Shibboleth (Internet2)

Shibboleth is an Internet2 [http://middleware.internet2.edu/ Middleware Initiative] project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and gate access to secure content.

JISC has developed a [http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/animation video introduction to federated identity] that references Shibboleth and covers many concepts central to its understanding.

History

The Shibboleth project was started in 2000 under the MACE working group to address problems in sharing resources between organizations with often wildly different authentication and authorization infrastructures. Architectural work was performed for over a year prior to any development. After an alpha, two betas, and two point releases were distributed to testing communities, Shibboleth 1.0 was released on July 1, 2003 (Michelle Pollack, [https://mail.internet2.edu/wws/arc/i2-news/2003-07/msg00000.html I2-News: Internet2 Releases Privacy-Preserving Web Authorizing Software], Internet2 mailing list, 2003-07-01, retrieved 2007-11-28). Shibboleth 1.3 was released on August 26, 2005, with several point releases since then. Shibboleth 2.0 was released on March 19, 2008 ([http://shibboleth.internet2.edu/shib-v2.0.html Shibboleth 2.0 Available]).

Shibboleth 1.3 Architecture

Shibboleth is a web-based technology that implements the HTTP/POST, artifact, and attribute push profiles of SAML, including both Identity Provider (IdP) and Service Provider (SP) components. Shibboleth 1.3 has its own technical overview ([http://shibboleth.internet2.edu/docs/draft-mace-shibboleth-tech-overview-latest.pdf Shibboleth Architecture: Technical Overview], Tom Scavo, Scott Cantor and Nathan Dors, 2005-06-08, retrieved 2007-11-28), architectural document ([http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf Shibboleth Architecture: Protocols and Profiles], 2005-09-10, retrieved 2007-11-28), and conformance document ([http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-conformance-200509.pdf Shibboleth Architecture: Conformance Requirements], Scott Cantor, RL "Bob" Morgan and Tom Scavo, 2005-09-10, retrieved 2007-11-28) that build on top of the SAML 1.1 specifications.

In the canonical use case:
# A user first accesses a resource hosted by a web server that has Shibboleth content protection enabled.
# The SP crafts a proprietary authentication request that is passed through the browser using URL query parameters to supply the requester's SAML entityID, the assertion consumption location, and optionally the end page to return the user to.
# The user is redirected to either their home IdP or a WAYF service, where they select their home IdP for further redirection.
# The user authenticates to an access control mechanism external to Shibboleth.
# Shibboleth generates a SAML 1.1 authentication assertion with a temporary "handle" contained within it. This handle allows the IdP to recognize a request about a particular browser user as corresponding to the principal that authenticated earlier.
# The user is POST'ed to the assertion consumer service of the SP. The SP consumes the assertion and issues an AttributeQuery to the IdP's attribute service for attributes about that user, which may or may not include the user's identity.
# The IdP sends an attribute assertion containing trusted information about the user to the SP.
# The SP either makes an access control decision based on the attributes or supplies information to applications to make decisions themselves.

Shibboleth supports a number of variations on this base case, including portal-style flows whereby the IdP mints an unsolicited assertion to be delivered in the initial access to the SP, and lazy session initiation, which allows an application to trigger content protection through a method of its choice as required.
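Steps 2, 5 and 6 of the canonical use case, modelled as an added Python example that is not Shibboleth project code: an IdP-side handle service that checks the SP-initiated request against federation metadata before answering, mints the temporary handle, and resolves it when the SP's AttributeQuery arrives. The query parameter names shire, target and providerId are those of the Shibboleth 1.x SSO request; the entityIDs, metadata, handle lifetime and principal are constructed sample values, and the single-SP binding of the handle is a choice of this model.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample federation metadata: SP entityID -> assertion consumer
# ("shire") locations registered for it. Real deployments load signed SAML
# metadata instead of a literal.
METADATA = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/SAML/POST",
    },
}


class HandleService:
    """Minimal model of the IdP's handle service (illustrative only)."""

    def __init__(self, handle_ttl=300):
        self._handles = {}      # handle -> (principal, expiry, providerId)
        self._ttl = handle_ttl

    def validate_request(self, request_url):
        """Step 2: parse the SP request and check it against metadata."""
        q = parse_qs(urlsplit(request_url).query)
        provider_id = q.get("providerId", [None])[0]
        shire = q.get("shire", [None])[0]
        allowed = METADATA.get(provider_id)
        if not allowed:
            raise ValueError("unknown providerId")
        # The assertion may only be POSTed to a consumer location that the
        # metadata binds to this SP; an unregistered shire is refused so the
        # assertion cannot be steered to a location the SP does not own.
        if shire not in allowed:
            raise ValueError("shire not registered for providerId")
        return provider_id, shire, q.get("target", [None])[0]

    def issue_handle(self, principal, provider_id, now=None):
        """Step 5: mint an opaque, short-lived handle in place of the identity."""
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(24)
        self._handles[handle] = (principal, now + self._ttl, provider_id)
        return handle

    def resolve_handle(self, handle, provider_id, now=None):
        """Step 6: on AttributeQuery, map the handle back to the principal,
        refusing expired handles and handles issued for a different SP."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None:
            return None
        principal, expiry, bound_sp = entry
        if now > expiry or bound_sp != provider_id:
            return None
        return principal
```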

Shibboleth 1.3 and earlier do not provide a built-in authentication mechanism, but any web-based authentication mechanism can be used to supply user data for Shibboleth to use. Common systems for this purpose include CAS and Pubcookie. The authentication/SSO features of the Java container in which the IdP runs (Tomcat, for example) can also be used.

Attributes

Shibboleth's access control is performed by matching attributes supplied by IdPs against rules defined by SPs. An attribute is any atom of information about a user, such as "member of this community", "Alice Smith", or "licensed under contract A". User identity is considered an attribute, and is only passed when explicitly required, which preserves user privacy. Attributes can be written in Java or pulled from directories and databases. Standard X.520 attributes are most commonly used, but new attributes can be arbitrarily defined as long as they are understood and interpreted similarly by the IdP and SP in a transaction.
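The two halves of the attribute model described above, as an added Python example that is not Shibboleth project code: an IdP release policy that withholds the identifying attribute from an SP that has not been granted it, and an SP rule match over whatever was released. The entityIDs, attribute values and policies are constructed sample data; the eduPerson attribute names serve only as familiar labels.

```python
# Constructed sample data: what the IdP knows about one principal. The
# eduPersonPrincipalName value identifies the user; the others do not.
USER_ATTRIBUTES = {
    "asmith": {
        "eduPersonAffiliation": {"member", "staff"},
        "eduPersonEntitlement": {"urn:mace:example.org:contract:A"},
        "eduPersonPrincipalName": {"asmith@example.edu"},
    },
}

# Constructed IdP release policy: the attributes each SP (by entityID) may
# receive. Identity is released only to an SP whose policy explicitly lists it.
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": {
        "eduPersonAffiliation", "eduPersonEntitlement"},
    "https://hr.example.edu/shibboleth": {
        "eduPersonAffiliation", "eduPersonPrincipalName"},
}


def release_attributes(principal, provider_id):
    """IdP side: filter the principal's attributes through the per-SP policy.
    Unknown SPs and unknown principals receive nothing."""
    allowed = RELEASE_POLICY.get(provider_id, set())
    return {name: set(values)
            for name, values in USER_ATTRIBUTES.get(principal, {}).items()
            if name in allowed}


def access_permitted(attributes, rules):
    """SP side: rules is a list of (attribute name, acceptable values). Every
    rule must be met by at least one released value, so an attribute the IdP
    chose not to release can never satisfy a rule."""
    return all(attributes.get(name, set()) & set(acceptable)
               for name, acceptable in rules)
```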

Trust

Trust between domains is implemented using public key cryptography (often simply SSL server certificates) and metadata that describes providers. The use of information passed is controlled through agreements. Federations are often used to simplify these relationships by aggregating large numbers of providers that agree to use common rules and contracts.

Development

Shibboleth is open-source and provided under the Apache 2 license. Many extensions such as [http://federation.org.au/ShARPE SHARPE] and GridShib have been contributed by other groups.

Adoption

Federations have been formed in many countries around the world to build trust structures for the exchange of information using SAML and Shibboleth software. Many major content providers support Shibboleth-based access. Together, it is estimated that there are over 4 million students, staff, and faculty in the federations.

In February 2006 the Joint Information Systems Committee (JISC) of the Higher Education Funding Council for England announced that it would be moving from the Athens authentication system to an access-management system based on Shibboleth technology ([http://www.jisc.ac.uk/shibboleth.html JISC announces the development of a new access-management system for the UK], Joint Information Systems Committee, retrieved 2006-07-19). Since then it has updated its position and is endorsing a federated access management solution rather than Shibboleth itself.

External links

* [http://shibboleth.internet2.edu Official Shibboleth home page]
* [https://spaces.internet2.edu/display/SHIB/WebHome Official Shibboleth Wiki]
* [http://testshib.org/ TestShib testing facility]

Federations

* [http://www.aaf.edu.au/ AAF], Australia
* [http://shib.kuleuven.be K.U.Leuven], Belgium
* [http://edupass.ca/ edupass.ca], Canada
* [http://shibboleth.edu.cn CARSI], China
* [https://cztestfed.feld.cvut.cz/wiki/ czTestFed], Czech Republic
* [http://www.dk-aai.dk DK-AAI], Denmark
* [http://www.csc.fi/english/institutions/haka Haka], Finland
* [http://federation.cru.fr/index-en.html CRU], France
* [http://www.dfn.de/dienstleistungen/dfnaai/ DFN-AAI], Germany
* [http://federatie.surfnet.nl/cms/index.php?lang=en SURFfederatie], The Netherlands
* [http://www.swami.se/pub/jsp/polopoly.jsp?d=3483&a=11404 SWAMID], Sweden
* [http://www.switch.ch/aai/ SWITCHaai], Switzerland
* [http://www.incommonfederation.org/ InCommon], USA
* [http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research], UK
* [http://shibboleth.grnet.gr/ Greek Research and Technology Network Federation], Greece

Content Providers

* [https://spaces.internet2.edu/pages/viewpage.action?pageId=11484 Shibboleth-Enabled Applications and Services]
* [http://www.sciencedirect.com/ Elsevier ScienceDirect]
* [http://www.jstor.com/ JSTOR]
* [http://channel8.msdn.com/ Microsoft DreamSpark]
* [http://universitytickets.com/ UniversityTickets]


Wikimedia Foundation. 2010.
