This document describes the process of installing, configuring and deploying a Shibboleth 2.0 Service Provider, in the UC San Diego Shibboleth environment. The reader is expected to be a system administrator having most if not all of the following list of basic skills:

  • familiarity with the local operating system, including how to install software and manipulating system services
  • familiarity with the local web server
  • basic understanding of SSL and installation of certificates
  • basic understanding of XML documents

What is Shibboleth?

Shibboleth is a web-based Single Sign-On infrastructure. It is based on SAML, a standard for web authentication through SOAP. Shibboleth has been adopted by the University of California as the basis for federated Single Sign-On between campuses ( It has also been adopted by UC San Diego as the standard way to access web applications on campus.

Why should I use it?

Using Shibboleth has several security and operational benefits over going direct to one of the authentication mechanisms.

  • Your server never handles the passwords so anything that goes wrong can't compromise the credentials.
  • The Shibboleth service has additional account misuse and fraud detection capabilities that will bypassed by going direct.
  • The Shibboleth service has Logging infrastructure that meets campus requirements.
  • Future proof: with Shibboleth you aren't binding yourself to a specific mechanism of authentication; instead you are binding to a piece of middleware that allows you to pick from the many authentication mechanisms.
  • Integration with Roles, MyAffiliates, and other core identity management systems on campus.


Identity Provider (IdP)
This is the server that handles authentication of users. UCSD has deployed an IdP ( for the entire campus to use.
Service Provider (SP)
An IdP is pointless without Service Providers. Service Providers are web applications, resources, or other services which require authentication. The Shibboleth SP software allows most modern web servers (namely Apache and IIS) to integrate with an IdP or a number of IdPs. Many departments at UC San Diego have successfully deployed the SP software to integrate with UCSD's IdP.