
Shibboleth Identity Provider

The Shibboleth Identity Provider provides authentication and authorization with single sign-on for users of participating service providers.

General

The Shibboleth Identity Provider allows KIT users to authenticate to institutions inside and outside KIT without sensitive data having to be transferred to those institutions. The user is forwarded from the service provider to the identity provider and authenticates there. If authentication succeeds, the user is returned to the service provider, which is informed that authentication was successful.
In addition, further attributes of the user can be transmitted to the service provider. The transmitted attributes are listed in the following service variants.

Meaning of the attributes

Most of the attributes, such as first name, last name and KIT login are self-explanatory.

  • transientId: A transient id is used to re-authenticate an existing session with different service providers. A new id is created whenever the session expires, which happens after 30 minutes of inactivity at the identity provider.
  • persistentId: A persistent id is created for one specific service provider, stored, and retransmitted each time the user authenticates with that service provider. This allows the service provider to recognize a returning user without knowing any further data about them. This attribute cannot be transmitted together with a transientId.
  • affiliation: The affiliation attribute conveys the user's position at KIT. Every member has the affiliation "member"; students additionally have "student" and employees additionally have "employee". Many service providers use this attribute to decide on access authorization.
  • entitlement: The entitlement attribute expresses the library license status. The value usually transmitted is "common-lib-terms".


When attributes are assigned

The transmitted attributes are delivered from the identity management system (IDM) to Shibboleth. Except for the KIT login and the email address, this data is supplied to the SCC by the administration; the SCC cannot make any changes to it. Note that the affiliation and entitlement attributes of employees depend on the contract status. It is therefore possible that the KIT account still works for login while the attribute "employee" is no longer set because the employment contract has expired.
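The following is an added example, not code from KIT, the SCC or the Shibboleth project. It shows how a service provider could evaluate the attributes described above: it parses the AttributeStatement of a SAML assertion, checks the rule that transientId and persistentId are never released together, and decides access from affiliation and entitlement rather than from the mere fact that login succeeded. The SAML fragments, the FriendlyName values, the sample users and the authorization rules are all constructed assumptions for illustration; a real service provider must verify the assertion signature before trusting any of these attributes.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Authorization rules of a hypothetical service provider (an assumption, not
# KIT policy): resource -> (attribute name, value that must be present).
RULES = {
    "member-area": ("affiliation", "member"),
    "staff-portal": ("affiliation", "employee"),
    "library": ("entitlement", "common-lib-terms"),
}


def _assertion(attributes):
    """Build a constructed SAML 2.0 assertion holding one AttributeStatement.

    Only used to create offline sample input; the FriendlyName values are
    assumptions, the identity provider's release policy decides real names.
    """
    body = "".join(
        f'<saml:Attribute FriendlyName="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples. EMPLOYEE is a current employee; EXPIRED_CONTRACT is the
# case from the text: the account still logs in, but "employee" (and with it
# the library entitlement) is no longer set. BOTH_IDS violates the rule that a
# persistentId is never released together with a transientId.
EMPLOYEE = _assertion({
    "givenName": ["Erika"], "sn": ["Mustermann"], "uid": ["ab1234"],
    "affiliation": ["member", "employee"], "entitlement": ["common-lib-terms"],
    "persistentId": ["example-persistent-id"],
})
EXPIRED_CONTRACT = _assertion({
    "givenName": ["Max"], "sn": ["Mustermann"], "uid": ["cd5678"],
    "affiliation": ["member"],
    "transientId": ["example-transient-id"],
})
BOTH_IDS = _assertion({
    "uid": ["ef9012"], "affiliation": ["member", "student"],
    "transientId": ["t"], "persistentId": ["p"],
})


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Signature verification is deliberately out of scope here; in a real
    service provider it happens before this function is ever called.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def id_problems(attrs):
    """List consistency problems with the identifier attributes."""
    problems = []
    if "transientId" in attrs and "persistentId" in attrs:
        problems.append("transientId and persistentId released together")
    if "transientId" not in attrs and "persistentId" not in attrs:
        problems.append("no session or user identifier released")
    return problems


def authorize(attrs, resource):
    """Grant a resource only if the required attribute value is present."""
    name, required = RULES[resource]
    return required in attrs.get(name, [])


def access_summary(attrs):
    """Decide every configured resource for one set of released attributes."""
    return {resource: authorize(attrs, resource) for resource in RULES}


if __name__ == "__main__":
    for label, xml in (("employee", EMPLOYEE), ("expired", EXPIRED_CONTRACT)):
        attrs = parse_attributes(xml)
        print(label, attrs["uid"], id_problems(attrs), access_summary(attrs))
```

The point of the second sample is the caveat from the text: a successful login proves that the KIT account exists, but whether someone is still an employee has to be read from the affiliation attribute on every authentication, because that attribute follows the contract status while the login keeps working.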