Set Up an OIDC Service Provider for use with Shibboleth at U-M

Note: OpenID Connect (OIDC) can be used with the U-M Shibboleth IdP and Microsoft IIS if you have an application that supports it. Microsoft provides tools for developers who wish to integrate OIDC in their applications. For additional details about the OIDC standards and documentation, refer to Open ID Connect Core 1.0.

Steps to set up an OIDC Service Provider at U-M

  1. Install and configure OIDC software
    1. The Shibboleth OIDC metadata is available at: https://shibboleth.umich.edu/.well-known/openid-configuration
    2. Install mod_auth_openidc or another OIDC Relying Party (RP) on Linux, Apache, and IIS to use OIDC. Some applications may have the ability to have OIDC integrated directly into them. This can be done with your Operating system's package manager (for example, yum, apt-get, ports, and so on). The mod_auth_openidc RP is a direct replacement for mod_cosign.
  2. Contact the ITS Identity and Access Management team. To submit the Shibboleth Configuration Request Form, you'll need to provide the following information:
    1. The name of your service
    2. The redirect URL(s) for your service
    3. Contact information for the people supporting and configuring your service

Resources to assist with installation and configuration

UMich gitlab SSO examples

For SSO examples, including angular-sp django-oidc, flask-authlib-oidc, flask-flsask_oidc, and mod_auth_openidc, see the OIDC project in Gitlab.

Configure Apache HTTP Server to Authenticate Visitors Using OIDC

For instructions on How to configure Apache HTTP Server (httpd) to authenticate visitors using OIDC for Single Sign On, see Configure Apache HTTP Server to Authenticate Visitors Using OIDC.

Drupal-OIDC

The OpenID Connect module provides a pluggable client implementation for the OpenID Connect protocol. This guide will get you started on how to install and set up the OpenID Connect module.

Attributes

See U-M Shibboleth Attribute Release Policy and Procedure.

After your service is set up

The ITS Identity and Access Management team will contact you to let you know that your service has been set up. The IAM team will provide a client ID and secret, and will make the necessary update(s) to the OIDC configuration on the IDP. It may take up to two business days to enable a new OIDC SP in production. 

If you're adding Shibboleth with OIDC  to a vendor-provided service, the Identity and Access Management team is happy to work with the vendor on technical issues, but it is expected that you will maintain the vendor relationship and initiate contact with the vendor when needed. 
 

Tags: 
Last Updated: 
Monday, September 19, 2022