Use Shibboleth Service Provider software for single sign-on

Last updated: January 31, 2023
Audience: IT Staff / Technical

For customers using Apache or Microsoft IIS web servers, Shibboleth Service Provider (SP) software is free and open source software, developed by and for the research and education community, that supports single sign-on (SSO), federation, and social login. Unlike other SAML software, Shibboleth SP software is integrated and configured in Apache or IIS, rather than being built into your application code.

Want some help?
Need help using Shibboleth Service Provider software for single sign-on with the UW Shibboleth Identity Provider? Contact us for help.

Identity provider entityID and metadata

“urn:mace:incommon:washington.edu” is the entityID for the UW Identity Provider (IdP). We provide several ways to download and refresh our IdP metadata.

Metadata consumption

Metadata refresh

Regardless how you consume the UW Shibboleth IdP metadata, we recommend you refresh and verify the metadata at least daily. Doing so can help prevent service disruptions due to key rollovers and other changes. Shibboleth SP software defaults to refreshing metadata every two hours.

Installation, configuration, and registration

  • Installation and configuration
    Refer to the installation and configuration guides in our Shibboleth SP support wiki.
  • Choose an entityID you own
    Your entityID is a permanent, unique, public identifier that identifies your service to the UW Shibboleth IdP (and potentially other IdPs). We strongly recommend choosing an entityID formatted as a URL that includes a DNS name you own and control. For example, “https://service.uw.edu/saml”. The URL doesn’t have to resolve to an actual web resource; its purpose is to be a unique string that accurately represents ownership.
  • Self-service registration process
    Shibboleth SP software works well with the self-service registration process described in our installation and configuration guides. Only authorized operators can register and update SP metadata using the UW Service Provider Registry, where authorization is based on ownership and control of the DNS name in your entityID.

Attribute release

SAML authentication

  • How to initiate authentication
    Our installation and configuration guides describe basic configuration needed to initiate authentication using Shibboleth on Linux and Windows.
  • How to request multi-factor authentication
    Shibboleth SP software supports configuration for the REFEDS MFA Profile used by the UW Shibboleth IdP for multi-factor authentication. Refer to the “session management topics” in our wiki.
  • How to force reauthentication
    Shibboleth SP software supports reauthentication too. Excess reauthentication can annoy users, so use it judiciously. Refer to the “session management topics” in our wiki.

Access control

Logout

  • Single logout isn’t supported
    Although Shibboleth SP software offers single logout features, the UW Shibboleth IdP doesn’t support the SAML 2.0 Single Logout Profile.
  • Local logout and timeouts
    Shibboleth SP software supports configuration to enable a local logout mechanism and to coordinate between logout and timeouts. Refer to the “session management topics” in our wiki.
  • Logout, single sign-on, and reauthentication
    If you are concerned that single sign-on allows users back into your service, even after using your local logout mechanism, you might consider reauthentication. Forcing reauthentication can reduce the risk of unauthorized access to sensitive data and operations when a user has a valid single sign-on session and leaves their computer unattended and unlocked. With reauthentication, even users who have a valid single sign-on session will be forced to authenticate again.

Other operational practices

  • Shibboleth software announcements
    All customers who rely on Shibboleth SP software should subscribe to the Shibboleth consortium’s official “announce” mailing list. This is a low traffic list used to announce new releases and security advisories.
  • Service announcements and customer notifications
    We send email to the contacts provided during service provider registration to communicate information about outages, upgrades, and other changes, as well as notifications related to SP metadata registration, updates, and attribute requests.
  • Security incident response
    If your service is involved in a security incident involving use of SAML and the UW Shibboleth Identity Provider, normal reporting and security incident response apply. If you plan to adopt the Security Incident Response Trust Framework for Federated Identity (SIRTFI), please contact us; the UW Identity Provider doesn’t implement SIRTFI yet.
  • Identity provider key rollovers
    Shibboleth SP software supports multiple certificates (signing keys) for a single entity in IdP metadata, and therefore can seamlessly handle rare occasions when we need to change the certificate we publish in the UW Shibboleth IdP metadata. This is known as a “key rollover”.

Related information

  • General information for SAML integration
    If you’re curious what information we provide to customers using other SAML 2.0 software besides Shibboleth, refer to Use SAML 2.0 for single sign-on.