Single Sign-On (SSO) and Shibboleth Technical Specs

CITI offers Single Sign On (SSO) options for sites to allow their learners to login via their institutions' credentials. If you are unfamiliar with SSO, read a summary of its advantages. This page provides technical details about our standard implementations. 

Note that our recommended solution is via InCommon membership. InCommon members can elect a standard implementation at a lower price. We also support several non-InCommon implementation options as well, but at a higher implementation price. These include: G-Suite, Microsoft (O365, Azure, ADFS), Okta, SecureAuth, Shibboleth (non-InCommon), Simple SAMLPHP, and other standard SAML approaches. 

Note that all SSO implementations require payment of an annual maintenance fee in addition to the one-time implementation charge.

Contact the CITI Program Sales Department for options and pricing information. 

Getting Started

Shibboleth is an open source SOAP service that many institutions are adopting to make connecting identity providers (IdPs) to service providers (SPs) easier and more secure. In this case, CITI Program is the service provider. Organizations subscribing to CITI Program services are the identity providers for their learners and administrators.

We are currently registered with the federated identity provider InCommon.


Policies and Procedures

‚ÄčIf your organization wishes to connect its learners and administrators with CITI Program via a standard SSO method please contact our Support Services Group to create a ticket for your request. We will need your organization's Entity ID which can be found in the Metadata on your server hosting Shibboleth (\\(ServerName)\(shibboleth-folder)\var\cache\shibboleth) or on the InCommon Website.

To search InCommon, find your Institution, click on the Identity Provider link and copy the url into the request email. We also need an email address for the IT contact person who will be enabling Shibboleth for CITI Program on your server; and we need the contact information for the person in charge of matching already-existing CITI Program accounts and those of your institution.


Frequently Asked Questions

  • What are CITI's EntityIDs?
    • Development: entityID=
    • Production: entityID=
  • What is the cost for connecting?
    • The cost for a standard Shibboleth implementation for one institution (if your organization is a member of InCommon) is $500, plus an annual maintenance fee of $150. If you have multiple institutions against a single IdP to set up at the same time discounted rates may apply. Discounts can also apply if you decide to add an additional institution at a later date, against the same IdP. Contact the Sales Department for a quote.
    • If you are not a member of InCommon, but are using a standard method, the usual implementation charge is $1000. But the method must be confirmed as approved as standard.
    • If you need need special custom programming, such as for custom metadata attributes, there are also additional fees, based on the amount of programmer and administrative time involved in setting up and maintaining the configuration. Contact the Sales Department for a quote.
    • Additional services such as data cleanup -- for example, to match legacy records to the new SSO credentials -- also carry an additional fee.
  • What impact, if any, will the Shibboleth SSO have on the data loads of course completion scores that are pulled nightly from the CITI database to our employee record system?
    • They will generally be much more accurate, relying on information sent as part of the SSO login rather than user's own data entry (which often contain unintended errors). Other fields remain untouched. Identification can use the inaccessible SSO Institution User ID (eduPersonPrincipalName EPPN [EmployeeID]@[Institution].edu) Shibboleth sends it direct from the institution it is saved on that learners record for the reports. 
  • How does the interface handle the matching when a member logs in?
    • The interface tries to match the Institution ID + Institution User Name. If no match is found it allows them to self match by logging into CITI with CITI Credentials or create a new account.
  • How are members that are no longer affiliated with our institution affected by SSO?
    • Members can always log in via their CITI credentials (Username & Password on the CITI homepage). Institutional administrators also may remove members from their institution as needed. The members still retain access to their completions under the institution if they are unaffiliated.


