Understanding Shibboleth for Authentication and Authorization


Shibboleth is a behind-the-scenes mechanism that allows you to access secure sites at other institutions, organizations, and agencies by using your University Computing Account username and password.

Shibboleth is a two-part process: you authenticate through a University of Pittsburgh login, and then the requested institution determines it will authorize your access based on the attributes provided.

It is also a single sign-on process. After you have been authenticated to one site within a federation, you can visit other sites for which you are authorized within that federation without having to authenticate again. This lasts until you close your session (browser) or the session expires, typically in 24 hours.

A few other things you should know:

  • Many institutions, organizations, and agencies support Shibboleth.
  • The key to gaining access to a Shibboleth-supported site is obtaining a website address (URL).
  • You are responsible for following the University of Pittsburgh's policies and procedures, as well as those of the remote site. Ideally, each site will clearly post these; if not, you may need to locate them, possibly by contacting a colleague at that institution.
  • Contact the Technology Help Desk if there are sites you want to access but cannot. Your active participation is critical to making Shibboleth a success at Pitt!




Attributes are bits of information about you. This information either comes from the University's Central Directory System or is derived from this information. Typically, the attributes transmitted to an external website will be information such as your full name and your University affiliation (e.g., student, faculty, or staff).

In most cases this information is already available through the Find People webpage. No unnecessary information will be disclosed to the external website. Any site that requires non-public attributes must have the approval of the data owner and the University's Information Security Officer before it can be released.

Attributes are used by the service provider (i.e., the operators of the external website you want to access) to determine authorization. Essentially they use this information to determine if you should be able to log in and, if so, what information you should have access to view.

See the Shibboleth Attribute Release Statement for more information.



A federation can be made up of institutions, organizations, and governmental agencies that have developed a trust relationship. This allows the identity provider (the institution whose users are requesting access to external resources) and the service provider (the organization granting others access to its resources) to securely collaborate and share information. On the Access Resources from External Institutions page, the University of Pittsburgh is the identity provider and the institution being accessed is the service provider. Each institution uses its own authentication method.

The University of Pittsburgh belongs to the InCommon Federation. In most cases, University of Pittsburgh users will be able to log in to any Shibboleth-enabled service provided by an institution that is a member of the InCommon Federation.


You Can Be a Service Provider, Too!

You have seen how Shibboleth allows you to access resources at external institutions. You should also know that you can use it to allow authorized individuals outside the Pitt community to access selected resources here.

Contact the Technology Help Desk if you would like to sponsor a Shibboleth site that allows authorized individuals from other institutions to access Pitt resources. Every University of Pittsburgh Shibboleth site must have a sponsor.

After you have set up your site, send the website address (URL) to those individuals whom you have granted access. You can include University of Pittsburgh faculty, staff, and student members as well.


Request Access to an External Institution

If you would like access resources at an external institution's website but are not currently able to do so, contact the Technology Help Desk with your request.

Letting the Help Desk know about locations you would like to access is critical to getting the most out of Shibboleth and the University's membership in the InCommon Federation.


Logging Out After Using Shibboleth

When you complete your work with Shibboleth, you need to log out of your session. Because there is no log out button, you will need to close all windows of your web browser to ensure that you have de-authenticated from all sensitive resources.


Related Information


Additional Resources



Article ID: 102
Wed 7/19/23 11:49 AM
Tue 2/13/24 1:22 PM