You can integrate NJVID with your enterprise directory (Active Directory or LDAP) so that users sign in to NJVID resources with their institutional usernames (or user IDs) and passwords.
The Shibboleth Identity Provider (free and open-source software) must be installed at the institution and configured to authenticate users against your Active Directory or LDAP.

When a user logs into NJVID and tries to access resources, NJVID redirects the user to the institution's Shibboleth Identity Provider, where the user enters their username and password. The password is entered only at the institution's Identity Provider; NJVID never sees it. If the credentials are correct, the user is logged in to NJVID and can access the resources made available to that user or to the user's institution.

About Shibboleth

  • Free and open-source software provided by Internet2.
  • A middleware project used for federated, identity-based authentication.
  • The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. 
  • It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.  
  • Shibboleth can be installed on a virtual machine as well and is not resource intensive. 
  • Learn more about Shibboleth! Visit  www.shibboleth.net 


Steps to integrate NJVID with your Enterprise directory (LDAP/AD)

  1. Install the Shibboleth Identity Provider (see the installation guides for Linux and Windows).
  2. Configure the Shibboleth Identity Provider to load our federation's metadata (see Section A below, "Add information on NJTrust to your Identity Provider").
  3. Configure the Shibboleth Identity Provider to release the required attributes to our Service Provider (see Section B, "Required Shibboleth Attributes", and Section C, "Releasing attributes to NJVID").
  4. Once installed and configured, verify that your Shibboleth Identity Provider can communicate with our Service Provider by visiting www.njvid.net/dlr/shibinfo.php and logging in with your user ID/username. The page shows the attributes our Service Provider received; send its contents to support@njvid.net if you want us to confirm that you are releasing the right attributes.

Assistance for NJEDge members

If you need assistance with the Shibboleth installation at your institution, please contact us at support@njvid.net. Our support team will guide and assist you through the set-up process.



Help Sections


A. Add information on NJTrust to your Identity Provider


Here is the declaration an Identity Provider (Shibboleth IdP 2.x) needs in order to load our federation metadata. It goes inside the ShibbolethMetadata chaining provider in relying-party.xml and lets your Identity Provider recognize the services described in our metadata:


<!-- A FileBackedHTTPMetadataProvider also needs a metadataURL attribute giving the
     federation metadata URL; that URL is not listed on this page, so obtain it from NJEDge. -->
<metadata:MetadataProvider id="URLNJEDGE" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        backingFile="/opt/shibboleth-idp/metadata/njedge-fed-metadata.xml">
</metadata:MetadataProvider>
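The declaration above only tells the IdP where to cache the metadata; a practitioner will also want the download itself to be trusted, because whatever is in that file decides which Service Providers your IdP will release user attributes to. The following relying-party.xml fragment is an added example and is not NJVID's or NJEDge's own configuration: it assumes Shibboleth IdP 2.x, uses a placeholder for the federation metadata URL (FEDERATION_METADATA_URL, not given on this page), and assumes you have obtained the federation's metadata-signing certificate from NJEDge and stored it at the path shown. The trust engine id, credential id and certificate path are assumed names.

```xml
<!-- Added example for relying-party.xml (Shibboleth IdP 2.x); not NJVID's own configuration.
     Assumptions: FEDERATION_METADATA_URL is a placeholder for the federation metadata URL,
     and the signing certificate path below is where you stored the certificate NJEDge gave you.
     Keep the IdP's own metadata provider entry (IdPMD) that ships inside this chain. -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">

    <metadata:MetadataProvider id="URLNJEDGE" xsi:type="metadata:FileBackedHTTPMetadataProvider"
            metadataURL="https://FEDERATION_METADATA_URL/njedge-fed-metadata.xml"
            backingFile="/opt/shibboleth-idp/metadata/njedge-fed-metadata.xml">

        <!-- Reject any metadata whose XML signature does not verify against the
             federation's signing certificate. Without this, anyone who can tamper
             with the download (or the cached backingFile) can add a rogue Service
             Provider that your IdP would then release attributes to. -->
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                trustEngineRef="shibboleth.NJEdgeMetadataTrustEngine"
                requireSignedMetadata="true" />
    </metadata:MetadataProvider>

</metadata:MetadataProvider>

<!-- Trust engine holding the federation's metadata-signing certificate (assumed path).
     Obtain the certificate out of band from NJEDge and check its fingerprint with them
     before installing it; the TLS certificate of the download site is not a substitute,
     because the filter verifies the signature on the metadata document itself. -->
<security:TrustEngine id="shibboleth.NJEdgeMetadataTrustEngine"
        xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="NJEdgeMetadataSigningCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/njedge-metadata-signing.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

After restarting, check idp-process.log: a signature failure is logged at startup and the provider then serves no entities, which shows up at step 4 as the NJVID Service Provider being unknown to your IdP rather than as a silent success.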



B. Required Shibboleth Attributes  

    We require the following two attributes to be released from your Identity Provider to our Shibboleth Service Provider.
  1. eduPersonScopedAffiliation [example: student@institution.edu]. The value 'member' MUST be released for every active user of the learning community (faculty, students, staff), and the scope (the part after @) must be your institution's domain. Some institutions release member@institution.edu for all of their users.
  2. eduPersonPrincipalName [usually the user ID or NetID, scoped with your domain; example: joe@institution.edu]. It serves as the user's identifier, so it must be unique and stable per user.
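The two attributes have to exist in the IdP before a filter policy can release them, and on a fresh install they usually do not. The attribute-resolver.xml fragment below is an added example, not NJVID's or NJEDge's own configuration. It assumes Shibboleth IdP 2.x with the standard resolver, ad, dc and enc namespace prefixes declared at the file root, an existing LDAP/AD DataConnector with id "myLDAP" (an assumed name) whose login-name attribute is "uid" (for Active Directory typically "sAMAccountName"), and "institution.edu" as the scope. It also shows the "all users are member" pattern mentioned above via a static connector; if your directory already holds a real affiliation, point the affiliation definitions at the LDAP connector instead.

```xml
<!-- Added example for attribute-resolver.xml (Shibboleth IdP 2.x); not NJVID's own configuration.
     Assumptions: DataConnector "myLDAP" exists, the login name is in "uid"
     (AD: "sAMAccountName"), and the institution's scope is "institution.edu". -->

<!-- eduPersonPrincipalName = uid@institution.edu.
     The scope is fixed in the configuration rather than read from the directory,
     so no directory entry can assert another institution's domain. -->
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped"
        scope="institution.edu" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
            name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<!-- eduPersonAffiliation: every authenticated user gets "member" from the static
     connector below. Replace the dependency with ref="myLDAP" if the directory
     carries a maintained affiliation attribute. -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Simple"
        sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="staticAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>

<!-- eduPersonScopedAffiliation = member@institution.edu, the value NJVID requires. -->
<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped"
        scope="institution.edu" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="staticAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
            name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>

<!-- Static source for the affiliation value. Only users who have authenticated
     against the directory reach the resolver, so "member" is still tied to a
     successful login even though it is not read from LDAP. -->
<resolver:DataConnector id="staticAffiliation" xsi:type="dc:Static">
    <dc:Attribute id="eduPersonAffiliation">
        <dc:Value>member</dc:Value>
    </dc:Attribute>
</resolver:DataConnector>
```

A useful check before involving NJVID: the IdP's aacli.sh script (in the IdP's bin directory) resolves attributes for a given principal without a browser login, so you can confirm that both attributes resolve with the expected scope for a test account, and then confirm the release side at www.njvid.net/dlr/shibinfo.php.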


C. Releasing attributes to NJVID


You will also need to configure your IdP to release these attributes to our Service Provider. In your attribute-filter.xml add an AttributeFilterPolicy whose PolicyRequirementRule selects the NJVID Service Provider and whose AttributeRules permit the attributes:


<afp:AttributeFilterPolicy id="releaseEPPNtoNJEDGE">

    <!-- Limit the release to the NJVID Service Provider. Its entityID is not listed on
         this page; replace the placeholder with the value NJEDge gives you. A rule of
         xsi:type="basic:ANY" here would release these attributes to every Service
         Provider in your metadata, which is not what you want. -->
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="REPLACE-WITH-NJVID-SP-ENTITYID" />

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="eduPersonAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>


Then restart the servlet container that hosts the IdP (for example Tomcat) so that the new configuration is loaded, and repeat the check in step 4 to confirm that the attributes arrive at our Service Provider.