Single Sign On

Audience: IT


Bluestem is the primary single sign-on authentication method supported at UIC. Only UIC users can authenticate via Bluestem.

Shibboleth (SAML) is a framework that allows applications to connect to various authentication services on the Internet (including UIC's Bluestem SSO). Shibboleth can be used to allow access to your application from any organization on the Internet that supports SAML. Conversely, it can also be used to allow UIC users access to third-party applications (that support SAML) using their UIC credentials. Note that such third-party applications must be registered with the InCommon Federation:

For more information regarding the yearly InCommon Federation fee structure see (sponsored partners).

Shibboleth Discovery Service - A discovery service is a web page that asks you to select your institution, after which you are redirected to that institution's authentication service. The discovery service for (hosted by for instance asks you to select one of UIUC, UIC, or UIS. If you misclicked and selected the wrong institution you can reset your selection for the discovery service by going to this link:


ACCC provides Bluestem protection for websites hosted with and Web servers for protecting files, PHP programs, and CGI scripts. However, you may have data that requires extra-special protection (e.g. financial or medical), or you may want to run a Web application (e.g. database) or write in a language for which these main servers are not adequate.

In such a case, if you are capable of running your own Web server (i.e. provide a physically secure room, maintain security patches, manage user accounts, run backups, install and troubleshoot software, keep and inspect logs, or use an ACCC Virtual Machine), you can make your web server into a Bluestem Client or Shibboleth Client application server. This will allow your web scripts to authenticate users, using their normal UIC NetID and password, in a very secure manner.


Bluestem on people and webhost

Requires the creation of an allowed.NetIDs file in the directory you want to protect.

Bluestem on a custom server

  • You must run an SSL-capable web server. Apache and IIS are fine. And, of course, the web server must be configured to run CGI scripts.
  • You must obtain an SSL certificate.
  • You must be able to maintain your server, providing all the functions that a good system administrator would provide.



There is no charge for this service.


Further Information 

ACCC Service Level Agreement (SLA)

Service Request Fulfillment Time

2-4 business days.

Incident Resolution Time

2-4 business days.

Service Availability

24x7

Maintenance Window(s)

Approved ACCC maintenance window(s):

Service Notification Channel(s)

ACCC News and Alerts:
REACH distribution email list.

Reviewed to Ensure SLA Meets Business Requirements

Provisional SLA - Currently under IT Governance review.

Date Reviewed

Provisional SLA - Currently under IT Governance review.