Shibboleth (SAML) setup

If your school/unit/department is implementing Shibboleth authentication for an application, use the following configuration information.

This document is intended for use by Northwestern staff who are administering an application, usually hosted in the cloud, that will be integrated with NU's "Online Passport" single sign-on (SSO) system. The technology used to accomplish this is called SAML, short for "security assertion markup language".

Metadata

SAML federation requires that NU's SSO system exchange SAML "metadata" with your vendor's application. Metadata consists of encryption keys, service endpoints, and other data that allow the two systems to talk with each other. A small text file holds this information, which can be exchanged in several ways:

Join a federation, such as InCommon http://www.incommon.org. All federation members download each other's metadata from a central repository; this is the best method
Download metadata from a given URL
Exchange metadata manually through email or similar channels

Northwestern is a member of InCommon and our metadata is registered there. Our metadata can also be obtained from the following URLs:

test: https://fed-uat.it.northwestern.edu/idp/shibboleth
production: https://fed.it.northwestern.edu/idp/shibboleth

Deployment Checklist

If you haven't already done so, fill out this form https://services.northwestern.edu/TDClient/30/Portal/Requests/TicketRequests/NewForm?ID=3cLCs83krqs_&RequestorType=Service to create a ticket for the NUIT Identity Services team to work with you
Ask your vendor for documentation about setting up SAML Federation, and provide that to NUIT
Determine whether you will perform the application-side configuration, or whether the vendor's support team does this for you
Determine whether you will have a test environment for your application, in addition to the production system
Ask your vendor (or refer to the documentation) if they are InCommon members
If not, obtain the URL from which we can download metadata; or obtain a text file with the metadata to pass on to NUIT
Ask your vendor (or refer to the documentation) which data attributes must be released during login, in order for the application to function. Common items are netid, email, first/last name.
Ask your vendor (or refer to the documentation) to see if there are any other special requirements - things like encryption/signing of SAML assertions/responses, setting the SAML nameID header, etc.
Provide Northwestern's metadata URLs (above) to the vendor; or note them for your own use if you will be configuring the application

Logout URL

If your application supports configuration of a logout URL, you can use one of these:

test: https://uat-nusso.it.northwestern.edu/nusso/XUI/?realm=/northwestern#logout/
production: https://prd-nusso.it.northwestern.edu/nusso/XUI/?realm=/northwestern#logout/

Duo User Experience

Shibboleth uses "out of the box" Duo functionality. This means that your application's users will need to re-authenticate with Duo even if they've authenticated with Duo Mobile with another application.

Keywords: Shibboleth fed saml shib federation SAML
Created: 2020-07-10 15:52:45
Updated: 2020-12-14 17:17:47

Was this helpful?

0% helpful - 1 review

Details

Article ID: 1096

Created

Thu 5/12/22 12:38 PM

Modified

Mon 1/8/24 1:21 PM

Updating...