Overview
The University uses identity providers (IdPs) to authenticate users and allow access to applications such as Canvas, Zoom, and other enterprise systems. Historically, this role has been fulfilled by Shibboleth, an on-premises identity provider widely used in higher education. More recently, the University has begun transitioning services to Microsoft Entra ID, a cloud-based identity platform run through our Microsoft Tenant.
Both systems perform the same function; they verify a user’s identity and communicate that authentication to an application.
This article explains what Shibboleth and Entra ID are, how they differ, and what is involved in integrating and migrating services to Entra ID.
What is Shibboleth?
Shibboleth is an open-source identity provider designed primarily for academic and research institutions. It operates on-premises and integrates directly with the University’s Active Directory environment to authenticate users.
How it Works
- A user attempts to access an application (the Service Provider, or SP)
- The SP sends a SAML authentication request to Shibboleth
- Shibboleth:
  - Authenticates the user (typically via Active Directory)
  - Pulls user attributes (email, affiliation, groups, etc.)
  - Sends back a SAML assertion confirming identity
In addition to confirming identity, Shibboleth can provide additional user information, such as name, email address, and group membership. This information is included in the authentication response and is referred to as attribute release. These attributes allow the application to determine what the user is allowed to access.
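The SP side of the exchange above, as an added example for this article (not University or Shibboleth project code): it parses a constructed SAML assertion, applies the checks an SP must make before trusting it (issuer, validity window, audience), and then extracts the released attributes. It assumes the XML signature on the response has already been verified by a SAML library such as xmlsec; the entity IDs and the sample assertion are placeholders.

```python
"""SP-side handling of a Shibboleth SAML assertion (added example)."""
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder entity IDs the SP is configured with, not the University's real ones.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://app.example.edu/shibboleth"

# Constructed sample assertion. Attribute Names are the standard OIDs Shibboleth
# releases for mail and eduPersonAffiliation; the values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.edu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>duck@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(ts: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text: str, now_iso: str, sp_entity_id: str = SP_ENTITY_ID,
                      idp_entity_id: str = IDP_ENTITY_ID) -> dict:
    """Return released attributes as {friendly_name: [values]} after checking
    issuer, validity window and audience; raise ValueError if any check fails."""
    now = _utc(now_iso)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        raise ValueError(f"issuer {issuer!r} is not the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        raise ValueError("assertion is not yet valid")
    if not_on_or_after and now >= _utc(not_on_or_after):
        raise ValueError("assertion has expired")
    # The audience check stops an assertion minted for one SP being replayed at another.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different Service Provider")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attributes[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


def rejection_reason(xml_text: str, now_iso: str,
                     sp_entity_id: str = SP_ENTITY_ID) -> Optional[str]:
    """The failure message, or None when the assertion is accepted."""
    try:
        consume_assertion(xml_text, now_iso, sp_entity_id)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(consume_assertion(SAMPLE_ASSERTION, "2024-01-01T12:00:30Z"))
    print(rejection_reason(SAMPLE_ASSERTION, "2024-01-01T12:06:00Z"))
```

Multi-valued attributes such as eduPersonAffiliation come back as lists, which is why an application's authorization logic should test membership rather than compare a single string.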
One of Shibboleth’s defining features is its flexibility. Administrators can customize how identities are represented, how attributes are released, and how integrations are configured.
Shibboleth is declining as a long-term solution due to maintenance complexity and limited alignment with modern cloud identity systems. Many universities are already migrating to Microsoft Entra ID for better security, scalability, and integration.
What is Microsoft Entra ID?
Microsoft Entra ID is a cloud-based identity and access management platform that serves the same fundamental purpose as Shibboleth but operates within Microsoft’s Azure ecosystem.
Instead of running on local infrastructure, Entra ID is hosted in Microsoft’s cloud and connects to Azure Active Directory. User data from on-premises Active Directory is synchronized to Azure AD, though only a subset of attributes is typically included in this sync.
How it Works
- Similar role to Shibboleth (IdP), but:
  - Runs in the Microsoft Azure cloud
  - Uses both:
    - SAML 2.0
    - OpenID Connect (OIDC), the modern standard
In Entra ID, user information is passed to applications as claims, which serve the same purpose as attributes in Shibboleth. These claims typically include basic identity data such as name, email address, and group membership.
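The claim checks a relying party performs on an Entra ID-issued OIDC ID token, as an added example for this article (not University or Microsoft code). It assumes the token's signature has already been verified against the tenant's published signing keys by a JOSE library and shows only what follows: confirming issuer, tenant, audience and validity window, then reading the identity claims. The tenant, client and object IDs and the sample claim set are constructed placeholders; the `groups` claim appears only when group claims have been configured for the application.

```python
"""Relying-party claim checks on an Entra ID ID token (added example)."""
import base64
import json
from typing import Optional

# Placeholder tenant and application (client) IDs; a real tenant uses its own GUIDs.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sample_token(claims: dict) -> str:
    """Assemble a constructed JWT with an empty signature segment (sample only;
    a real token carries an RS256 signature that must be verified first)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claim set resembling what Entra ID places in a v2.0 ID token.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "oid": "22222222-2222-2222-2222-222222222222",
    "nbf": 1704110400,  # 2024-01-01T12:00:00Z
    "exp": 1704114000,  # 2024-01-01T13:00:00Z
    "name": "Donald Duck",
    "preferred_username": "duck@example.edu",
    "groups": ["33333333-3333-3333-3333-333333333333"],
}


def validate_id_token(token: str, now: int, client_id: str = CLIENT_ID,
                      tenant_id: str = TENANT_ID) -> dict:
    """Return a normalized identity record after checking issuer, tenant,
    audience and validity window; raise ValueError on any failure."""
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("token is not a well-formed JWT")
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer is not this tenant's Entra ID endpoint")
    if claims.get("tid") != tenant_id:
        raise ValueError("token was issued by a different tenant")
    # aud may be a single string or a list; the app's client ID must be among them.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token is intended for a different application")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token has expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token is not yet valid")
    return {
        "subject": claims.get("oid"),            # stable per-user object id
        "name": claims.get("name"),
        "email": claims.get("preferred_username"),
        "groups": claims.get("groups", []),      # only present when configured
    }


def rejection_reason(token: str, now: int, client_id: str = CLIENT_ID,
                     tenant_id: str = TENANT_ID) -> Optional[str]:
    """The failure message, or None when the token is accepted."""
    try:
        validate_id_token(token, now, client_id, tenant_id)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    print(validate_id_token(token, 1704110500))
    print(rejection_reason(token, 1704114000))
```

The record returned keys the user on `oid` rather than on a display name or email, since those can change while the object ID stays fixed for the life of the account.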
Key Differences Between Shibboleth and Entra ID
| Category | Shibboleth | Entra |
| --- | --- | --- |
| Architecture | On-prem | Cloud-based |
| Protocols | SAML 2.0 only | SAML + OIDC |
| Data source | Direct AD integration | Azure AD (via sync, limited attributes) |
| Attribute handling | Attribute release — very flexible | Claims — more structured, less flexible |
| Federation | Strong | Limited |
| Maintenance | Manual metadata updates; complex cert rotation | Easier cert rotation; UI-based management |
How do I learn more about my Duck ID?
To learn more about your Duck ID, please visit the Duck ID articles. If you would like to change your Duck ID Password, please look at the Change or Reset Your Duck ID Password article.
How do I report a single sign-on problem?
If you're having trouble signing into a service, it could be a problem either with your account or with the service itself.
To report a login problem or issue with your Duck ID, please contact the Technology Service Desk.