Shibboleth/SAML Integration

Shibboleth is a federated identity Provider or "IdP", that supports SAML 2.0 authentication and participates in the InCommon Federation. Client applications that use Shibboleth are known as "Service Providers" or "SPs". If an SP supports single sign-on using SAML 2.0, a Columbia school or department can use Shibboleth for authentication and authorization to that SP.

The Shibboleth authentication service is offered to central business units and departments at Columbia. It is available for administrative and academic applications that require authentication to perform university business. Configuring an SP to use the Columbia IdP can be a complex process—there is often some discussion and debugging required in order to enable a new SP. This process is greatly simplified if the SP is a member of the InCommon Federation.

CUIT’s Shibboleth IdP is used by approximately 50 applications including CUIT and CUIMC ServiceNow, SABA Cloud, Equifax Employment Verification, Paperless Employee "My W2", Blackboard Transact, and Salesforce Inc.

The Shibboleth IdP can be configured to release a specific selection of user attributes to a given SP. However CUIT uses the standard set of attributes recommended by InCommon. Please note that these attributes are available only for users who have Columbia UNI.

  • eduPersonPrincipalName (EPPN): A unique identifier for a user. Has the form [email protected] Application managers and developers are encouraged to use EPPN instead of UNI or mail as a user's unique identifier.
  • eduPersonScopedAffiliation: One or more of the following values: "faculty", "staff", "student", "affiliate", and "member".
  • sn: Surname, last name.
  • givenName: first name.
  • mail: email address.
  • displayName: A single string value containing the name to be used for display purposes.

In addition to these standard InCommon attributes, SPs can also request the release of other attributes available within CUIT LDAP. Please note that approval is subject to verified business need, and there may be delays in approval and setup if an attribute has not been previously released to other applications.