Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Table of Contents

Information about Web Application Access

All public Shibboleth project services (website, download site, wiki, svn, git, issue tracking, and maven repository at the time of this writing) may be accessed anonymously in a read-only capacity.

The Shibboleth wiki and issue tracking system are SAML-enabled and users wishing to post, comment on, or be informed of changes to data will need to log in via an acceptable IdP. The IdP must release:

  • eduPersonTargetedID or eduPersonPrincipalName which will be used as the unique, service internal a required unique identifier for the user (note that this also includes a SAML 2.0-compliant "persistent" name identifiersee below)
  • displayName if the user wishes to have a human-readable name suitable for display or search
  • mail if the user wishes to receive notifications (e.g., changes in issue status or updates to wiki pages) via email


Note that users may modify their profile name or email address, but it will be reset to an IdP-supplied value each time they login.

The preferred identifiers supported include the legacy eduPersonPrincipalName attribute and the newly-proposed SAML subject-id attribute. The latter is ideal if a name and email address are included, while EPPN is best if provided by itself because of the strong need to publically identify contributors in these collaborative tools.

If use of a public identifier is a problem due to privacy restrictions, we recommend use of the newly-proposed SAML pairwise-id attribute.

For historical reasons, we do support the legacy pairwise identifiers that fall under the eduPersonTargetedID and SAML persistent NameID headings, but they are strongly discouraged.

The precise set of SAML 1.1 attributes supported is:

  • urn:mace:dir:attribute-def:eduPersonPrincipalName (preferred)
  • urn:oasis:names:tc:SAML:attribute:subject-id (SAML Subject ID, new proposed standard, preferred)
  • urn:oasis:names:tc:SAML:attribute:pairwise-id (SAML Pairwise ID, new proposed standard, discouraged)
  • urn:oid: (targetedID as SAML attribute, strongly discouraged)
  • urn:mace:dir:attribute-def:displayName (preferred)
  • urn:mace:dir:attribute-def:cn
  • urn:mace:dir:attribute-def:mail


  • urn:oid: (EPPN, preferred)
  • urn:oasis:names:tc:SAML:attribute:subject-id (SAML Subject ID, new proposed standard, preferred)
  • urn:oasis:names:tc:SAML:attribute:pairwise-id (SAML Pairwise ID, new proposed standard, discouraged)
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (targetedID as NameID, strongly discouraged)
  • urn:oid: (targetedID as SAML attribute, strongly discouraged)
  • urn:oid:2.16.840.1.113730.3.1.241 (displayName, preferred)
  • urn:oid: (cn)
  • urn:oid:0.9.2342.19200300.100.1.3 (mail)

Wiki Service Information

The wiki ( provides the currently available documentation for all the Shibboleth projects as well as information about the project plans and management.


Per the terms of the CC BY-SA 3.0 license, the content of this wiki may be used by others, without seeking permission of the author, as long as this wiki is attribute as the source of the material and any resulting work is licensed under the CC BY-SA 3.0 license or a similar license. Attribution are best performed by providing a URL to the wiki page(s) containing the source material.

Issue Tracking Service Information

The issue tracking service ( provides a place to view and track bugs, tasks, and feature/improvement requests for the Shibboleth software.


All code/patches submitted to the issue tracking service are licensed under the Apache License, version 2 and contributed to the Shibboleth project per the terms set out in the Internet2 Intellectual Property Framework.

Discovery Service Information

The wiki and issue tracking services share a local discovery service listing all the identity providers which potentially work with them, based on the trust relationhsips we have established via federations. Not all of the listed identity providers will release the requisite information for these services and so users may encounter a notification page informing them of this.