You can learn more about Shibboleth here:

You can find more about InCommon here:

Requested Attributes

persistentID  urn:oid: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Required Attributes

eppn urn:mace:dir:attribute-def:eduPersonPrincipalName urn:oid:
sn urn:mace:dir:attribute-def:sn urn:oid:
givenName urn:mace:dir:attribute-def:givenName urn:oid:
mail urn:mace:dir:attribute-def:mail urn:oid:0.9.2342.19200300.100.1.3


Optional Attributes

eduPersonScopedAffiliation  urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:oid:
eduPersonAffiliation urn:mace:dir:attribute-def:eduPersonAffiliation urn:oid:
displayName urn:mace:dir:attribute-def:displayName urn:oid:2.16.840.1.113730.3.1.241
studentNumber urn:mace:dir:attribute-def:studentNumber urn:oid:
employeeNumber urn:mace:dir:attribute-def:employeeNumber urn:oid:2.16.840.1.113730.3.1.3
telephoneNumber urn:mace:dir:attribute-def:telephoneNumber urn:oid:

For more information on attributes see eduPerson Object Class Specification‚Äč

Identity Management Attribute Information


Attribute: eppn
Name: eduPersonPrincipalName
Use: required
Description: The "NetID" of the person for the purposes of inter-institutional authentication. Should be stored in the form of, where is the name of the local security domain.
SAML 1: urn:mace:dir:attribute-def:eduPersonPrincipalName
SAML 2: urn:oid:
Max Length: 128


Attribute: sn
Name: Surname
Use: required
Description: This is the X.500 surname attribute, which contains the family name of a person.
SAML 1: urn:mace:dir:attribute-def:sn
SAML 2: urn:oid:
Max Length: 30


Attribute: givenName
Name: givenName
Use: required
Description: The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name.
SAML 1: urn:mace:dir:attribute-def:givenName
SAML 2: urn:oid:
Max Length: 20


Attribute: mail
Name: mail
Use: required
Description: The mail attribute type specifies an electronic mailbox attribute following the syntax specified in RFC 822. Note that this attribute should not be used for greybook or other non-Internet order mailboxes.
SAML 1: urn:mace:dir:attribute-def:mail
SAML 2: urn:oid:0.9.2342.19200300.100.1.3
Max Length: 64


Attribute: eduPersonScopedAffiliation
Name: eduPersonPrimaryAffiliation
Use: optional
Description: Specifies the person's PRIMARY relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.
SAML 1: urn:mace:dir:attribute-def:eduPersonScopedAffiliation
SAML 2: urn:oid:


Attribute: eduPersonAffiliation
Name: eduPersonAffiliation
Use: optional
Description: Specifies the person's SECONDARY relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. see 2.2.1 for more details This field can also accept the CITI Program InstitutionID if your Institution has more than one institution and only one EntityID for InCommon. Please contact us if you wish to use this attribute in this way. There will be an additional charge for set up.
SAML 1: urn:mace:dir:attribute-def:eduPersonAffiliation
SAML 2: urn:oid:


Attribute: displayName
Name: displayName
Use: optional
Description: The name(s) that should appear in white-pages-like applications for this person.
SAML 1: urn:mace:dir:attribute-def:displayName
SAML 2: urn:oid:2.16.840.1.113730.3.1.241
Max Length: 60


Attribute: studentNumber
Name: studentNumber
Use: optional
Description: Alternate ID which automatically stores in customAttrib1.
SAML 1: urn:mace:dir:attribute-def:studentNumber
SAML 2: urn:oid:
Max Length: 50


Attribute: employeeNumber
Name: employeeNumber
Use: optional
Description: Alternate ID which automatically stores in customAttrib2.
SAML 1: urn:mace:dir:attribute-def:employeeNumber
SAML 2: urn:oid:2.16.840.1.113730.3.1.3
Max Length: 50


Attribute: telephoneNumber
Name: telephoneNumber
Use: optional
Description: Office/campus phone number. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567."
SAML 1: urn:mace:dir:attribute-def:telephoneNumber
SAML 2: urn:oid:
Max Length: 25


Last Updated: 18-Jun-2019 10:03 a.m. EDT
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found