institutions (including Cornell, Columbia, Stanford, Ohio State and many others) that trust each other's authentication systems. InCommon also includes sponsored participants such as Apple iTunes, Microsoft, EBSCO, OCLC, and JSTOR. InCommon uses Shibboleth as its federating software. Read more about the InCommon Federation.
Currently, library patrons are the main users of Shibboleth at Cornell. The Illiad (interlibrary loan) site is enabled for Shibboleth login. The Cornell University Library is actively investigating using Shibboleth for other applications.
Shibboleth software has two components:
Identity Provider (IdP) - This component provides the authentication and authorization for each separate identity store. At Cornell, our identity provider authenticates via cuwebauth and our Kerberos system, and authorizes via our electronic directory.
Service Provider (SP) - This component protects a web application like the EBSCO website. The service provider knows how to ask “Where are you from?” and then asks your institution's Identity Provider to authenticate and authorize you.
Both an IdP and an SP can be configured to talk to more than one Federation. Read more about Shibboleth at the Internet2 site.
To consult with us about using Shibboleth at Cornell, please email the Identity Management Team.
You can also check our Shibboleth at Cornell Confluence site.