Set Up an OIDC Service Provider for use with Shibboleth at U-M

Note: OpenID Connect (OIDC) can be used with the U-M Shibboleth IdP and Microsoft IIS if you have an application that supports it. Microsoft provides tools for developers who wish to integrate OIDC in their applications. For additional details about the OIDC standards and documentation, refer to Open ID Connect Core 1.0.

Follow these steps to set up an OIDC Service Provider at U-M:

  1. Install and configure OIDC software
    • The Shibboleth OIDC metadata is available at:
    • You will need to install mod_auth_openidc or another OIDC Relying Party (RP) on Linux and Apache to use OIDC. This can be done with your Operating system's package manager (for example, yum, apt-get, ports, and so on). The mod_auth_openidc RP is a direct replacement for mod_cosign.
  2. Contact the ITS Identity and Access Management team. To submit the Shibboleth Configuration Request Form. You'll need to provide the following information:
    1. The name of your service
    2. The redirect URL(s) for your service
    3. Contact information for the people supporting and configuring your service

The ITS Identity and Access Management team will contact you to let you know that your service has been set up. The IAM team will provide a client ID and secret, and will make the necessary update(s) to the OIDC configuration on the IDP. It may take up to two business days to enable a new OIDC SP in production. 

If you're adding Shibboleth with OIDC  to a vendor-provided service, the Identity and Access Management team is happy to work with the vendor on technical issues, but it is expected that you will maintain the vendor relationship and initiate contact with the vendor when needed. 

Last Updated: 
Tuesday, March 12, 2019