Shibboleth is a web-based Single Sign-On infrastructure. It is based on SAML, a standard for the exchange of authentication data. Shibboleth has been adopted by McMaster University as the basis for federated Single Sign-On for locally based applications and between other academic institutions. Shibboleth allows users to authenticate using their MacID via a local institutional service (the Identity Provider, or IdP) to gain access to local and remote resources (Service Providers, or SPs) that participate in the federation. SAML (Security Assertion Markup Language) is an authentication and authorization protocol used to power single sign-on (SSO) integrations via the MacID login. SAML is part of a coordinated ensemble of technologies that protect the university's restricted data while enabling not just staff and students but also trusted colleagues at other institutions to access resources with a MacID login. Examples of SAML in use at McMaster University include partner-provided services such as Gmail Student Login and Office 365.
SAML/Shibboleth And Federation Membership
Through the SAML/Shibboleth Service, McMaster University is a member of several education federations:
The InCommon Federation manages federated authentication services between higher education institutions and their sponsored partners throughout North America. As a member, McMaster faculty, staff, and students are able to access resources using their McMaster University MacID account. All participants in this federation use a common set of policies and practices to exchange information about their users and resources in order to share access and enable collaboration between participants. The underlying technology used to support federated authentication between participants in the InCommon Federation is the Shibboleth System, with McMaster University’s centralized authentication service providing the single sign-on protocol for authenticating faculty, staff, and students using their MacID account.
The Canadian Access Federation (CAF) is another major federation McMaster University belongs to through its membership in CANARIE. Participation in CAF enhances the user experience of researchers, students and faculty by allowing the use of their McMaster-issued MacID account to seamlessly access trusted content, services, and applications any time, from any place. Membership in CANARIE also includes access to eduroam, which allows for seamless Wi-Fi access at over 17,000 eduroam locations in 100 countries worldwide.
Accessing The SAML/Shibboleth Environment
McMaster University runs a SAML/Shibboleth Identity Provider service (IdP) which is the central component of a federated environment. Details and how to gain access can be found here.
- Neither McAuth nor LDAP is a valid option for applications hosted off campus.
- There are no restrictions for internet/cloud based application integrations.
- Support for additional authorization metadata. We can assert extra authorization attributes to your particular application.
- SAML attributes (data fields) are available depending on your application’s needs.
- In the long run all partner applications should be integrated via Shibboleth/SAML.
SAML Attribute Release
In some cases, and to allow for more specific access to restricted content, certain SAML/Shibboleth-enabled sites do require EXTRA information about the user. For example, some sites need to know the user's name, e-mail address, or a specific affiliation or academic information. Other applications merely want to know whether the user is McMaster faculty, staff, or a student, and do not depend upon the particular identity of the user in question, only that McMaster is willing to vouch for them. During the integration process, applications making use of SAML/Shibboleth must indicate as precisely as possible which attributes are required for authorization purposes.
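As an added illustration of the per-application attribute release described above (example configuration, not McMaster's own IdP policy), here is a Shibboleth IdP attribute-filter policy for two hypothetical SPs: one receives only a scoped affiliation, the other also receives name and e-mail. The SP entity IDs, the IdP scope and the attribute IDs (standard eduPerson and inetOrgPerson names) are assumptions.

```xml
<!-- Added example: Shibboleth IdP attribute-filter.xml fragment.
     Entity IDs and the scope "idp-scope.example" are placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- SP that only needs to know the IdP vouches for the user as faculty,
       staff or student. No identifying attribute is permitted here, and the
       filter engine releases nothing that is not explicitly permitted. -->
  <AttributeFilterPolicy id="affiliationOnlySP">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://affiliation-only-sp.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <!-- Permit only the three affiliation values this SP authorizes on -->
      <PermitValueRule xsi:type="OR">
        <Rule xsi:type="Value" value="faculty@idp-scope.example" ignoreCase="true" />
        <Rule xsi:type="Value" value="staff@idp-scope.example" ignoreCase="true" />
        <Rule xsi:type="Value" value="student@idp-scope.example" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- SP that needs identifying attributes for its own access control -->
  <AttributeFilterPolicy id="identitySP">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://identity-sp.example.org/shibboleth" />
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Each policy is keyed on the requesting SP's entity ID, so an SP added to the federation later gets no attributes until an operator writes a rule for it.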
In order to assist application developers, there are available login accounts that can be used for testing purposes. Each test account represents a typical campus affiliation (or combination).
There are three types of test accounts:
- Student Test Account – a typical student profile that includes faculty and program
- Staff Test Account – a typical staff account that includes department and job
- Student/Staff Account – a staff account that also has some academic details