Shibboleth at the University of Wuerzburg
Shibboleth for Users
What is shibboleth?
Shibboleth is a method for distributed authentication and authorization which web applications can use. It lets you log on once and then use various applications, both within the university and within the federation.
How does shibboleth work?
Shibboleth calls an application a Service Provider (SP). On first use of an application within a browser session you are redirected to the discovery service. There you choose the institution you belong to (University of Wuerzburg). This brings you to the Identity Provider of the University of Wuerzburg, WueLogin. Here you log in with the account given to you by the computer center. After a successful login you can use the application.
The next application within the same browser session recognizes that you are already logged in and takes you directly to the application.
The scope of shibboleth
Once you are logged in, you do not have to log in again to use further applications which are organized within the same federation. This is called Single Sign-On. The University of Wuerzburg is a member of the DFN-AAI federation. DFN is the German National Research and Education Network (see www.dfn.de). All members have signed a contract with the DFN which ensures compliance with the rules of this federation. Further details regarding the DFN-AAI federation are here. A list of applications and identity providers within the DFN-AAI can be found at the linked sites.
Shibboleth enables an application for members of other participating institutions within the same federation. The provider of the application decides which people are entitled to use the application, in compliance with licenses and legal requirements. These may for example include all students and/or all employees of the University of Wuerzburg.
Security and Protection of privacy
Transmission of personal data to other institutions is governed by the data privacy protection policy of the University of Wuerzburg. The Shibboleth system makes it possible to minimize the transmission of personal data. A service provider receives the following information from the identity provider of the University of Wuerzburg. None of these include any personal information:
- unique identifier
- affiliation (student, employee or member)
- scoped affiliation (such as email@example.com)
- application specific entitlements
Individual applications may need further data. Before these are transmitted, the provider of the application, the identity provider and the data protection officer must agree on them. Formal agreements must be in place before these data can be transmitted. If you want to look at these written agreements, please contact the data protection officer.
All providers within the federation of the German National Research and Education Network have committed themselves to abiding by data privacy protection policies.
Transmission of data happens at the moment you use the Shibboleth-protected application. If you do not agree to the transmission of the attributes listed above, do not use the application in question.
Your password is not transmitted when you log in via Shibboleth. Verification of your password happens exclusively on servers hosted within and controlled by the computer center of the University of Wuerzburg.
Shibboleth does not support Single Logout at present. This means that logging out of one application does not automatically log you out of all other applications.
Your session expires after a predefined period of inactivity.
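The following is an added illustration, not code from the University of Wuerzburg or from the Shibboleth project. It models the login flow described above (SP, discovery service, Identity Provider) together with the attribute release rules of this section: the SP never sees the password, the IdP releases only the default attribute set unless a written agreement covers more, a second SP in the same browser session reuses the existing IdP login, and logging out of one SP leaves the IdP session and the other SP sessions in place (no Single Logout). All user records, entity IDs and attribute names below are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory at the (hypothetical) IdP; not real accounts.
IDP_USERS = {
    "s1234": {
        "password": "correct horse",            # constructed; checked only at the IdP
        "uniqueID": "s1234@uni-wuerzburg.de",   # constructed identifier
        "affiliation": "student",
        "scopedAffiliation": "student@uni-wuerzburg.de",
        "entitlement": ["urn:mace:example:library"],
        "mail": "s1234@example.org",            # personal data: released only by agreement
        "displayName": "Sample Student",        # personal data: never released here
    }
}

# Attributes every SP receives by default (the list given on this page).
DEFAULT_RELEASE = ("uniqueID", "affiliation", "scopedAffiliation", "entitlement")

# Extra attributes an SP may receive only after a written agreement
# (hypothetical SP entity IDs).
AGREEMENTS = {
    "https://sp-library.example.org": ("mail",),
}


def release_attributes(user, sp_entity_id):
    """Return the attributes the IdP sends to this SP: the default set plus
    only those extras covered by a recorded agreement. The password is
    never part of any release."""
    allowed = set(DEFAULT_RELEASE) | set(AGREEMENTS.get(sp_entity_id, ()))
    return {k: v for k, v in user.items() if k in allowed and k != "password"}


@dataclass
class BrowserSession:
    """One browser session: a login state at the IdP plus one session per SP."""
    idp_user: Optional[str] = None
    sp_sessions: dict = field(default_factory=dict)


def idp_login(session, username, password):
    """Password verification happens only here, at the IdP."""
    user = IDP_USERS.get(username)
    if user is None or user["password"] != password:
        return False
    session.idp_user = username
    return True


def access_sp(session, sp_entity_id, credentials=None):
    """Simulate the browser visiting an SP. Returns (outcome, attributes).
    outcome is 'already-logged-in' (SP session exists), 'sso' (IdP session
    reused without a prompt), 'login' (fresh login at the IdP) or 'denied'."""
    if sp_entity_id in session.sp_sessions:
        return "already-logged-in", session.sp_sessions[sp_entity_id]
    if session.idp_user is None:
        # Redirect: SP -> discovery service -> IdP login form.
        if credentials is None or not idp_login(session, *credentials):
            return "denied", None
        outcome = "login"
    else:
        outcome = "sso"
    attrs = release_attributes(IDP_USERS[session.idp_user], sp_entity_id)
    session.sp_sessions[sp_entity_id] = attrs  # the SP stores only what it received
    return outcome, attrs


def sp_logout(session, sp_entity_id):
    """Log out of one SP only; the IdP login and other SP sessions remain
    (there is no Single Logout)."""
    session.sp_sessions.pop(sp_entity_id, None)
    return session.idp_user is not None


if __name__ == "__main__":
    s = BrowserSession()
    print(access_sp(s, "https://sp-library.example.org", ("s1234", "correct horse")))
    print(access_sp(s, "https://sp-wiki.example.org"))
    print(sp_logout(s, "https://sp-wiki.example.org"), s.sp_sessions.keys())
```

Run as a script, the first visit ends in a fresh login and a release that includes the agreed `mail` attribute, the second SP is served by SSO with only the four default attributes, and the logout removes just that SP's session while the IdP login survives.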
When you use Shibboleth-secured applications from public places, such as an internet cafe, please follow this advice:
- Before you leave, delete the private data of your browser (including your Shibboleth session key). In Firefox choose Tools: Clear private data: select all and click Clear now. In Internet Explorer choose Tools: Delete browsing history: delete all.
If you have any questions or suggestions regarding Shibboleth and Single Sign-On at the University of Wuerzburg, contact: firstname.lastname@example.org