Shibboleth (SAML) setup

If your school/unit/department is implementing Shibboleth authentication for an application, use the following configuration information.

This document is intended for use by Northwestern staff who are administering an application, usually hosted in the cloud, that will be integrated with NU's "Online Passport" single sign-on (SSO) system. The technology used to accomplish this is called SAML, short for "security assertion markup language".


SAML federation requires that NU's SSO system exchange SAML "metadata" with your vendor's application. Metadata consists of encryption keys, service endpoints, and other data that allow the two systems to talk with each other. A small text file holds this information, which can be exchanged in several ways:
  1. Join a federation, such as InCommon All federation members download each other's metadata from a central repository; this is the best method
  2. Download metadata from a given URL
  3. Exchange metadata manually through email or similar channels
Northwestern is a member of InCommon and our metadata is registered there. Our metadata can also be obtained from the following URLs:

Deployment Checklist

  1. If you haven't already done so, fill out this form to create a ticket for the NUIT Identity Services team to work with you
  2. Ask your vendor for documentation about setting up SAML Federation, and provide that to NUIT
  3. Determine whether you will perform the application-side configuration, or whether the vendor's support team does this for you
  4. Determine whether you will have a test environment for your application, in addition to the production system
  5. Ask your vendor (or refer to the documentation) if they are InCommon members
  6. If not, obtain the URL from which we can download metadata; or obtain a text file with the metadata to pass on to NUIT
  7. Ask your vendor (or refer to the documentation) which data attributes must be released during login, in order for the application to function. Common items are netid, email, first/last name.
  8. Ask your vendor (or refer to the documentation) to see if there are any other special requirements - things like encryption/signing of SAML assertions/responses, setting the SAML nameID header, etc.
  9. Provide Northwestern's metadata URLs (above) to the vendor; or note them for your own use if you will be configuring the application

Logout URL

If your application supports configuration of a logout URL, you can use one of these:
  • test:
  • production:

Duo User Experience

Shibboleth uses "out of the box" Duo functionality. This means that your application's users will need to re-authenticate with Duo even if they've authenticated with Duo Mobile with another application.

Keywords: Shibboleth fed saml shib federation SAML
Created: 2020-07-10 15:52:45
Updated: 2020-12-14 17:17:47

Was this helpful?
0% helpful - 1 review
Print Article


Article ID: 1096
Thu 5/12/22 12:38 PM
Mon 1/8/24 1:21 PM