Logging in to Shibboleth-Enabled Services and Websites

Shibboleth is used to allow members of the U-M community to log in to websites at other institutions that are members of the InCommon Federation using their uniqname and UMICH (Level-1) password. It is also used to enable web login to U-M Google, U-M Dropbox, and other cloud-based services used at the university.

Contents

• Logging in to a Service that Uses Shibboleth
• What Is Shibboleth?
• Shibboleth and Federations
• Being a Service Provider (SP)
• Sponsoring an External Vendor or Institution
• Logging Out

Logging in to a Service that Uses Shibboleth

Shibboleth is used to let you log in via the web to some resources outside the university and to cloud-based services used at U-M with your uniqname and UMICH (Level-1) password.

1. Click the login link for the website you wish to access.

2. If you are accessing a service or website outside of the university, you may be asked to identify your institution. Select University of Michigan.

3. If you see a login screen other than the Weblogin page, you may need to enter your U-M email address (in the form of [email protected]) and click a Continue button to get to the Weblogin page.

4. If you have not already logged in through U-M Weblogin, you'll see the standard login page. Log in with your uniqname and UMICH password, the one you use to enter Wolverine Access.

5. Depending on the service you are accessing, you may see an additional screen asking you to confirm release of information about you (attributes such as your name and uniqname) that will be shared with the other service provider. If you do not see such a screen, the service you are accessing has been pre-approved as a U-M service to receive these attributes, or you have already confirmed release of your information to this service provider with the service in the past year. Some services require annual confirmation, as well as confirmation if your attributes change.
   Why this information is shared: Service providers require a minimal set of attributes (such as your name, uniqname, and university affiliation) to identify you and verify that you are authorized to access the service. U-M data stewards have already approved release of the data that you may find in the confirmation window.

   

   If you agree: If you are willing to release the attributes listed to the service provider, click Confirm to allow release and log in.

   If you don't agree: If you do not want the listed attributes released to the service provider, click Decline, but understand that the service you want to access will then not allow you to log in.

What Is Shibboleth?

Shibboleth is a behind-the-scenes mechanism that allows you to access secure sites at other institutions, organizations, and agencies, as well as cloud-based services available at U-M, by using your U-M uniqname and UMICH (Level-1) password. With Shibboleth, you don't need yet another user ID and password for every single service. It is intended to make things easier for you.

Shibboleth is a two-part process:

1. You authenticate through U-M Weblogin.
2. The requested institution determines whether it will authorize your access based on the attributes provided.

It's also a single sign-on process. After you've been authenticated to one site within a federation, you can visit other sites for which you are authorized within that federation without having to authenticate again. This privilege lasts until you close your session or the session expires.

A few other things of interest:

• U-M supports Shibboleth, both to access external and cloud-based services and websites and to allow authorized non-U-M individuals to log in to U-M services using their own home login credentials.

• Many institutions, organizations, and agencies support Shibboleth.

• The key to gaining access to a Shibboleth-supported site is obtaining a URL.

• You are responsible for following both U-M's policies and procedures as well as those of the site or service.

Shibboleth and Federations

Shibboleth is federated identity management software. With federated identity management, institutions join together in a group—a federation—and agree to trust each other's identity credentials for logging in to websites.

Shibboleth allows people to log in to web resources at other institutions using the ID and password they use at their own institution. It's kind of like when banks allow you to use your ATM card at the ATM of a bank where you don't have an account.

U-M belongs to the InCommon federation. Additionally, we can allow access to members of the UK Access Management Federation for Education and Research, although they do not reciprocate. A list of member institutions is available at the respective sites.

To learn more, see Shibboleth at U-M.

Being a Service Provider (SP)

Your unit can use Shibboleth to enable login to a cloud-based service or to a service in your own unit. For more information, see these resources:

• Shibboleth at U-M
• Getting Started With Shibboleth
• Shibboleth Support

Sponsoring an External Vendor or Institution

You or your unit can sponsor an external vendor for access from U-M. For example, the U-M Library may sponsor aggregated database companies, such as ProQuest. Contact your IT staff with your request.

U-M IT staff members can request configuration of the U-M Shibboleth IdP to allow access to a Shibboleth-enabled application or service. For more information, see Shibboleth Request Forms.

Logging Out

When you click a logout button within a Shibboleth-enabled website or service, you likely will not be completely logged out. In most cases, you will be logged out of the website or service, but not logged out of Shibboleth itself. For this reason, if you return to the website or service, you may be automatically logged back in because of your open Shibboleth session. Depending on the service and the web browser you are using, you may remain logged in to Shibboleth even after quitting or closing your web browser.