Good Practices

When using computers in the labs around campus, be sure that you protect your account by understanding how to fully log out of all applications.
Your internet ID and password are very powerful, granting access to everything from course assignments to financial aid.
Challenge: We need an email address for our group and a Google Drive account to store our group’s documents.


As of February 2020, departmental accounts must either:
Try the troubleshooting tips below if you have read through the Duo
If you set your Duo authentication through your mobile device (such as a smartphone or tablet), you are encouraged to add a backup telephone number to your Duo authentication options in case you forget your mobile dev
Congratulations on your new phone!  Here's how to enroll it in Duo.  In this article:
Usernames and passwords are vulnerable to security breaches.
We strongly recommend enrolling at least 2 devices to ensure that you are able to access Duo at all times - even if you have lost your smartphone or are working somewhere with no cell service.
Duo hardware tokens are small fobs that generate passcodes and are used as part of two-factor authentication sign-in at the University.
Duo Security (two-factor authentication) is stronger than a password alone, because it uses two factors to confirm that you are who you say you are.  The first factor is something you know (your Inter
By November 2019, Duo will be required at sign-in for all UMN faculty, staff, student, sponsored, and POI accounts.  For instructions on setting up Duo, check the Duo 
In some situations, you may not be able to use a mobile device to authenticate. For instance:
There are two kinds of tokens that you can use as your Duo device:
You can authenticate with Duo using two types of tokens: Hardware tokens (first and second images below) and security keys (also called 'U2F tokens', third image below).
Lost Hardware Token: Duo works with two types of tokens: U2F tokens (also referred to as 'security keys') and hardware tokens. This page describes what to do if your hardware token is lost or broken.
There are various scenarios where you may need to remove a device from your Duo page in Self-Service:
Managers or supervisors with employees who have a business need to access databases and enterprise-level applications that use Duo must request access to those services (via an Access Request Form, or ARF).  When a fa
When any University employee (staff, faculty or student employee) or contractor ends their employment with the University, the supervisor needs to revoke access to any Enterprise systems
If you do not have your usual Duo device, use your backup device or your
If you have enrolled a landline to your Duo authentication method, you ca
Background: China (Mainland/People's Republic of China) has implemented technologies to regulate the Internet domestically.
This article applies to international employees as well as traveling students, faculty, and staff. You can use Duo authentication when traveling internationally*, even without WiFi or cellular service.
After enrolling a mobile device to use for authentication, you have two ways to authentica
Anyone with a UMN Internet ID can use Duo two-factor authentication for all University sign-in pages.
Certain Departmental Pools and - as of January 4th, 2021 -  Full Tunnel VPN require Two Factor Authentication (2FA) through
If you have tried connecting to WiFi and are still having connectivity issues, do
If you have tried connecting to WiFi and are still having connectivity issues, downloading eduroam CAT (Conf
Have you tried everything and still can't connect to eduroam? Downloading the eduroam C
Visitors from eduroam-participating universities can obtain access t

Planned Changes

Stay secure and connected!
For Instructors: Duo Security helps keep student data—like grades, assignments, and contact information—more secure. It also helps students protect their financial aid from theft.
Try the troubleshooting tips below if Duo isn't working for you. If you need additional assistance contact Technology Help 24/7.
Congratulations on your new phone! Learn how to reactivate, add, or remove phones with Duo.
Even if you have no access to WiFi or cellular service, you can still use Duo Security.
Duo’s "Remember Me" feature saves you time while keeping your information safe. It is like the "remember my computer" or "keep me logged in" options you may have seen on other websites.
You can use Duo authentication when traveling internationally, unless you are traveling to a U.S. embargoed country.


Expiration: When your certificate nears its expiration date, you will get email notifications of the impending expiration starting 30 days prior.
To accommodate browser vendors' plans to phase out support for SHA-1 signed certificates, InCommon has now made available certificates signed using the SHA-2 hash family.
Metadata: We run a Shibboleth Identity Provider (IdP) for Single Sign On (i.e.
Departments may also sponsor an internet account for a University-affiliated individual, as long as that individual provides a service or function that directly impacts students, faculty, or staff.
A single SAML entityID can be used for many different servers, both physical and virtual.
An Entity ID is something that you choose as an SP. This page should help you choose a good entityID for your Shibboleth configuration.
Once you have the Apache Shibboleth Module installed and configured, you can add Apache Auth directives to any appropriate content-control block (<Directory>, <File>, <Location>) in your virtual host
Overview: In this file you are telling Shibboleth a few key pieces of information so it knows how to authenticate your users. Those items are
If you've gotten this far, you have probably already chosen an Entity ID. If you have not, please see the Choosing your Shibboleth Entity ID topic.
Users agree to comply with the laws or regulations of the United States Department of Commerce, the United States Department of Treasury Foreign Assets Control, or any other applicable United States foreign agency or
This resource shows a world-wide map of locations where you can access eduroam.
This link goes to eduroam's official list of participating institutions. 
This four-minute video shows how to enroll a variety of devices, such as cell phones, for use with Duo two-factor authentication.
For an overview of the sequence of events during Shib authentication see: Understanding Shibboleth: How It A
For web-based single sign on, you should use Shibboleth authentication instead.
The InCommon certificate service allows for delegated administration, so designated people can submit and approve certificates for their department without intervention from OIT.
If you are logged into an application that uses the University's central Sign In page for authentication (pictured below) and you wish to use an additional application in the same browser, you will not be requir
Through the InCommon Federation, University of Minnesota researchers can access national research and scholarship applications and web services, such as virtual organizations and
Generate a Certificate Signing Request: To request a certificate, first generate a Certificate Signing Request (CSR) on your web server.
Sometimes you may want to retrieve additional attributes about the user after the user authenticates.
Common Error Messages: Unable to locate metadata for identity provider (
Picking an entity ID: If you have not done so, please read Choosing your Shibboleth Entity ID
Official installation instructions are on the official Shib wiki.
Download: For now, please see the official Shib Wiki docs on Windows installation.
These are some of the important concepts and terminology used when talking about SAML or Shibboleth.
Understanding Logout: Currently, Shibboleth doesn't support single logout (SLO), so the only way for a user to completely log out of all SP applications and the IDP server
(See also InCommon's Cert FAQ, which includes browser/device support lists.)
SSL certificate code to proceed to the enrollment form on the InCommon certificate enrollment site:
Web/System administrators who request SSL certificates can go here when having problems connecting to a certificate request page.
Meeting slides from the Email Technical Coordinators meetings, 2004-2008 are archived below. 
This one-minute video demonstrates how to use a push method on your mobile device to authenticate with Duo two-factor authentication.
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, installed, and client-side applications.
The University uses a two-factor authentication system for users who need access to its enterprise-level applications, to ensure another level of security when working with sensitive data.

Self-Help Guides

Duo Security is the University's way of adding another layer of security to the information you access online.
Learn about Shibboleth, an open-source single sign-on infrastructure, and how to install and configure it.
Learn how Secure Sockets Layer (SSL) Certificates identify and encrypt digital communication. You can request SSL Certificates to protect data entered into your applications.