[Ext] RE: nelnet?

Bryan Wooten bryan.wooten at utah.edu
Fri Jul 20 09:10:46 EDT 2018

Thank you,

This insight is very helpful.


From: users <users-bounces at shibboleth.net> on behalf of "Losen, Stephen C. (scl)" <scl at virginia.edu>
Reply-To: "users at shibboleth.net" <users at shibboleth.net>
Date: Friday, July 20, 2018 at 5:41 AM
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: [Ext] RE: nelnet?


Hi Bryan,

We use nelnet, but we are not using SAML (yet) for authentication to PeopleSoft. Nelnet backchannel requests are always POSTs and all requests contain the nelnet username/password in the POST data. Not sure if this nugget of info helps you at all.

We reverse proxy through an F5 BIG-IP to PeopleSoft and we have an iRule that recognizes the nelnet host source IPs and examines the POST data for a valid nelnet username/password. The iRule also uses a pattern match to restrict which URLs nelnet can request. If all looks good to the iRule then it passes the request through to PeopleSoft, which independently checks the username/password in the POST data.

F5 supports SAML, so down the road we will likely set up SAML on the F5 and I hope that we can use an iRule or something to conditionally bypass SAML for nelnet requests, and continue to handle them as we do now.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Bryan Wooten
Sent: Thursday, July 19, 2018 7:50 PM
To: users at shibboleth.net
Subject: nelnet?

Fellow Higher Ed folks,

Today I learned we are engaging nelnet.com. They are apparently an InCommon member, so they do SAML and should understand Shib.

I spent an hour with one of our PeopleSoft system analysts trying to understand what nelnet expected.

And what I learned is that they wanted to make a call (think URL, not RESTful/Webservice/SOAP) to one of our PeopleSoft content providers to get student loan/payment/parking/housing payment info. Backchannel. They provide the backend PeopleCode at the endpoint.

Via a URL protected by our CAS SSO… Which is set up to work with people to enter credentials/MFA, not system accounts or anything web service related.

So I kindly ask for any experiences with this vendor and how I should proceed to make this project successful.

Best Regards,
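
The gate described in this thread (source-IP check, URL pattern match, credential check on the POST body, and interactive SSO for everyone else), modelled in Python as an added example. It is not the iRule or any other code from the posters; the network range, path pattern, form field names and credentials are constructed placeholders, and rejecting a failed vendor request outright is an assumption.

```python
import hmac
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed placeholders (assumptions), not real vendor or site values.
VENDOR_NETS = [ipaddress.ip_network("192.0.2.0/28")]
ALLOWED_PATH = re.compile(r"/psc/vendor/[A-Za-z0-9_./-]+\Z")
USER_FIELD, PASS_FIELD = "userid", "pwd"      # hypothetical form field names
EXPECTED_USER = "vendor-svc"
EXPECTED_PASS = "example-only-secret"


def from_vendor(src_ip):
    """True when the client address is inside an allowlisted vendor range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in VENDOR_NETS)


def gate(src_ip, method, path, body):
    """Return 'backchannel', 'sso' or 'reject' for one request."""
    if not from_vendor(src_ip):
        return "sso"                  # everyone else gets the interactive login
    if method != "POST":
        return "reject"               # backchannel requests are always POSTs
    if ".." in path or not ALLOWED_PATH.match(path):
        return "reject"               # vendor may only reach the listed URLs
    form = parse_qs(body, keep_blank_values=True)
    users, pwds = form.get(USER_FIELD, []), form.get(PASS_FIELD, [])
    if len(users) != 1 or len(pwds) != 1:
        return "reject"               # missing or duplicated credential fields
    # Constant-time comparison; evaluate both so timing does not reveal which failed.
    ok_user = hmac.compare_digest(users[0].encode(), EXPECTED_USER.encode())
    ok_pass = hmac.compare_digest(pwds[0].encode(), EXPECTED_PASS.encode())
    return "backchannel" if (ok_user and ok_pass) else "reject"
```

The application behind the proxy still checks the username/password itself, as described above, so the gate is a second layer and not the only credential check.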

