Authenticating Your Duke Site

Duke supports electronic authorization to resources via Shibboleth, an open-source authorization provider created by Internet2, a community of academic, research, industrial, and governmental institutions.

This site contains resources for getting your site or service protected by Shibboleth.

Locally-Developed Sites/Services

Guidelines for protecting sites or services developed at or specifically for Duke.

Before you get started with installing and configuring Shibboleth, you need to be able to modify files on your server. If this is not the case, consult with an administrator so that you can make changes.

Familiarize yourself with the vocabulary

The steps below outline the process of getting your site protected with Shibboleth.

  1. Install the Shibboleth Service Provider (SP) software
  2. Configure the SP to protect your site
  3. Register your site with the Duke Identity Provider (IdP)
  4. Test authentication and authorization

It is now time to collect information from the Service Provider (SP) you just configured.

The items below are found in the Shibboleth configuration directory on your application server:

Windows default directory: c:\opt\shibboleth-sp\etc\shibboleth

Linux default directory: /etc/shibboleth

  • EntityID: The EntityID value set in the shibboleth2.xml file.
  • Certificate: Find the sp-cert.pem file inside the Shibboleth directory. When registering your Service Provider (SP), paste only the text between the BEGIN CERTIFICATE and END CERTIFICATE lines into the certificate field.
  • Assertion Consumer Service URL (ACS): The Assertion Consumer Service URL is usually the fully qualified domain name plus Shibboleth.sso/SAML2/POST, for example: https://mysite.duke.edu/Shibboleth.sso/SAML2/POST
    Download the SAML tracer plugin if you are unsure what the Assertion Consumer Service URL is.
  • The default directory protected by Shibboleth is the /secure path on your server.
  • Using a web browser that is not already logged into Shibboleth, attempt to navigate to a part of your site that should be protected by Shibboleth. If everything is configured correctly, you will be redirected to a login page whose URL begins with https://shib.oit.duke.edu
  • You can now make configuration changes to protect a certain path within your server. Take a look at our attributes and authorization document to make such changes.
  • If you encountered an error, take a look at our common errors page.
  • Take a look at the Shibboleth Documentation for further reference.
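The following Python script is an added illustration of collecting the EntityID, certificate and ACS URL items listed above; it is example code written for this page, not Duke's or the Shibboleth project's own tooling. It reads the entityID and handlerURL attributes from shibboleth2.xml, keeps only the base64 body of sp-cert.pem (rejecting a copy that still contains the BEGIN/END marker lines or is not a certificate at all), and builds the SAML2 POST ACS URL from the hostname. The shibboleth2.xml excerpt, the certificate text and the hostname mysite.duke.edu embedded in it are constructed samples.

```python
"""Collect the details needed to register a locally-installed Shibboleth SP.

Added example, not Duke's or the Shibboleth project's code. Reads the
entityID from shibboleth2.xml, extracts the certificate body from
sp-cert.pem (without the BEGIN/END marker lines) and derives the SAML2 POST
Assertion Consumer Service URL. The XML and PEM text below are constructed
for this example; the certificate body is a placeholder, not a real key.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed miniature shibboleth2.xml; a real file has many more elements.
SAMPLE_SHIBBOLETH2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://mysite.duke.edu/shibboleth"
                       REMOTE_USER="eppn">
    <Sessions lifetime="28800" handlerURL="/Shibboleth.sso" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed placeholder sp-cert.pem; the base64 lines are not a real cert.
SAMPLE_SP_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERLINE1
MIIBPLACEHOLDERLINE2
-----END CERTIFICATE-----
"""

BEGIN_MARKER = "-----BEGIN CERTIFICATE-----"
END_MARKER = "-----END CERTIFICATE-----"


def _qualified(root: ET.Element, tag: str) -> str:
    # shibboleth2.xml uses a versioned default namespace (2.0 or 3.0 SP);
    # take it from the root element rather than hard-coding one version.
    if root.tag.startswith("{"):
        return "{" + root.tag[1:].split("}")[0] + "}" + tag
    return tag


def entity_id_from_config(config_xml: str) -> str:
    """Return the entityID attribute of <ApplicationDefaults>."""
    root = ET.fromstring(config_xml)
    app = root.find(_qualified(root, "ApplicationDefaults"))
    if app is None or "entityID" not in app.attrib:
        raise ValueError("shibboleth2.xml has no ApplicationDefaults entityID")
    return app.attrib["entityID"]


def handler_url_from_config(config_xml: str) -> str:
    """Return the Sessions handlerURL, falling back to the SP default."""
    root = ET.fromstring(config_xml)
    path = _qualified(root, "ApplicationDefaults") + "/" + _qualified(root, "Sessions")
    sessions = root.find(path)
    if sessions is None:
        return "/Shibboleth.sso"
    return sessions.attrib.get("handlerURL", "/Shibboleth.sso")


def certificate_body(pem: str) -> str:
    """Return only the base64 lines between the BEGIN/END CERTIFICATE markers.

    Registration forms expect just that body; a file without a certificate
    block (for example sp-key.pem pasted by mistake) is rejected.
    """
    lines = [line.strip() for line in pem.splitlines()]
    if BEGIN_MARKER not in lines or END_MARKER not in lines:
        raise ValueError("input does not contain a PEM certificate block")
    start, end = lines.index(BEGIN_MARKER), lines.index(END_MARKER)
    body = [line for line in lines[start + 1:end] if line]
    if not body:
        raise ValueError("empty certificate block")
    # Fail early if the body is not valid base64 (stray text, wrong file).
    base64.b64decode("".join(body), validate=True)
    return "\n".join(body)


def acs_url(hostname: str, handler_url: str = "/Shibboleth.sso") -> str:
    """SAML2 HTTP-POST ACS URL: https://<host><handlerURL>/SAML2/POST."""
    return f"https://{hostname}{handler_url}/SAML2/POST"


def collect_registration_info(config_xml: str, pem: str, hostname: str) -> dict:
    """Assemble the three items the SP registration form asks for."""
    return {
        "entityID": entity_id_from_config(config_xml),
        "certificate": certificate_body(pem),
        "acs": acs_url(hostname, handler_url_from_config(config_xml)),
    }


if __name__ == "__main__":
    info = collect_registration_info(
        SAMPLE_SHIBBOLETH2_XML, SAMPLE_SP_CERT_PEM, "mysite.duke.edu")
    for key, value in info.items():
        print(f"{key}:\n{value}\n")
```

To use it on a real server, read shibboleth2.xml and sp-cert.pem from the directory named above and pass their contents, together with your site's fully qualified domain name, to collect_registration_info; the script only derives the ACS URL, so confirm it against what the SAML tracer plugin shows if your handlerURL is non-standard.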

Vendor Sites/Services

Guidelines for protecting sites or services offered by vendors.

  • Make sure the vendor completes the Vendor risk assessment. This is important because it tells us what the vendor supports and whether it meets the requirements for integrating with Duke. Visit the Duke Security website if you have questions regarding choosing a vendor.
  • It is advisable to familiarize yourself with the vocabulary. Familiarity with the vocabulary will help you connect the dots if problems arise at any point during the integration.
  • Check the following list to see if your vendor is part of InCommon: InCommon participants
  • If your vendor is an InCommon participant, please submit a Shibboleth integration support request with the vendor's EntityID and any attributes the vendor needs to be provided about users upon login.
  • If the above does not apply to your vendor, move on to the Getting Started section.

Provide your vendor contact with the following:

  • The Duke metadata is important since it contains information that identifies the Identity Provider (Duke). Your Service Provider (vendor) will use this information to redirect users to the Duke Shibboleth NetID login page.
    The certificate in the Duke metadata is used to sign the responses and assertions produced by the Identity Provider (IdP).
  • Give your vendor the Metadata Signing Certificate. This certificate is used to sign the Identity Provider's (IdP) Metadata.
  • Occasionally, vendors require a SHA256 signing certificate.

It is time to collect information that will be used in the Register Service Provider (SP) section below.

For reference, take a look at our vocabulary document.

You will need the following items to register the Service Provider (SP) with the Duke Identity Provider (IdP) in the next step.

  1. EntityID
  2. Certificate used for encryption
  3. Assertion Consumer Service URL (ACS)
  4. Attributes the Service Provider (SP) will need

Usually you will find the above items in the vendor's Service Provider (SP) metadata.
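As an added example of pulling those four items out of SP metadata (example code written for this page, not Duke's or any vendor's tooling), the Python below parses a SAML 2.0 EntityDescriptor and returns the EntityID, the certificate(s) marked for encryption, the HTTP-POST Assertion Consumer Service URL and the requested attributes. It also refuses a non-HTTPS ACS endpoint, since assertions carrying user attributes are posted to it. The metadata document, the vendor hostname vendor.example.com and the certificate bodies are constructed samples.

```python
"""Extract registration details from a vendor's SAML 2.0 SP metadata.

Added example, not Duke's or any vendor's code. The metadata below is
constructed for this example (vendor.example.com, placeholder certificates).
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; certificate bodies are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vendor.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBSIGNINGPLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBENCRYPTIONPLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://vendor.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor.example.com/saml/acs"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Vendor App</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _q(ns: str, tag: str) -> str:
    return f"{{{ns}}}{tag}"


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entityID, encryption certs, POST ACS URL and requested attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(MD, "EntityDescriptor"):
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(_q(MD, "SPSSODescriptor"))
    if sp is None:
        raise ValueError("metadata describes no Service Provider")

    # Certificates the IdP will encrypt assertions to. A KeyDescriptor with
    # no 'use' attribute is valid for both signing and encryption.
    encryption_certs = []
    for kd in sp.findall(_q(MD, "KeyDescriptor")):
        if kd.attrib.get("use") in (None, "encryption"):
            for cert in kd.iter(_q(DS, "X509Certificate")):
                encryption_certs.append("".join((cert.text or "").split()))

    # HTTP-POST ACS endpoint: prefer isDefault="true", then the lowest index.
    post_endpoints = [
        acs for acs in sp.findall(_q(MD, "AssertionConsumerService"))
        if acs.attrib.get("Binding") == HTTP_POST
    ]
    if not post_endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    post_endpoints.sort(key=lambda acs: (acs.attrib.get("isDefault") != "true",
                                         int(acs.attrib.get("index", "0"))))
    acs_url = post_endpoints[0].attrib["Location"]
    # Assertions carry user attributes; refuse a plaintext endpoint.
    if not acs_url.startswith("https://"):
        raise ValueError(f"ACS URL is not HTTPS: {acs_url}")

    requested = [
        {"name": ra.attrib["Name"],
         "friendly_name": ra.attrib.get("FriendlyName"),
         "required": ra.attrib.get("isRequired") == "true"}
        for ra in sp.iter(_q(MD, "RequestedAttribute"))
    ]
    return {"entityID": root.attrib["entityID"],
            "encryption_certificates": encryption_certs,
            "acs_url": acs_url,
            "requested_attributes": requested}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_sp_metadata(SAMPLE_SP_METADATA), indent=2))
```

Pass the metadata file the vendor sent you to parse_sp_metadata; if it contains no RequestedAttribute elements, the attribute list comes back empty and you will need to ask the vendor which attributes they expect before submitting the registration.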

  • Using a web browser (private/incognito window) that is not already logged into Shibboleth, attempt to navigate to a part of your site that should be protected by Shibboleth.
  • You should be prompted with the Duke Shibboleth NetID login page. If you see an error stating that the Identity Provider (IdP) does not recognize your Service Provider (SP), make sure you registered the correct EntityID during registration.
  • If you authenticated successfully with your NetID and password but received an error afterwards, contact your vendor for help with the issue. You can submit a help request if the vendor requires custom changes for their Service Provider (SP).