Single Sign-on

Shibboleth

Shibboleth is a system for federated authentication and authorization of web-based applications. If you want to use a web application that is set up for Shibboleth, the operator of that application (the so-called Service Provider, SP) temporarily redirects you to us (the so-called Identity Provider, IdP). On a login page hosted at the University of Bremen you log in with your user name and password, and you are then automatically redirected back to the service provider's web application. Based on the transmitted user data, the service provider can then decide whether to grant you access to the web application it provides.

Service providers and identity providers form so-called federations. The University of Bremen operates its own local federation and is also a member of the DFN-AAI federation of the German Research Network. (The particular advantage of this federated approach is that the operators of IdPs and SPs do not have to conclude contracts or data protection agreements with each other; each needs only one agreement with the federation operator.)

Shibboleth makes it possible to open applications that were originally only available locally to members of other institutions within a federation. This can be done globally ("all members of all other federation members have access") or selectively according to the attributes transmitted by the IdP ("all employees and students of the universities of Berlin and Stuttgart have access").

Data Transfer

If you log in to a non-university service provider via Shibboleth, personal data is transferred to that provider. Therefore, after login, the Identity Provider asks you whether you consent to the transfer of this data. If you refuse to pass on your data, you cannot use the corresponding service.

Which data is passed on depends on several factors and cannot be shown in a simple table. Service providers that are members of the federation of the German Research Network or of the eduGAIN federation receive different attribute sets. In addition, special rules can be configured for individual service providers. To achieve the greatest possible transparency, the data passed on (the so-called attributes) is listed in detail on the page on which you give your consent.

Attributes

The following table explains some of the attributes that may be transferred:

uid                         Your user id.
uidNumber                   The internal numeric id of your account.
zfnPersID                   The internal numeric id of you as a person.
eduPersonAffiliation        Your status at the university. Possible values are faculty, employee, staff, member, student and affiliate.
eduPersonScopedAffiliation  Your status at the University of Bremen and at departments and organizations in and at the University of Bremen. Although these values look like email addresses, they have nothing to do with email.
eduPersonEntitlement        Entitlements are additional attributes associated with your account or person. They are often used to store special access rights.
eduPersonPrincipalName      Your primary id at the university.
eduPersonUniqueID           A pseudonymous, automatically generated and globally unique identifier. Service providers can use it, for example, to personalize the services they offer without being able to deduce your identity at the university.
samlSubjectID               See eduPersonUniqueID.
samlPairwiseID              Similar to samlSubjectID, but individual for each service provider. This means that different service providers cannot link their users with each other, even if they compare their data.

Further information about the eduPerson standard can be found at REFEDS.
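To make the difference between the globally unique and the pairwise identifiers concrete, here is an added illustration (not the IdP's own code, and not Shibboleth's actual computation): both identifiers are keyed hashes, but the pairwise one also mixes in the service provider's SAML entityID, so two service providers that compare their user tables find no common value. It also shows the kind of access rule a service provider can apply to eduPersonScopedAffiliation. The salt, scope, entityIDs and uidNumber are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not real University of Bremen data):
# the IdP's secret salt, its scope, and two service providers' SAML entityIDs.
IDP_SALT = b"constructed-secret-salt-placeholder"
IDP_SCOPE = "uni-bremen.de"
SP_LIBRARY = "https://sp.library.example/shibboleth"
SP_JOURNAL = "https://sp.journal.example/shibboleth"


def _pseudonym(salt: bytes, material: str) -> str:
    """Keyed hash: without the IdP's salt nobody can recover the input."""
    return hmac.new(salt, material.encode(), hashlib.sha256).hexdigest()[:32]


def unique_id(uid_number: int, salt: bytes = IDP_SALT) -> str:
    """eduPersonUniqueID / samlSubjectID style: one pseudonym per person,
    identical for every service provider (assumed construction)."""
    return f"{_pseudonym(salt, str(uid_number))}@{IDP_SCOPE}"


def pairwise_id(uid_number: int, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """samlPairwiseID style: the SP's entityID is mixed in, so each SP sees a
    different pseudonym for the same person (assumed construction)."""
    return f"{_pseudonym(salt, f'{sp_entity_id}!{uid_number}')}@{IDP_SCOPE}"


def sps_can_link(id_at_sp_a: str, id_at_sp_b: str) -> bool:
    """Two SPs comparing their user tables can only match identical values."""
    return id_at_sp_a == id_at_sp_b


ALLOWED_AFFILIATIONS = {"faculty", "employee", "staff", "member", "student", "affiliate"}


def affiliation_grants_access(scoped_value: str, trusted_scopes: set,
                              wanted: set) -> bool:
    """SP-side rule such as 'students and employees of the listed universities'.
    eduPersonScopedAffiliation is affiliation@scope, not an email address."""
    affiliation, sep, scope = scoped_value.partition("@")
    if not sep or affiliation not in ALLOWED_AFFILIATIONS:
        return False
    return scope in trusted_scopes and affiliation in wanted


if __name__ == "__main__":
    person = 4711  # constructed uidNumber
    print("unique_id linkable across SPs:", sps_can_link(unique_id(person), unique_id(person)))
    print("pairwise_id linkable across SPs:", sps_can_link(pairwise_id(person, SP_LIBRARY),
                                                           pairwise_id(person, SP_JOURNAL)))
```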

Logout

Single logout is very difficult to implement for technical reasons; more information about this problem can be found here.

Therefore, you should not use Shibboleth-secured services from public terminals such as CIP computers or Internet cafés. If for practical reasons you cannot avoid using a public terminal, delete your private data (and thus also the Shibboleth session key) in the browser after the session has ended.