Shibboleth (Internet2)
Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on Security Assertion Markup Language (SAML). Federated identity allows for information about users in one security domain to be provided to other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.

The Joint Information Systems Committee (JISC) has developed a video introduction to federated identity that references Shibboleth and covers many concepts central to its understanding.

History

The Shibboleth project was started in 2000 under the MACE working group to address problems in sharing resources between organizations with often wildly different authentication and authorization infrastructures. Architectural work was performed for over a year prior to any development. After an alpha, two betas, and two point releases were distributed to testing communities, Shibboleth 1.0 was released on July 1, 2003. Shibboleth 1.3 was released on August 26, 2005, with several point releases since then. Shibboleth 2.0 was released on March 19, 2008.

Shibboleth architecture

Shibboleth is a web-based technology that implements the , artifact, and attribute push profiles of SAML, including both Identity Provider (IdP) and Service Provider (SP) components. Shibboleth 1.3 has its own technical overview, architectural document, and conformance document that build on top of the SAML 1.1 specifications.

Shibboleth 1.3

In the canonical use case:
  1. A user first accesses a resource hosted by a web server that has Shibboleth content protection enabled.
  2. The SP crafts a proprietary authentication request that is passed through the browser using URL query parameters to supply the requester's SAML entityID, the assertion consumption location, and optionally the end page to return the user to.
  3. The user is redirected to either their home IdP or a WAYF (Where Are You From) service, where they select their home IdP for further redirection.
  4. The user authenticates to an access control mechanism external to Shibboleth.
  5. Shibboleth generates a SAML 1.1 authentication assertion with a temporary "handle" contained within it. This handle allows the IdP to recognize a request about a particular browser user as corresponding to the principal that authenticated earlier.
  6. The user is POSTed to the assertion consumer service of the SP. The SP consumes the assertion and issues an AttributeQuery to the IdP's attribute service for attributes about that user, which may or may not include the user's identity.
  7. The IdP sends an attribute assertion containing trusted information about the user to the SP.
  8. The SP either makes an access control decision based on the attributes or supplies information to applications to make decisions themselves.
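To make the eight steps above concrete, here is an added example (not Shibboleth's own code) that models the exchange in memory: the SP's query-parameter request, the IdP's assertion carrying only a temporary handle, the attribute query answered under a per-SP release policy, and the SP's attribute-based access decision. The URLs, users, attribute names and the providerId/shire/target parameter names are assumed sample values; there is no XML, signing or HTTP.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed model of the Shibboleth 1.3 flow: in-memory, with no XML, signatures or HTTP.
# The URLs, users, attribute names and the providerId/shire/target parameter names are assumed.
IDP_SSO_URL = "https://idp.example.edu/shibboleth-idp/SSO"

class IdentityProvider:
    def __init__(self, users, release_policy, handle_ttl=300):
        self.users = users                    # principal -> {"password": ..., "attributes": {...}}
        self.release_policy = release_policy  # SP entityID -> attribute names it may receive
        self.handle_ttl = handle_ttl          # seconds an issued handle stays resolvable
        self.handles = {}                     # opaque handle -> (principal, expiry)

    def authenticate(self, principal, password, request_url):
        """Steps 3-5: parse the SP's query parameters, log in outside Shibboleth, issue a handle."""
        request = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        user = self.users.get(principal)
        if user is None or user["password"] != password:
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(16)  # random, so it reveals nothing about the principal
        self.handles[handle] = (principal, time.time() + self.handle_ttl)
        return {"NameIdentifier": handle, "Recipient": request["shire"], "Audience": request["providerId"]}

    def attribute_query(self, sp_entity_id, handle):
        """Step 7: map the handle back to the principal; release only what policy allows this SP."""
        principal, expiry = self.handles.get(handle, (None, 0.0))
        if principal is None or time.time() > expiry:
            raise LookupError("unknown or expired handle")
        allowed = self.release_policy.get(sp_entity_id, frozenset())
        return {k: v for k, v in self.users[principal]["attributes"].items() if k in allowed}

class ServiceProvider:
    def __init__(self, entity_id, shire, rules):
        self.entity_id, self.shire = entity_id, shire
        self.rules = rules  # attribute name -> value required for access (step 8)

    def authn_request(self, target):
        """Step 2: the request travels through the browser as URL query parameters."""
        params = {"providerId": self.entity_id, "shire": self.shire, "target": target}
        return IDP_SSO_URL + "?" + urlencode(params)

    def consume(self, assertion, idp):
        """Steps 6 and 8: accept the POSTed assertion, query attributes, then decide access."""
        if assertion["Recipient"] != self.shire or assertion["Audience"] != self.entity_id:
            raise ValueError("assertion not addressed to this SP")
        attrs = idp.attribute_query(self.entity_id, assertion["NameIdentifier"])
        return all(attrs.get(name) == value for name, value in self.rules.items()), attrs
```

Because the release policy is keyed by SP entityID, the user's identity (here displayName) never leaves the IdP unless an SP is explicitly allowed to receive it, which is the privacy property the Attributes section describes.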


Shibboleth supports a number of variations on this base case, including portal-style flows whereby the IdP mints an unsolicited assertion to be delivered in the initial access to the SP, and lazy session initiation, which allows an application to trigger content protection through a method of its choice as required.

Shibboleth 1.3 and earlier do not provide a built-in authentication mechanism, but any web-based authentication mechanism can be used to supply user data for Shibboleth to use. Common systems for this purpose include CAS or Pubcookie. The authentication/SSO features of the Java container in which the IdP runs (Tomcat, for example) can also be used.

Shibboleth 2.0

Shibboleth 2.0 builds on SAML 2.0 standards. The IdP in Shibboleth 2.0 has to do additional processing in order to support passive and forced authentication requests in SAML 2.0. The SP can request a specific method of authentication from the IdP. Shibboleth 2.0 supports additional encryption capabilities and sets a default session life of 30 minutes.

Attributes

Shibboleth's access control is performed by matching attributes supplied by IdPs against rules defined by SPs. An attribute is any atom of information about a user, such as "member of this community", "Alice Smith", or "licensed under contract A". User identity is considered an attribute, and is only passed when explicitly required, which preserves user privacy. Attributes can be written in Java or pulled from directories and databases. Standard X.520 attributes are most commonly used, but new attributes can be arbitrarily defined as long as they are understood and interpreted similarly by the IdP and SP in a transaction.

Trust

Trust between domains is implemented using public key cryptography (often simply SSL server certificates) and metadata that describes providers. The use of information passed is controlled through agreements. Federations are often used to simplify these relationships by aggregating large numbers of providers that agree to use common rules and contracts.

Development

Shibboleth is open-source and provided under the Apache 2 license. Many extensions such as SHARPE and GridShib have been contributed by other groups.

Adoption

Federations have been formed in many countries around the world to build trust structures for the exchange of information using SAML and Shibboleth software. Many major content providers support Shibboleth-based access. Together, it is estimated that there are over 4 million students, staff, and faculty in the federations.

In February 2006 the Joint Information Systems Committee (JISC) of the Higher Education Funding Council for England announced that it would be moving from the Athens authentication system to an access-management system based on Shibboleth technology. Since then JISC has updated its position and is endorsing a federated access management solution rather than Shibboleth itself.

External links


Federations

  • AAF, Australia
  • ACOnet Identity Federation, Austria
  • K.U.Leuven, Belgium
  • CAFe, Brazil
  • Canadian Access Federation, Canada
  • CARSI, China
  • AAI@EduHr, Croatia
  • eduID.cz, Czech Republic
  • WAYF, Denmark
  • Haka, Finland
  • RENATER, France
  • DFN-AAI, Germany
  • Greek Research and Technology Network Federation, Greece
  • Edugate Federated Access Management, Ireland
  • IDEM GARR, Italy
  • Gakunin (学術認証フェデレーション, nickname: 学認), Japan
  • SURFfederatie, Netherlands
  • KALMAR2, Nordic countries
  • ArnesAAI, Slovenia
  • RedIRIS, Spain
  • SWAMID, Sweden
  • SWITCHaai, Switzerland
  • InCommon, USA
  • UK Access Management Federation for Education and Research, UK

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.