icon-symbol-logout-darkest-grey

ServiceShibboleth Identity Provider

Authentication and authorization with Single Sign-On

The URZ operates a Shibboleth Identity Provider (IdP) which provides a secure Single Sign-On (SSO) service. By logging in to the Shibboleth provider with your Uni ID, you can use other services connected to Shibboleth without additional authentication.

The IdP is required to use the state services at Heidelberg University, e.g. bwForCluster (bwIDM). Heidelberg-specific services are also connected using Shibboleth, e.g. heiBOX.

Target group

  • University employees
  • Students
  • Instructors
  • University members

Use

  • Single Sign-On (SSO) enables the use of multiple websites and services with a single log-in.
  • Use of many (scientific­) services via the central ID of your home university. The IdP can transmit the required information to these services.

Access and requirements

For users

When logging in to a Shibboleth-protected service, the user will be redirected to the IdP page of their home institution. On this page, the validity of your user ID and password will be verified. The service then only receives the data required for authorization, usually just a service-specific pseudonym (targeted ID), which the service can use to identify the user with their profile - your password is never shared.

For IT services / IT staff members

If you would like to use the URZ's Shibboleth Identity Provider for your IT service, you can make a request using the linked form.

Technical information

In addition to pseudonyms, this service can use the following data transmitted to it for authorization purposes:

  • Affiliation to the university (affiliation: student, faculty, staff, member, affiliate, ...)
  • Concretely specified strings for further entitlements.

If necessary, further person-related attributes can be requested, but these will only be added after the user has given their consent.

The University Library has long been using Shibboleth to provide online services for some publishers. For these services, it is also possible to log in with a HEIDI ID (only digits, 8-digit, e.g. 00123456).

Frequently Asked Questions

Table

QuestionAnswer
QuestionAnswer
What information (or attributes) are delivered to a service provider by Shibboleth-IdP? 

A transmission of the listed attributes and their data only takes place if the service provider requests them and the user has consented to the transmission.

1. Statistical attributes
The attributes described here are always identical and are not person-dependent:

  • bwidmorgid: Unique abbreviation within the bwidm Federations / hd
  • o : Organization / uni-heidelberg.de

2. Personal attributes
The available attributes are retrieved from the Identity Management:

  • displayName: usually a combination of the first and last names (givenname sn), e.g. John Doe
  • eduPersonAffiliation: institution affiliation
  • eduPersonEntitlement: service-specific authorization.
  • eduPersonPrincipalName: the username uniquely assigned from the userID and the scope, i.e. uni-id[at]uni-heidelberg.de"
  • eduPersonScopedAffiliation: institution affliation
  • eduPersonTargetedID: an older version of the persistentID (not shown in the overview of the data to be transmitted*)
  • eduPersonUniqueId: a hashed value derived from the userID e.g."nqw3uinq234nfr[at]uni-heidelberg.de"
  • givenName: first name, e.g. John
  • mail: the email address associated with the user; if the user has been assigned more than one address, the default sender. address is used, e.g. doe[at]uni-heidelberg.de
  • persistentID: an identifier that is generated uniquely for each service provider; unlike the transientID, this identifier is also retained between sessions (not displayed in the overview of the data to be transmitted*).
  • sn: also known as surname: usually the family name, e.g. Doe
  • transientID: a short-term identifier, which is generated for each service provider individually for each session (not shown in the overview of the data to be transmitted*)
  • uid: the username assigned to the user, i.e. the Uni ID, e.g. ab123
Which university affiliations are used by Shibboleth?

Shibboleth uses the following university affiliations:

Affiliation / Scoped Affiliation

  • employee / employees of Heidelberg University
  • student / students of Heidelberg University
  • faculty /academic staff, primarily working as instructors
  • staff / non-academic staff, administrative or technical employees
  • member / member or associate of the University – users with faculty, staff, student, employee affiliations automatically receive this attribute
  • affiliate / other affiliation with the University
  • library-walk-in / user at the University Library (UB) that is visiting on of the library buildings
  • alumni / former members of the University - not used in Heidelberg!

The values listed above can also be assigned a “scope” (e.g. "member[at]uni-heidelberg.de"). They can also be used without a scope (e.g. "member").

What are the possible values for the entitlements?

The entitlements can be routed using two different notations:

  • 1. URN notation, e.g. "urn:de:abc:xyz_dad:11312-2313:". The values that are notated in this way are registered centrally and are therefore globally unique.
  • 2. URL notation, e.g.

    http://example.de/entitlement/access

    URLs noted in this way do not have to be “working” web pages.

1. URN-type entitlements

  • urn:geant:dfn.de:uni-heidelberg.de:entitlement:heibox
    Authorization for the use of the service:

    https://www.urz.uni-heidelberg.de/de/heibox


    You are required to have the status of an employee or doctoral candidate.
  • urn:geant:dfn.de:uni-heidelberg.de:entitlement:ub_uni_ma
    Employees of the Medical Faculty MA
  • urn:geant:dfn.de:uni-heidelberg.de:entitlement:ub_uni_ub
    Employees of the UB HD
  • urn:geant:dfn.de:uni-heidelberg.de:entitlement:ub_tan
    UB user group using TAN procedures for interlibrary loan
  • urn:mace:dir:entitlement:common-lib-terms
    Admission to services that require a license subject to the standard terms and conditions for license agreements
  • urn:mace:ub.uni-freiburg.de:entitlement:unihd:redi:ma
    Access to certain services from

    https://www-fr.redi-bw.de/

2. URL-type entitlements

  • http://bwidm.de/entitlement/bwForCluster


    Authorization for use of the service:

    https://www.urz.uni-heidelberg.de/de/bwforcluster

  • http://bwidm.de/entitlement/bwLSDF-SyncShare


    Authorization for use of the service:

    https://www.alwr-bw.de/kooperationen/bwsync-share/


    For users of Heidelberg University, entitlement is automatically granted as long as the member affiliation is fulfilled.
  • http://bwidm.de/entitlement/bwLSDF-FileService


    Authorization for use of the service:

    https://www.bwhpc-c5.de/wiki/index.php/BwFileStorage

  • http://bwidm.de/entitlement/bwUniCluster


    Authorization for use of the service:

    https://www.urz.uni-heidelberg.de/de/bwunicluster

  • http://bwidm.de/entitlement/sds-hd-sv


    Authorization to request a new storage data storage project as part of the service:

    https://www.urz.uni-heidelberg.de/de/sds-hd


    You are required to have the status of employee.
  • http://bwidm.de/entitlement/sds-hd-user


    Authorization to use a data storage project in

    https://www.urz.uni-heidelberg.de/de/sds-hd