Note: OpenID Connect (OIDC) can be used with the U-M Shibboleth IdP and Microsoft IIS if you have an application that supports it. Microsoft provides tools for developers who wish to integrate OIDC into their applications. For additional details about the OIDC standards and documentation, refer to OpenID Connect Core 1.0.
Steps to set up an OIDC Service Provider at U-M
- Install and configure OIDC software
  - The Shibboleth OIDC metadata is available at: https://shibboleth.umich.edu/.well-known/openid-configuration
  - Install mod_auth_openidc or another OIDC Relying Party (RP) on Linux, Apache, or IIS to use OIDC. Some applications can have OIDC integrated directly into them. Installation can be done with your operating system's package manager (for example, yum, apt-get, ports, and so on). The mod_auth_openidc RP is a direct replacement for mod_cosign.
- Contact the ITS Identity and Access Management team. To submit the Shibboleth Configuration Request Form, you'll need to provide the following information:
  - The name of your service
  - The redirect URL(s) for your service
  - Contact information for the people supporting and configuring your service
Resources to assist with installation and configuration
UMich GitHub SSO examples
For SSO examples, including angular-sp, django-oidc, flask-authlib-oidc, flask-flask_oidc, and mod_auth_openidc, see the SSO Examples in GitHub.
Configure Apache HTTP Server to Authenticate Visitors Using OIDC
For instructions on how to configure Apache HTTP Server (httpd) to authenticate visitors using OIDC for Single Sign-On, see Configure Apache HTTP Server to Authenticate Visitors Using OIDC.
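The following is an added example, not the page's or ITS's own configuration, showing how the setup steps above (discovery metadata, client ID and secret from IAM, registered redirect URL) fit together in a mod_auth_openidc configuration for Apache httpd. The hostname, the /protected path, the requested scopes, the remote-user claim and the placeholder credential values are assumptions; substitute the values issued for your service.

```apache
# Added example: minimal mod_auth_openidc Relying Party configuration.
# Assumed values are marked as placeholders.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Step 1: point the RP at the U-M Shibboleth IdP discovery document (URL from this page).
# The module fetches issuer, endpoints and signing keys (jwks_uri) from here,
# so no endpoint URLs need to be hard-coded.
OIDCProviderMetadataURL https://shibboleth.umich.edu/.well-known/openid-configuration

# Step 2: client ID and secret are issued by ITS IAM after the request form is processed.
# Placeholders; keep the real secret out of version control and world-readable files.
OIDCClientID     CLIENT_ID_FROM_IAM
OIDCClientSecret CLIENT_SECRET_FROM_IAM

# The redirect URI must match exactly what was submitted on the request form
# (scheme, host, port and path). It is a path the module handles itself; do not
# serve content there. Hostname is an assumed placeholder.
OIDCRedirectURI https://your-service.example/protected/redirect_uri

# Passphrase used to encrypt the module's session and state cookies.
OIDCCryptoPassphrase CHANGE_ME_TO_A_LONG_RANDOM_VALUE

# Scopes to request (assumed); which claims are actually released is governed by
# the U-M attribute release policy, not by this line.
OIDCScope "openid email profile"

# Claim exposed to the application as REMOTE_USER (assumed; the module default is "sub").
OIDCRemoteUserClaim preferred_username

# Only this location requires login; the redirect URI above lives beneath it so
# the module sees the callback.
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

With this in place, an unauthenticated request to /protected is redirected to the U-M IdP; after login the module validates the ID token against the keys published in the discovery document, sets an encrypted session cookie, and passes the chosen claim to the application as REMOTE_USER. Reload httpd after editing, and confirm the redirect URI in the file is byte-for-byte the one registered with IAM, since the IdP rejects callbacks to any other address.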
Drupal-OIDC
The OpenID Connect module provides a pluggable client implementation for the OpenID Connect protocol. The following resources will get you started installing and setting up the OpenID Connect module.
- New Drupal 7 website setup to authenticate using OIDC
- Configure Drupal 7 website to restrict access to pages using MCommunity groups
- New Drupal 9 website setup to authenticate using OIDC
- Configure Drupal 9 website to restrict access to pages using MCommunity groups
WordPress
- UMich OIDC Login plugin: Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups
- Alternative: OpenID Connect Generic Client plugin: Install and Configure OpenID Connect (OIDC) Client for WordPress
PHP web applications other than Drupal and WordPress
- Migrating existing PHP App to use OIDC for Web Application-based Authentication
- New PHP App setup to authenticate using OIDC
Additional Instructions
Attributes
See U-M Shibboleth Attribute Release Policy and Procedure.
After your service is set up
The ITS Identity and Access Management team will contact you to let you know that your service has been set up. The IAM team will provide a client ID and secret, and will make the necessary update(s) to the OIDC configuration on the IdP. It may take up to two business days to enable a new OIDC SP in production.
If you're adding Shibboleth with OIDC to a vendor-provided service, the Identity and Access Management team is happy to work with the vendor on technical issues, but it is expected that you will maintain the vendor relationship and initiate contact with the vendor when needed.