Shibboleth is a federated identity framework that allows applications to connect to various authentication services on the Internet, including UIC's Bluestem. The Shibboleth Identity Provider is centrally maintained to provide SAML-compliant authentication services. These services limit the reuse and exposure of user credentials across multiple services.
Shibboleth can be used to give any organization on the Internet that supports SAML access to your application. Conversely, it can also be used to give UIC users access to third-party applications that support SAML, using their UIC credentials.
If a user is capable of running their own web server (i.e., providing a physically secure room, maintaining security patches, managing user accounts, running backups, installing and troubleshooting software, and keeping and inspecting logs, or using an ACCC Virtual Machine), they can make their web server into a Shibboleth Client application server or Bluestem Client. This allows the user's web scripts to authenticate users with their normal UIC NetID and password in a very secure manner.
When one uses an online service, there are two primary actions associated with access:
- Authentication verifies who you are and is the act of ensuring that the person with the credential (login id for example) is the same person that the organization has on file as having permission to use that credential. The verification is done using a password or some other mechanism.
- Authorization is about what you can do and is the act of granting access to the authenticated individual based on role, organizational affiliation, and the like.
If a cloud service requires authentication to UIC Active Directory, a UIC employee needs to request Shibboleth integration to authenticate UIC users and grant access. It is preferred that the third-party application be registered with the InCommon Federation, to prevent disruptions when the identity provider information changes.
Service Level Agreement
| Service Request Fulfillment Time | 2-4 business days. |
| Incident Resolution Time | 2-4 business days. |
| Maintenance Window(s) | Approved ACCC maintenance window(s) |
| Service Notification Channel(s) | ACCC Service Notices, REACH distribution email list |
| Reviewed to Ensure SLA Meets Business Requirements | Provisional SLA - Currently under IT Governance review. |
| Date Reviewed | Provisional SLA - Currently under IT Governance review. |

Service Owner: Ed Zawacki