Shibboleth

Single Sign On (SSO) for your university and Portfolium

What is Shibboleth?

Shibboleth is an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. Portfolium uses Shibboleth as a participating service provider in the InCommon Federation.

Current InCommon Participants
InCommon Federation: Participant Operational Practices

Portfolium Shibboleth FAQ

What information does Portfolium retrieve from a Shibboleth Identity Provider?

Portfolium retrieves and uses the following attributes:

  • eduPersonPrincipalName: A scoped identifier of the form user@scope; commonly, but not always, the user's school email address
  • eduPersonAffiliation: The user's relationship to the institution (student, faculty, alumni); this attribute may carry several values
  • givenName: User's first name
  • sn: User's last name
  • mail: User's email address

What does Portfolium do with the information it retrieves?

Portfolium authenticates the existing account matching the provided eduPersonPrincipalName (EPPN) and creates a new account if none exists for that EPPN.

Is the connection between the Identity Providers and Portfolium secure?

Yes. All SAML traffic between the Identity Provider and Portfolium is carried over HTTPS (TLS), and the assertions are signed by the IdP's signing credential. With the relying-party configuration below (encryptAssertions="conditional"), the IdP additionally encrypts assertions for Portfolium whenever Portfolium's metadata publishes an encryption key.

How does Portfolium use the eduPersonPrincipalName (EPPN) if my school does not use the EPPN as a unique email?

If your eduPersonPrincipalName (EPPN) is an opaque unique ID rather than a deliverable email address, release the mail attribute as well: the EPPN then serves as the unique identifier and mail supplies the user's email address.

Portfolium links the EPPN as a "spoke" to the core Portfolium identity, so the identity can be looked up by EPPN on later logins even if the user's email address or name changes.

What does Portfolium use the eduPersonAffiliation for?

Portfolium is used by students, alumni, and educators at each of its partner universities. The smart onboarding experience is customized depending on whether the user is a student, an alumnus, or faculty.

Therefore, the eduPersonAffiliation is used to categorize the user in the system as one of the above.
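The handling described in the three answers above, as an added example (illustrative Python, not Portfolium's own code): it keys accounts on the EPPN as a spoke, prefers mail when the EPPN is an opaque identifier, and chooses an onboarding category from a multi-valued eduPersonAffiliation. The IdP entityID, its registered scope (IDP_SCOPES), the in-memory Directory, the affiliation precedence and the sample attribute sets are all assumptions constructed for the example. It also makes explicit one check the text does not mention: the EPPN's scope is verified against the asserting IdP, which is what stops one federation member from asserting another institution's identifiers.

```python
"""Added example: one way an SP can consume the attributes listed above.

Illustrative code, not Portfolium's implementation. Assumed (not on the page):
attributes arrive as a dict of lists (SAML attributes are multi-valued), the
IdP's registered scope(s) are known from federation metadata (IDP_SCOPES),
accounts live in an in-memory directory, and the affiliation precedence below.
"""
import itertools
from dataclasses import dataclass, field

# Assumed scopes from federation metadata for each IdP entityID. The Shibboleth
# SP enforces scope against metadata itself; it is spelled out here to make the
# check visible: without it any federated IdP could assert alice@example.edu.
IDP_SCOPES = {"https://idp.example.edu/idp/shibboleth": {"example.edu"}}

# eduPersonAffiliation is multi-valued; the onboarding category is chosen by
# this assumed precedence (a current student who is also an alum is a student).
AFFILIATION_PRECEDENCE = (("faculty", "faculty"), ("staff", "faculty"),
                          ("student", "student"), ("alum", "alumni"))

# Constructed sample attribute sets (not real users).
IDP = "https://idp.example.edu/idp/shibboleth"
SAMPLE_FIRST_LOGIN = {"eduPersonPrincipalName": ["alice@example.edu"],
                      "eduPersonAffiliation": ["member", "student"],
                      "givenName": ["Alice"], "sn": ["Smith"]}
SAMPLE_RETURN_LOGIN = {"eduPersonPrincipalName": ["alice@example.edu"],
                       "eduPersonAffiliation": ["alum"],
                       "givenName": ["Alice"], "sn": ["Jones"],
                       "mail": ["alice.jones@alumni.example.edu"]}
SAMPLE_OPAQUE_EPPN = {"eduPersonPrincipalName": ["u12345@example.edu"],
                      "mail": ["bob@example.edu"], "givenName": ["Bob"], "sn": ["Lee"]}


@dataclass
class Identity:
    id: int
    email: str
    given_name: str
    surname: str
    category: str
    spokes: set = field(default_factory=set)  # (idp_entity_id, eppn) links


def first(attrs, name):
    values = attrs.get(name) or []
    return values[0] if values else None


def check_eppn_scope(idp_entity_id, eppn):
    """Reject an EPPN whose scope the asserting IdP is not registered for."""
    if "@" not in eppn:
        raise ValueError("eduPersonPrincipalName must be scoped: %r" % eppn)
    scope = eppn.rsplit("@", 1)[1].lower()
    if scope not in IDP_SCOPES.get(idp_entity_id, set()):
        raise ValueError("scope %r is not registered for %s" % (scope, idp_entity_id))


def onboarding_category(affiliations):
    values = {a.lower() for a in affiliations}
    for affiliation, category in AFFILIATION_PRECEDENCE:
        if affiliation in values:
            return category
    return "unknown"


class Directory:
    def __init__(self):
        self._identities = {}   # id -> Identity
        self._by_spoke = {}     # (idp_entity_id, eppn) -> id
        self._next_id = itertools.count(1)

    def login(self, idp_entity_id, attrs):
        eppn = first(attrs, "eduPersonPrincipalName")
        if eppn is None:
            raise ValueError("eduPersonPrincipalName was not released")
        check_eppn_scope(idp_entity_id, eppn)

        # An EPPN is always scoped like an address but need not be a mailbox,
        # so prefer mail when the IdP releases it and fall back to the EPPN.
        email = first(attrs, "mail") or eppn
        given = first(attrs, "givenName") or ""
        surname = first(attrs, "sn") or ""
        category = onboarding_category(attrs.get("eduPersonAffiliation") or [])

        spoke = (idp_entity_id, eppn)
        ident = self._identities.get(self._by_spoke.get(spoke))
        if ident is None:
            ident = Identity(next(self._next_id), email, given, surname, category, {spoke})
            self._identities[ident.id] = ident
            self._by_spoke[spoke] = ident.id
        else:
            # The spoke is the stable key; email, name and affiliation may change.
            ident.email, ident.given_name, ident.surname = email, given, surname
            ident.category = category
        return ident


if __name__ == "__main__":
    d = Directory()
    print(d.login(IDP, SAMPLE_FIRST_LOGIN))
    print(d.login(IDP, SAMPLE_RETURN_LOGIN))   # same id, updated email and name
    print(d.login(IDP, SAMPLE_OPAQUE_EPPN))    # new identity keyed by the opaque EPPN
```

Run as a script, the first two logins return the same identity (id 1) with the email and surname updated from the second assertion, and the opaque-EPPN user gets a second identity whose email comes from mail. An EPPN such as mallory@other.edu asserted by the example IdP is rejected before any lookup happens.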

How does my IT team configure Shibboleth for Portfolium?

You'll need your IT team to update your attribute-filter.xml file with the following configuration:

Note: These are guidelines rather than an exact recipe. The syntax shown (the afp: and basic: prefixes, basic:AttributeRequesterString, basic:ANY) is that of Shibboleth IdP 2.x. IdP 3.x and later declare the filter namespace as the default in attribute-filter.xml and use unprefixed types (Requester, ANY, OR), so the afp: prefix will cause a parse error there; drop the prefixes and adjust the xsi:type values accordingly. The attributeIDs must also match the names defined in your attribute-resolver.xml. The policy deliberately releases only to the two Portfolium entityIDs listed in the requirement rule; do not widen it to ANY.

    <!-- Release to Portfolium -->
    <afp:AttributeFilterPolicy id="portfolium.filter">

        <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://portfolium.com/shibboleth" />
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://qa.portfolium.com/shibboleth" />
        </afp:PolicyRequirementRule>

        <!-- transientId is the source of the SAML transient NameID -->
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="sn">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>
                    
Also, depending on how the default relying party on your IdP is set up, you may need a relying-party entry for each Portfolium entityID (IdP 2.x relying-party.xml syntax shown; the provider attribute is your IdP's own entityID, not Portfolium's):
    <RelyingParty
        id="https://portfolium.com/shibboleth"
        provider="YOUR_ENTITY_ID_HERE"
        defaultSigningCredentialRef="IdPCredential">
        <!-- "conditional": encrypt when Portfolium's metadata carries an encryption key -->
        <ProfileConfiguration
            xsi:type="saml:SAML2SSOProfile"
            encryptAssertions="conditional"
            encryptNameIds="conditional">
        </ProfileConfiguration>
    </RelyingParty>
    <RelyingParty
        id="https://qa.portfolium.com/shibboleth"
        provider="YOUR_ENTITY_ID_HERE"
        defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration
            xsi:type="saml:SAML2SSOProfile"
            encryptAssertions="conditional"
            encryptNameIds="conditional">
        </ProfileConfiguration>
    </RelyingParty>
                        
* Remember to replace YOUR_ENTITY_ID_HERE (the provider attribute) with your IdP's own entityID.
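An added check for the IT-team configuration step above (example code, not Portfolium's or the Shibboleth project's): a short Python script that parses attribute-filter.xml and reports, per Portfolium entityID, which attributes the policies release, which of the FAQ's attributes are missing, and which extra attributes are released beyond them. The two embedded policy files are constructed samples: the first is the 2.x policy shown above wrapped in its policy group, the second a 3.x-style file with deliberate mistakes. Attribute names are assumed to match those in your attribute-resolver.xml.

```python
"""Added example: audit attribute-filter.xml before enabling the release policy.

Not Portfolium's or Shibboleth's code. It parses the file with the standard
library and reports, for each Portfolium entityID, which attributes the
policies release and how that compares with the set this FAQ lists. Elements
are matched by local name, so the afp:-prefixed 2.x form above and the
unprefixed 3.x+ form are handled alike. Assumed: the attributeIDs use the
names below (they must match your attribute-resolver.xml) and requester rules
carry the entityID in a value attribute (AttributeRequesterString / Requester).
"""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
PORTFOLIUM_REQUESTERS = {"https://portfolium.com/shibboleth",
                         "https://qa.portfolium.com/shibboleth"}
# The attributes the FAQ lists, plus transientId for the transient NameID.
EXPECTED = {"transientId", "eduPersonPrincipalName", "eduPersonAffiliation",
            "givenName", "sn", "mail"}


def local(tag):
    return tag.rsplit("}", 1)[-1]


def iter_local(elem, name):
    return (e for e in elem.iter() if local(e.tag) == name)


def audit(xml_text):
    """Map each Portfolium entityID to released/missing/extra attribute sets.

    The "*" key lists attributes released by policies whose requirement rule is
    ANY, i.e. to every SP; those count as released to Portfolium as well.
    """
    root = ET.fromstring(xml_text)
    released_to = {r: set() for r in PORTFOLIUM_REQUESTERS}
    released_to["*"] = set()
    for policy in iter_local(root, "AttributeFilterPolicy"):
        req = next(iter_local(policy, "PolicyRequirementRule"), None)
        if req is None:
            continue
        if (req.get(XSI_TYPE) or "").rsplit(":", 1)[-1] == "ANY":
            targets = {"*"}
        else:  # OR/Requester rules: collect every entityID named in a value attribute
            targets = {r.get("value") for r in req.iter() if r.get("value")}
        attrs = {a.get("attributeID") for a in iter_local(policy, "AttributeRule")
                 if next(iter_local(a, "PermitValueRule"), None) is not None}
        for target in targets & set(released_to):
            released_to[target] |= attrs
    report = {"*": released_to["*"]}
    for requester in PORTFOLIUM_REQUESTERS:
        got = released_to[requester] | released_to["*"]
        report[requester] = {"released": got, "missing": EXPECTED - got,
                             "extra": got - EXPECTED}
    return report


# Constructed sample 1: the 2.x policy from this page, wrapped in its policy group.
SAMPLE_V2 = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
  xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <afp:AttributeFilterPolicy id="portfolium.filter">
  <afp:PolicyRequirementRule xsi:type="basic:OR">
   <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://portfolium.com/shibboleth"/>
   <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://qa.portfolium.com/shibboleth"/>
  </afp:PolicyRequirementRule>
  <afp:AttributeRule attributeID="transientId"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonAffiliation"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  <afp:AttributeRule attributeID="sn"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
 </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# Constructed sample 2: a 3.x-style file that omits mail, over-releases
# employeeNumber, forgets the QA entityID and releases one attribute to everyone.
SAMPLE_V3 = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
  xmlns="urn:mace:shibboleth:2.0:afp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <AttributeFilterPolicy id="releaseToEveryone">
  <PolicyRequirementRule xsi:type="ANY"/>
  <AttributeRule attributeID="eduPersonScopedAffiliation"><PermitValueRule xsi:type="ANY"/></AttributeRule>
 </AttributeFilterPolicy>
 <AttributeFilterPolicy id="portfolium.filter">
  <PolicyRequirementRule xsi:type="Requester" value="https://portfolium.com/shibboleth"/>
  <AttributeRule attributeID="transientId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="sn"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="employeeNumber"><PermitValueRule xsi:type="ANY"/></AttributeRule>
 </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

if __name__ == "__main__":
    for name, text in (("page policy", SAMPLE_V2), ("broken policy", SAMPLE_V3)):
        print(name, audit(text))
```

For the page's own policy the report shows no missing and no extra attributes for both entityIDs. For the broken sample it flags mail as missing and employeeNumber as an over-release for the production entityID, shows the QA entityID receiving nothing it needs, and lists eduPersonScopedAffiliation under "*" because the ANY policy hands it to every SP in the federation.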