NON-InCommon Setup

Provide your Identity Provider (IdP) metadata via a link or XML file
Please email the XML file or a link to the file to implementations@portfolium.com

Add our Service Provider (SP) metadata file to your Shibboleth configuration
You can find our metadata file here: https://portfolium.com/sso/metadata

Request time to work with the implementations team to test
Please email implementations@portfolium.com to set a meeting with your implementation lead and a Portfolium engineer to ensure everything was correctly configured.

Current InCommon Participants

InCommon Federation: Participant Operational Practices

Portfolium Shibboleth Information

What information does Portfolium retrieve from a Shibboleth Identity Provider?
Portfolium retrieves and uses the following attributes:

  • eduPersonPrincipalName: Commonly a user's school email
  • eduPersonAffiliation or roles: Type of user; student, faculty, alumni
  • givenName, FirstName, or firstname: User's first name
  • sn, LastName, or lastname: User's last name
  • email or Mail: User's email (optional if eduPersonPrincipalName isn't the unique email)
  • uid, username, employeeNumber, EmployeeNumber: User's unique user identifier

What does Portfolium do with the information it retrieves?
Portfolium authenticates existing user accounts and creates a new account when none exists for the provided eduPersonPrincipalName (EPPN).

Is the connection between the Identity Providers and Portfolium secure?
Yes, all information transmitted between the Identity Providers and Portfolium is secured over SSL.

How does Portfolium use the eduPersonPrincipalName (EPPN) if my school does not use the EPPN as a unique email?
When the eduPersonPrincipalName (EPPN) is not a valid email address but rather a unique ID, the mail attribute can be released in addition to the EPPN, so that the IdP sends both a unique identifier and the user's email.

We then link the unique ID from the EPPN as a "spoke" to the core Portfolium Identity. This allows us to have a link to the Portfolium Identity for future lookups even if the user changes their email or name.

What does Portfolium use the eduPersonAffiliation for?
Portfolium is used by students, alumni, and educators at each of its partner universities. The smart onboarding experience is customized depending on whether the user is a student, an alumnus, or faculty.

Therefore, the eduPersonAffiliation is used to categorize the user in the system as one of the above.

How does my IT team configure Shibboleth for Portfolium?
You'll need your IT team to update your attribute-filter.xml file with the following configuration:

These are guidelines, not an exact guide. For example, the afp: prefix will sometimes cause an error, depending on how your IdP declares its namespaces.

<afp:AttributeFilterPolicy id="portfolium.filter">

  <afp:PolicyRequirementRule xsi:type="basic:OR">
   <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://portfolium.com/shibboleth" />
   <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://qa.portfolium.com/shibboleth" />
  </afp:PolicyRequirementRule>

  <afp:AttributeRule attributeID="transientId">
   <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
   <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="eduPersonAffiliation">
   <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="givenName">
   <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="sn">
   <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="mail">
   <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>
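As an added check (not part of this page or of Portfolium's own documentation), the following Python script audits an attribute-filter.xml policy: it confirms the portfolium.filter policy is scoped to the two Portfolium requester entityIDs rather than to every SP, and reports attributes released beyond the set in the snippet above. It assumes the legacy afp:/basic: namespaces shown here; the embedded policy is a constructed sample.

```python
"""Audit a Shibboleth attribute-filter.xml policy for the Portfolium SP (added example; assumes legacy afp:/basic: namespaces)."""
import xml.etree.ElementTree as ET

NS = {"afp": "urn:mace:shibboleth:2.0:afp", "basic": "urn:mace:shibboleth:2.0:afp:mt:basic"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
REQUESTER = "basic:AttributeRequesterString"

# Entity IDs and attributes taken from the page's filter snippet; nothing else should be released.
EXPECTED_REQUESTERS = {"https://portfolium.com/shibboleth",
                       "https://qa.portfolium.com/shibboleth"}
EXPECTED_ATTRS = {"transientId", "eduPersonPrincipalName", "eduPersonAffiliation",
                  "givenName", "sn", "mail"}

# Constructed sample: correctly scoped, but drops four attributes and adds displayName.
SAMPLE_FILTER = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mt:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="portfolium.filter">
    <afp:PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://portfolium.com/shibboleth"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://qa.portfolium.com/shibboleth"/>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def audit_policy(xml_text, policy_id="portfolium.filter"):
    """Report whether the policy is scoped to Portfolium's entityIDs and what it releases."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"afp:AttributeFilterPolicy[@id='{policy_id}']", NS)
    if policy is None:
        return {"found": False}
    req = policy.find("afp:PolicyRequirementRule", NS)
    rtype = req.get(XSI_TYPE) if req is not None else None
    # Accept one requester rule or an OR of requester rules; anything else (e.g. basic:ANY)
    # would release these attributes to every SP, so it is reported as unscoped.
    if rtype == REQUESTER:
        rules = [req]
    elif rtype == "basic:OR":
        rules = req.findall("basic:Rule", NS)
    else:
        rules = []
    requesters = {r.get("value") for r in rules}
    scoped = (bool(rules) and all(r.get(XSI_TYPE) == REQUESTER for r in rules)
              and requesters <= EXPECTED_REQUESTERS)
    released = {a.get("attributeID") for a in policy.findall("afp:AttributeRule", NS)}
    return {"found": True, "scoped_to_portfolium": scoped,
            "unexpected_attributes": sorted(released - EXPECTED_ATTRS),
            "missing_attributes": sorted(EXPECTED_ATTRS - released)}
```

Run it against your real attribute-filter.xml by passing the file contents to audit_policy; a non-empty unexpected_attributes list means the policy releases more than Portfolium needs.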

Also, depending on how the default relying party on your IdP is set up, you may need a relying party entry for each Portfolium entityID:

<RelyingParty
  id="https://portfolium.com/shibboleth"
  provider="YOUR_ENTITY_ID_HERE"
  defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration
    xsi:type="saml:SAML2SSOProfile"
    encryptAssertions="conditional"
    encryptNameIds="conditional">
  </ProfileConfiguration>
</RelyingParty>

<RelyingParty
  id="https://qa.portfolium.com/shibboleth"
  provider="YOUR_ENTITY_ID_HERE"
  defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration
    xsi:type="saml:SAML2SSOProfile"
    encryptAssertions="conditional"
    encryptNameIds="conditional">
  </ProfileConfiguration>
</RelyingParty>

  • Remember to replace YOUR_ENTITY_ID_HERE with your actual entityID.