Single Sign On

What Is It?

Single Sign On (SSO) is an authentication method that allows users to log in with a single ID and password to any of several related, yet independent, software systems. Technology Solutions' SSO options are Bluestem and Shibboleth.



Bluestem is the primary single sign-on authentication method supported at UIC. Only UIC users can authenticate via Bluestem.

Technology Solutions provides Bluestem protection for websites hosted with and Web servers for protecting files, PHP programs, and CGI scripts. However, you may have data that requires extra-special protection (e.g. financial or medical), or you may want to run a Web application (e.g. database) or write in a language for which these main servers are not adequate.

Shibboleth Framework

Shibboleth is a federated identity framework that allows applications to connect to various authentication services on the Internet, including UIC's Bluestem. Shibboleth Identity Provider is centrally maintained to provide SAML compliant authentication services. These services limit reuse and exposure to user credentials by multiple services.

Shibboleth can be used to allow access to your application to any Organization on the Internet that supports SAML. Conversely, it can also be used to allow UIC users access to third-party applications that support SAML using their UIC credentials.


If a user is capable of running their own Web server (i.e. physically secure room, maintain security patches, manage user accounts, run backups, install and troubleshoot software, keep, and inspect logs, or use a Technology Solutions’ Virtual Machine), they can make their web server into a Shibboleth Client application server or Bluestem Client. This will allow the user’s web scripts to authenticate users, using their normal UIC NetID and password, in a very secure manner.

Bluestem on people and webhost

  • Requires the creation of an allowed.NetID file in the directory you want to protect.

Bluestem on a custom server

  • You must run an SSL-capable web server. Apache and IIS are fine. And, of course, the webserver must be configured to run CGI scripts.
  • You must obtain an SSL certificate.
  • You must be able to maintain your server, providing all the functions that a good system administrator would provide.

Shibboleth Requirements

When one uses an online service, there are two primary actions associated with access:

  1. Authentication verifies who you are and is the act of ensuring that the person with the credential (login id for example) is the same person that the organization has on file as having permission to use that credential. The verification is done using a password or some other mechanism.
  2. Authorization is about what you can do and is the act of granting access to the authenticated individual based on role, organizational affiliation, and the like.

If a cloud service requires authentication to UIC Active Directory, a UIC employee needs to request shibboleth integration to authenticate UIC users and grant access. It is preferred that the third-party application be registered with the InCommon Federation to prevent disruptions when changes occur with the identity provider information.

Shibboleth, A Project of the Internet2 Middleware Initiative

Who Is Eligible To Use It?

  • Faculty
  • Students
  • Staff

Where Can I Get It?

For Bluestem, select the Request Bluestem button located on this page.

How do I request Shibboleth (SAML) integration?

How Do I Use It?

Learn how to restrict access to websites using Bluestem at UIC.

How is Shibboleth used at UIC?

How Much Does It Cost?

Bluestem: Basic Bundle

Shibboleth: This service is funded by the University; there are no direct costs to clients.

How Can I Get Support?

If you are experiencing a problem with this service, please report it. If you just have a question, feel free to ask us.

Service Levels

Service Request Fulfillment Time
2-4 business days
Incident Resolution Time
2-4 business days
Service Availability
Maintenance Window(s)
Approved Technology Solutions maintenance window(s)
Service Notification Channel(s) Technology Solutions Service Notices, REACH distribution email list
Request Single Sign On


Service ID: 453
Mon 12/21/20 7:38 PM
Thu 8/26/21 10:10 AM
Service Owner
This person is accountable for the overall performance of this service. This is not a support contact.
Service Review Date
Date of the most recent review of this service.