Network & Security

Web Single Sign-On

Overview

The goal of Web Single Sign-On is to provide an easy to use and secure authentication environment for users.  At Creighton, the standard platform for accomplishing this objective uses Shibboleth  software and SAML (security assertion markup language) developed by Internet2 .  This allows for not only true single sign-on, but also enables federation between other universities and other organizations.  Toward that end, Creighton University is a member of the InCommon Federation , a collection of higher education institutions, research organizations, government entities, and commercial entities who operate in the higher ed arena.

About

The single sign-on system, Shibboleth, has two primary components: the service provider and the identity provider.  The service provider interacts with the web server (Apache or IIS) where the web application resides and manages the interaction between it and the identity provider.  The identity provider is a centralized service that handles the authentication and releases identity information (attributes) to the service provider (and ultimately the application).  The identity provider does not generally store identity information itself, but must be connected to a back-end storage system such as AD/LDAP or a database.  A single identity provider can provide information to many service providers (even ones managed by other organizations), and a single service provider may interact with a single identity provider (as is the case for most CU apps), or it may interact with many if it has users from many different organizations.  Usually a discovery service is used in this case to allow end-users to select the identity provider from their home organization.

Additional Resources

SSO Definitions | Available Attributes | URN registry | Set up a new SP