External Federation


In order for a Single Sign-On (SSO) service to work the Identity Provider (IdP) that you authenticate against needs to send information about you to the web service (also known as a Service Provider [SP]) that you are trying to access. This information is called an assertion. At this time all of the SPs that are connected to the Fermilab SSO service are using the Security Assertion Markup Language (SAML) to communicate with.

SAML is an XML-based markup language for security assertions - statements that service providers can use to make access-control decisions. In our SSO service the IdP performs the authentication. The SP must perform any authorization necessary.

The Fermilab SSO has a standard set of attributes that are released to the SP after a successful authentication. These attributes are retrieved from the SERVICES LDAP Domain:

    • mail - email address
    • sAMAccountName - FNAL username
    • eduPersonPrincipalName - FNAL usersname with the domain added (username@fnal.gov)
    • givenName - the first name assoicated with the FNAL username
    • sn - the last name or family name assoicated with the FNAL username
    • memberOf - the distinguishedNames of all SERVICES groups that the FNAL username is part of

When the assertion gets to the SP the web server will interpret the values and generally make them available in enviroment variables for the application to use. On a Shibboleth SP this information will look like this:

    • SHIB_EMAIL   -   USERNAME@fnal.gov
    • SHIB_EPPN   -   USERNAME@fnal.gov
    • SHIB_NAME_FIRST   -   FirstName
    • SHIB_NAME_LAST   -   LastName
    • SHIB_FNAL_GROUPS   -   CN=Group1...;CN=Group2...;CN=Group3...

A mod_mellon based SP (like Central Web Services) will display the same information with different environmental variable names (SSO_EMAIL, SSO_USERID, SSO_EPPN, SSO_NAME_FIRST, SSO_NAME_LAST, SSO_FNAL_GROUPS).

External Federation

With external federation (where the user authentication takes place at a non-Fermilab IdP) the same attributes will be sent. There is information in those attributes that can be used to prevent access to your site/application

The environment variables would look something like this example using the DOE OneID IdP:

    • SHIB_EMAIL   -   username@somedomain
    • SHIB_USERID   -   LastName.IDNUMBER
    • SHIB_NAME_FIRST   -   FirstName
    • SHIB_NAME_LAST   -   LastName
    • SHIB_FNAL_GROUPS   -   CN=DOEOneID-Users,OU=ExternalFederationGroups,OU=FermiGroups,DC=services,DC=fnal,DC=gov;CN=External-Federation-Users,OU=FermiGroups,DC=services,DC=fnal,DC=gov

External federation assertions are based on the data from the external IdP. Email, eduPersonPrincipalName, First Name, and Last Name are sourced from the external IdP. Default group memberships are based on the external IdP as well. Each external IdP will have a group dedicated to it. All external users will also be a member of the External-Federation-Users group.

Note that the eduPersonPrincipalName has a different domain associated with it. Either group membership or eduPersonPrincipalName could be used to include/exclude a user or an organization from a web service using .htaccess files. For more information pleaes see KB0014129.


If you want to see what information is sent to SPs for your account (Fermilab or registered IdP) visit this page.